TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 16fe2fd15a7383043c97baebbe9f3a8047c88f04 / . / tests / ssl-opt.sh
blob: 49543e072a8db49b1acea60275a8dea11d211f51 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]9# Assumes a build with default options.
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]13# default values, can be overriden by the environment
14: ${P_SRV:=../programs/ssl/ssl_server2}
15: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]16: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]17: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]18: ${GNUTLS_CLI:=gnutls-cli}
19: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]20: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]22O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]23O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]24G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]25G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]26TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]27
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]28TESTS=0
29FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]30SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]33
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]34MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]35FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]36EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]37
38print_usage() {
39 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]40 printf " -h|--help\tPrint this help.\n"
41 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
42 printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
43 printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
Gilles Peskinebb4aaf12017-11-30 15:56:20 +0100[diff] [blame]44 printf " --seed\tInteger seed value to use for this test run (default: random)\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]45}
46
47get_options() {
48 while [ $# -gt 0 ]; do
49 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]50 -f|--filter)
51 shift; FILTER=$1
52 ;;
53 -e|--exclude)
54 shift; EXCLUDE=$1
55 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]56 -m|--memcheck)
57 MEMCHECK=1
58 ;;
Gilles Peskinebb4aaf12017-11-30 15:56:20 +0100[diff] [blame]59 --seed)
60 shift; SEED="$1"
61 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]62 -h|--help)
63 print_usage
64 exit 0
65 ;;
66 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]67 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]68 print_usage
69 exit 1
70 ;;
71 esac
72 shift
73 done
74}
75
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]76# skip next test if the flag is not enabled in config.h
77requires_config_enabled() {
78 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
79 SKIP_NEXT="YES"
80 fi
81}
82
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]83# skip next test if the flag is enabled in config.h
84requires_config_disabled() {
85 if grep "^#define $1" $CONFIG_H > /dev/null; then
86 SKIP_NEXT="YES"
87 fi
88}
89
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]90# skip next test if OpenSSL doesn't support FALLBACK_SCSV
91requires_openssl_with_fallback_scsv() {
92 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
93 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
94 then
95 OPENSSL_HAS_FBSCSV="YES"
96 else
97 OPENSSL_HAS_FBSCSV="NO"
98 fi
99 fi
100 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
101 SKIP_NEXT="YES"
102 fi
103}
104
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]105# skip next test if GnuTLS isn't available
106requires_gnutls() {
107 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]108 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]109 GNUTLS_AVAILABLE="YES"
110 else
111 GNUTLS_AVAILABLE="NO"
112 fi
113 fi
114 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
115 SKIP_NEXT="YES"
116 fi
117}
118
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]119# skip next test if IPv6 isn't available on this host
120requires_ipv6() {
121 if [ -z "${HAS_IPV6:-}" ]; then
122 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
123 SRV_PID=$!
124 sleep 1
125 kill $SRV_PID >/dev/null 2>&1
126 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
127 HAS_IPV6="NO"
128 else
129 HAS_IPV6="YES"
130 fi
131 rm -r $SRV_OUT
132 fi
133
134 if [ "$HAS_IPV6" = "NO" ]; then
135 SKIP_NEXT="YES"
136 fi
137}
138
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]139# skip the next test if valgrind is in use
140not_with_valgrind() {
141 if [ "$MEMCHECK" -gt 0 ]; then
142 SKIP_NEXT="YES"
143 fi
144}
145
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]146# skip the next test if valgrind is NOT in use
147only_with_valgrind() {
148 if [ "$MEMCHECK" -eq 0 ]; then
149 SKIP_NEXT="YES"
150 fi
151}
152
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]153# multiply the client timeout delay by the given factor for the next test
154needs_more_time() {
155 CLI_DELAY_FACTOR=$1
156}
157
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]158# print_name <name>
159print_name() {
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]160 printf "$1 "
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]161 LEN=$(( 72 - `echo "$1" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]162 for i in `seq 1 $LEN`; do printf '.'; done
163 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]164
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]165 TESTS=$(( $TESTS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]166}
167
168# fail <message>
169fail() {
170 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]171 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]172
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]173 mv $SRV_OUT o-srv-${TESTS}.log
174 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]175 if [ -n "$PXY_CMD" ]; then
176 mv $PXY_OUT o-pxy-${TESTS}.log
177 fi
178 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]179
Azim Khan341e3782018-03-29 11:04:20 +0100[diff] [blame]180 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]181 echo " ! server output:"
182 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]183 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]184 echo " ! client output:"
185 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]186 if [ -n "$PXY_CMD" ]; then
187 echo " ! ========================================================"
188 echo " ! proxy output:"
189 cat o-pxy-${TESTS}.log
190 fi
191 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]192 fi
193
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]194 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]195}
196
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]197# is_polar <cmd_line>
198is_polar() {
199 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
200}
201
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]202# openssl s_server doesn't have -www with DTLS
203check_osrv_dtls() {
204 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
205 NEEDS_INPUT=1
206 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
207 else
208 NEEDS_INPUT=0
209 fi
210}
211
212# provide input to commands that need it
213provide_input() {
214 if [ $NEEDS_INPUT -eq 0 ]; then
215 return
216 fi
217
218 while true; do
219 echo "HTTP/1.0 200 OK"
220 sleep 1
221 done
222}
223
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]224# has_mem_err <log_file_name>
225has_mem_err() {
226 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
227 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
228 then
229 return 1 # false: does not have errors
230 else
231 return 0 # true: has errors
232 fi
233}
234
Gilles Peskine684a5172017-12-14 18:58:42 +0100[diff] [blame]235# Wait for process $2 to be listening on port $1
236if type lsof >/dev/null 2>/dev/null; then
237 wait_server_start() {
238 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]239 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine684a5172017-12-14 18:58:42 +0100[diff] [blame]240 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]241 else
Gilles Peskine684a5172017-12-14 18:58:42 +0100[diff] [blame]242 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]243 fi
Gilles Peskine684a5172017-12-14 18:58:42 +0100[diff] [blame]244 # Make a tight loop, server normally takes less than 1s to start.
245 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
246 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
247 echo "SERVERSTART TIMEOUT"
248 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
249 break
250 fi
251 # Linux and *BSD support decimal arguments to sleep. On other
252 # OSes this may be a tight loop.
253 sleep 0.1 2>/dev/null || true
254 done
255 }
256else
Gilles Peskine2cc7ad42018-06-29 15:48:13 +0200[diff] [blame]257 echo "Warning: lsof not available, wait_server_start = sleep"
Gilles Peskine684a5172017-12-14 18:58:42 +0100[diff] [blame]258 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]259 sleep "$START_DELAY"
Gilles Peskine684a5172017-12-14 18:58:42 +0100[diff] [blame]260 }
261fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]262
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]263# wait for client to terminate and set CLI_EXIT
264# must be called right after starting the client
265wait_client_done() {
266 CLI_PID=$!
267
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]268 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
269 CLI_DELAY_FACTOR=1
270
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]271 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]272 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]273
274 wait $CLI_PID
275 CLI_EXIT=$?
276
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]277 kill $DOG_PID >/dev/null 2>&1
278 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]279
280 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
281}
282
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]283# check if the given command uses dtls and sets global variable DTLS
284detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]285 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]286 DTLS=1
287 else
288 DTLS=0
289 fi
290}
291
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]292# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]293# Options: -s pattern pattern that must be present in server output
294# -c pattern pattern that must be present in client output
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]295# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]296# -S pattern pattern that must be absent in server output
297# -C pattern pattern that must be absent in client output
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]298# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]299run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]300 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]301 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]302
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]303 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
304 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]305 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]306 return
307 fi
308
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]309 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]310
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]311 # should we skip?
312 if [ "X$SKIP_NEXT" = "XYES" ]; then
313 SKIP_NEXT="NO"
314 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]315 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]316 return
317 fi
318
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]319 # does this test use a proxy?
320 if [ "X$1" = "X-p" ]; then
321 PXY_CMD="$2"
322 shift 2
323 else
324 PXY_CMD=""
325 fi
326
327 # get commands and client output
328 SRV_CMD="$1"
329 CLI_CMD="$2"
330 CLI_EXPECT="$3"
331 shift 3
332
333 # fix client port
334 if [ -n "$PXY_CMD" ]; then
335 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
336 else
337 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
338 fi
339
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]340 # update DTLS variable
341 detect_dtls "$SRV_CMD"
342
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]343 # prepend valgrind to our commands if active
344 if [ "$MEMCHECK" -gt 0 ]; then
345 if is_polar "$SRV_CMD"; then
346 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
347 fi
348 if is_polar "$CLI_CMD"; then
349 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
350 fi
351 fi
352
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]353 TIMES_LEFT=2
354 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]355 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]356
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]357 # run the commands
358 if [ -n "$PXY_CMD" ]; then
359 echo "$PXY_CMD" > $PXY_OUT
360 $PXY_CMD >> $PXY_OUT 2>&1 &
361 PXY_PID=$!
362 # assume proxy starts faster than server
363 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]364
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]365 check_osrv_dtls
366 echo "$SRV_CMD" > $SRV_OUT
367 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
368 SRV_PID=$!
Gilles Peskine684a5172017-12-14 18:58:42 +0100[diff] [blame]369 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]370
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]371 echo "$CLI_CMD" > $CLI_OUT
372 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
373 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]374
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]375 # terminate the server (and the proxy)
376 kill $SRV_PID
377 wait $SRV_PID
378 if [ -n "$PXY_CMD" ]; then
379 kill $PXY_PID >/dev/null 2>&1
380 wait $PXY_PID
381 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]382
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]383 # retry only on timeouts
384 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
385 printf "RETRY "
386 else
387 TIMES_LEFT=0
388 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]389 done
390
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]391 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]392 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]393 # expected client exit to incorrectly succeed in case of catastrophic
394 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]395 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]396 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]397 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]398 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]399 return
400 fi
401 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]402 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]403 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]404 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]405 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]406 return
407 fi
408 fi
409
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]410 # check server exit code
411 if [ $? != 0 ]; then
412 fail "server fail"
413 return
414 fi
415
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]416 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]417 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
418 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]419 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]420 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]421 return
422 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]423
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]424 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]425 # lines beginning with == are added by valgrind, ignore them
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]426 while [ $# -gt 0 ]
427 do
428 case $1 in
429 "-s")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]430 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
431 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]432 return
433 fi
434 ;;
435
436 "-c")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]437 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
438 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]439 return
440 fi
441 ;;
442
443 "-S")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]444 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
445 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]446 return
447 fi
448 ;;
449
450 "-C")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]451 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
452 fail "pattern '$2' MUST NOT be present in the Client output"
453 return
454 fi
455 ;;
456
457 # The filtering in the following two options (-u and -U) do the following
458 # - ignore valgrind output
459 # - filter out everything but lines right after the pattern occurances
460 # - keep one of each non-unique line
461 # - count how many lines remain
462 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
463 # if there were no duplicates.
464 "-U")
465 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
466 fail "lines following pattern '$2' must be unique in Server output"
467 return
468 fi
469 ;;
470
471 "-u")
472 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
473 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]474 return
475 fi
476 ;;
477
478 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]479 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]480 exit 1
481 esac
482 shift 2
483 done
484
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]485 # check valgrind's results
486 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]487 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]488 fail "Server has memory errors"
489 return
490 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]491 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]492 fail "Client has memory errors"
493 return
494 fi
495 fi
496
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]497 # if we're here, everything is ok
498 echo "PASS"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]499 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]500}
501
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]502cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]503 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]504 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
505 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
506 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
507 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]508 exit 1
509}
510
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]511#
512# MAIN
513#
514
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]515if cd $( dirname $0 ); then :; else
516 echo "cd $( dirname $0 ) failed" >&2
517 exit 1
518fi
519
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]520get_options "$@"
521
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]522# sanity checks, avoid an avalanche of errors
523if [ ! -x "$P_SRV" ]; then
524 echo "Command '$P_SRV' is not an executable file"
525 exit 1
526fi
527if [ ! -x "$P_CLI" ]; then
528 echo "Command '$P_CLI' is not an executable file"
529 exit 1
530fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]531if [ ! -x "$P_PXY" ]; then
532 echo "Command '$P_PXY' is not an executable file"
533 exit 1
534fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]535if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
536 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]537 exit 1
538fi
539
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]540# used by watchdog
541MAIN_PID="$$"
542
Manuel Pégourié-Gonnard3f69e542018-01-22 10:22:09 +0100[diff] [blame]543# We use somewhat arbitrary delays for tests:
544# - how long do we wait for the server to start (when lsof not available)?
545# - how long do we allow for the client to finish?
546# (not to check performance, just to avoid waiting indefinitely)
547# Things are slower with valgrind, so give extra time here.
548#
549# Note: without lsof, there is a trade-off between the running time of this
550# script and the risk of spurious errors because we didn't wait long enough.
551# The watchdog delay on the other hand doesn't affect normal running time of
552# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]553if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard3f69e542018-01-22 10:22:09 +0100[diff] [blame]554 START_DELAY=6
555 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]556else
Manuel Pégourié-Gonnard3f69e542018-01-22 10:22:09 +0100[diff] [blame]557 START_DELAY=2
558 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]559fi
Manuel Pégourié-Gonnard3f69e542018-01-22 10:22:09 +0100[diff] [blame]560
561# some particular tests need more time:
562# - for the client, we multiply the usual watchdog limit by a factor
563# - for the server, we sleep for a number of seconds after the client exits
564# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]565CLI_DELAY_FACTOR=1
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]566
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]567# Pick a "unique" server port in the range 10000-19999, and a proxy port
568PORT_BASE="0000$$"
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]569PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]570SRV_PORT="1$PORT_BASE"
571PXY_PORT="2$PORT_BASE"
572unset PORT_BASE
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]573
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]574# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]575# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]576P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
577P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Gilles Peskinebb4aaf12017-11-30 15:56:20 +0100[diff] [blame]578P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]579O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]580O_CLI="$O_CLI -connect localhost:+SRV_PORT"
581G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]582G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]583
Gilles Peskine35db5ba2017-05-10 10:13:59 +0200[diff] [blame]584# Allow SHA-1, because many of our test certificates use it
585P_SRV="$P_SRV allow_sha1=1"
586P_CLI="$P_CLI allow_sha1=1"
587
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]588# Also pick a unique name for intermediate files
589SRV_OUT="srv_out.$$"
590CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]591PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]592SESSION="session.$$"
593
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]594SKIP_NEXT="NO"
595
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]596trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]597
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]598# Basic test
599
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]600# Checks that:
601# - things work with all ciphersuites active (used with config-full in all.sh)
602# - the expected (highest security) parameters are selected
603# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]604run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]605 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]606 "$P_CLI" \
607 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]608 -s "Protocol is TLSv1.2" \
609 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
610 -s "client hello v3, signature_algorithm ext: 6" \
611 -s "ECDHE curve: secp521r1" \
612 -S "error" \
613 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]614
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]615run_test "Default, DTLS" \
616 "$P_SRV dtls=1" \
617 "$P_CLI dtls=1" \
618 0 \
619 -s "Protocol is DTLSv1.2" \
620 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
621
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]622# Test for uniqueness of IVs in AEAD ciphersuites
623run_test "Unique IV in GCM" \
624 "$P_SRV exchanges=20 debug_level=4" \
625 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
626 0 \
627 -u "IV used" \
628 -U "IV used"
629
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]630# Tests for rc4 option
631
Simon Butcher6eb066e2016-05-19 22:12:18 +0100[diff] [blame]632requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]633run_test "RC4: server disabled, client enabled" \
634 "$P_SRV" \
635 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
636 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]637 -s "SSL - The server has no ciphersuites in common"
638
Simon Butcher6eb066e2016-05-19 22:12:18 +0100[diff] [blame]639requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]640run_test "RC4: server half, client enabled" \
641 "$P_SRV arc4=1" \
642 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
643 1 \
644 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]645
646run_test "RC4: server enabled, client disabled" \
647 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
648 "$P_CLI" \
649 1 \
650 -s "SSL - The server has no ciphersuites in common"
651
652run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]653 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]654 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
655 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]656 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]657 -S "SSL - The server has no ciphersuites in common"
658
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]659# Tests for SHA-1 support
660
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]661requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]662run_test "SHA-1 forbidden by default in server certificate" \
663 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
664 "$P_CLI debug_level=2 allow_sha1=0" \
665 1 \
666 -c "The certificate is signed with an unacceptable hash"
667
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]668requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
669run_test "SHA-1 forbidden by default in server certificate" \
670 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
671 "$P_CLI debug_level=2 allow_sha1=0" \
672 0
673
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]674run_test "SHA-1 explicitly allowed in server certificate" \
675 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
676 "$P_CLI allow_sha1=1" \
677 0
678
679run_test "SHA-256 allowed by default in server certificate" \
680 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
681 "$P_CLI allow_sha1=0" \
682 0
683
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]684requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]685run_test "SHA-1 forbidden by default in client certificate" \
686 "$P_SRV auth_mode=required allow_sha1=0" \
687 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
688 1 \
689 -s "The certificate is signed with an unacceptable hash"
690
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]691requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
692run_test "SHA-1 forbidden by default in client certificate" \
693 "$P_SRV auth_mode=required allow_sha1=0" \
694 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
695 0
696
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]697run_test "SHA-1 explicitly allowed in client certificate" \
698 "$P_SRV auth_mode=required allow_sha1=1" \
699 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
700 0
701
702run_test "SHA-256 allowed by default in client certificate" \
703 "$P_SRV auth_mode=required allow_sha1=0" \
704 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
705 0
706
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]707# Tests for Truncated HMAC extension
708
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]709run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]710 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]711 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]712 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]713 -s "dumping 'expected mac' (20 bytes)" \
714 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]715
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]716requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]717run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]718 "$P_SRV debug_level=4" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]719 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]720 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]721 -s "dumping 'expected mac' (20 bytes)" \
722 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]723
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]724requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]725run_test "Truncated HMAC: client enabled, server default" \
726 "$P_SRV debug_level=4" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]727 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]728 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]729 -s "dumping 'expected mac' (20 bytes)" \
730 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]731
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]732requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]733run_test "Truncated HMAC: client enabled, server disabled" \
734 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]735 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]736 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]737 -s "dumping 'expected mac' (20 bytes)" \
738 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]739
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]740requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Beckerd51bec72017-11-17 15:46:24 +0000[diff] [blame]741run_test "Truncated HMAC: client disabled, server enabled" \
742 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]743 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Beckerd51bec72017-11-17 15:46:24 +0000[diff] [blame]744 0 \
745 -s "dumping 'expected mac' (20 bytes)" \
746 -S "dumping 'expected mac' (10 bytes)"
747
748requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]749run_test "Truncated HMAC: client enabled, server enabled" \
750 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]751 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]752 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]753 -S "dumping 'expected mac' (20 bytes)" \
754 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]755
Hanno Becker02f632e2017-11-10 09:16:05 +0000[diff] [blame]756run_test "Truncated HMAC, DTLS: client default, server default" \
757 "$P_SRV dtls=1 debug_level=4" \
758 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
759 0 \
760 -s "dumping 'expected mac' (20 bytes)" \
761 -S "dumping 'expected mac' (10 bytes)"
762
763requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
764run_test "Truncated HMAC, DTLS: client disabled, server default" \
765 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]766 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker02f632e2017-11-10 09:16:05 +0000[diff] [blame]767 0 \
768 -s "dumping 'expected mac' (20 bytes)" \
769 -S "dumping 'expected mac' (10 bytes)"
770
771requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
772run_test "Truncated HMAC, DTLS: client enabled, server default" \
773 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]774 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker02f632e2017-11-10 09:16:05 +0000[diff] [blame]775 0 \
776 -s "dumping 'expected mac' (20 bytes)" \
777 -S "dumping 'expected mac' (10 bytes)"
778
779requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
780run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
781 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]782 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker02f632e2017-11-10 09:16:05 +0000[diff] [blame]783 0 \
784 -s "dumping 'expected mac' (20 bytes)" \
785 -S "dumping 'expected mac' (10 bytes)"
786
787requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
788run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
789 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]790 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker02f632e2017-11-10 09:16:05 +0000[diff] [blame]791 0 \
792 -s "dumping 'expected mac' (20 bytes)" \
793 -S "dumping 'expected mac' (10 bytes)"
794
795requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
796run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
797 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]798 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]799 0 \
800 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]801 -s "dumping 'expected mac' (10 bytes)"
802
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]803# Tests for Encrypt-then-MAC extension
804
805run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]806 "$P_SRV debug_level=3 \
807 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]808 "$P_CLI debug_level=3" \
809 0 \
810 -c "client hello, adding encrypt_then_mac extension" \
811 -s "found encrypt then mac extension" \
812 -s "server hello, adding encrypt then mac extension" \
813 -c "found encrypt_then_mac extension" \
814 -c "using encrypt then mac" \
815 -s "using encrypt then mac"
816
817run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]818 "$P_SRV debug_level=3 etm=0 \
819 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]820 "$P_CLI debug_level=3 etm=1" \
821 0 \
822 -c "client hello, adding encrypt_then_mac extension" \
823 -s "found encrypt then mac extension" \
824 -S "server hello, adding encrypt then mac extension" \
825 -C "found encrypt_then_mac extension" \
826 -C "using encrypt then mac" \
827 -S "using encrypt then mac"
828
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]829run_test "Encrypt then MAC: client enabled, aead cipher" \
830 "$P_SRV debug_level=3 etm=1 \
831 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
832 "$P_CLI debug_level=3 etm=1" \
833 0 \
834 -c "client hello, adding encrypt_then_mac extension" \
835 -s "found encrypt then mac extension" \
836 -S "server hello, adding encrypt then mac extension" \
837 -C "found encrypt_then_mac extension" \
838 -C "using encrypt then mac" \
839 -S "using encrypt then mac"
840
841run_test "Encrypt then MAC: client enabled, stream cipher" \
842 "$P_SRV debug_level=3 etm=1 \
843 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]844 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]845 0 \
846 -c "client hello, adding encrypt_then_mac extension" \
847 -s "found encrypt then mac extension" \
848 -S "server hello, adding encrypt then mac extension" \
849 -C "found encrypt_then_mac extension" \
850 -C "using encrypt then mac" \
851 -S "using encrypt then mac"
852
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]853run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]854 "$P_SRV debug_level=3 etm=1 \
855 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]856 "$P_CLI debug_level=3 etm=0" \
857 0 \
858 -C "client hello, adding encrypt_then_mac extension" \
859 -S "found encrypt then mac extension" \
860 -S "server hello, adding encrypt then mac extension" \
861 -C "found encrypt_then_mac extension" \
862 -C "using encrypt then mac" \
863 -S "using encrypt then mac"
864
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]865requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]866run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]867 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]868 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]869 "$P_CLI debug_level=3 force_version=ssl3" \
870 0 \
871 -C "client hello, adding encrypt_then_mac extension" \
872 -S "found encrypt then mac extension" \
873 -S "server hello, adding encrypt then mac extension" \
874 -C "found encrypt_then_mac extension" \
875 -C "using encrypt then mac" \
876 -S "using encrypt then mac"
877
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]878requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]879run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]880 "$P_SRV debug_level=3 force_version=ssl3 \
881 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]882 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]883 0 \
884 -c "client hello, adding encrypt_then_mac extension" \
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]885 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]886 -S "server hello, adding encrypt then mac extension" \
887 -C "found encrypt_then_mac extension" \
888 -C "using encrypt then mac" \
889 -S "using encrypt then mac"
890
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]891# Tests for Extended Master Secret extension
892
893run_test "Extended Master Secret: default" \
894 "$P_SRV debug_level=3" \
895 "$P_CLI debug_level=3" \
896 0 \
897 -c "client hello, adding extended_master_secret extension" \
898 -s "found extended master secret extension" \
899 -s "server hello, adding extended master secret extension" \
900 -c "found extended_master_secret extension" \
901 -c "using extended master secret" \
902 -s "using extended master secret"
903
904run_test "Extended Master Secret: client enabled, server disabled" \
905 "$P_SRV debug_level=3 extended_ms=0" \
906 "$P_CLI debug_level=3 extended_ms=1" \
907 0 \
908 -c "client hello, adding extended_master_secret extension" \
909 -s "found extended master secret extension" \
910 -S "server hello, adding extended master secret extension" \
911 -C "found extended_master_secret extension" \
912 -C "using extended master secret" \
913 -S "using extended master secret"
914
915run_test "Extended Master Secret: client disabled, server enabled" \
916 "$P_SRV debug_level=3 extended_ms=1" \
917 "$P_CLI debug_level=3 extended_ms=0" \
918 0 \
919 -C "client hello, adding extended_master_secret extension" \
920 -S "found extended master secret extension" \
921 -S "server hello, adding extended master secret extension" \
922 -C "found extended_master_secret extension" \
923 -C "using extended master secret" \
924 -S "using extended master secret"
925
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]926requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]927run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]928 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]929 "$P_CLI debug_level=3 force_version=ssl3" \
930 0 \
931 -C "client hello, adding extended_master_secret extension" \
932 -S "found extended master secret extension" \
933 -S "server hello, adding extended master secret extension" \
934 -C "found extended_master_secret extension" \
935 -C "using extended master secret" \
936 -S "using extended master secret"
937
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]938requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]939run_test "Extended Master Secret: client enabled, server SSLv3" \
940 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]941 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]942 0 \
943 -c "client hello, adding extended_master_secret extension" \
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]944 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]945 -S "server hello, adding extended master secret extension" \
946 -C "found extended_master_secret extension" \
947 -C "using extended master secret" \
948 -S "using extended master secret"
949
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]950# Tests for FALLBACK_SCSV
951
952run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]953 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]954 "$P_CLI debug_level=3 force_version=tls1_1" \
955 0 \
956 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]957 -S "received FALLBACK_SCSV" \
958 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]959 -C "is a fatal alert message (msg 86)"
960
961run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]962 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]963 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
964 0 \
965 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]966 -S "received FALLBACK_SCSV" \
967 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]968 -C "is a fatal alert message (msg 86)"
969
970run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]971 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]972 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]973 1 \
974 -c "adding FALLBACK_SCSV" \
975 -s "received FALLBACK_SCSV" \
976 -s "inapropriate fallback" \
977 -c "is a fatal alert message (msg 86)"
978
979run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]980 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]981 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]982 0 \
983 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]984 -s "received FALLBACK_SCSV" \
985 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]986 -C "is a fatal alert message (msg 86)"
987
988requires_openssl_with_fallback_scsv
989run_test "Fallback SCSV: default, openssl server" \
990 "$O_SRV" \
991 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
992 0 \
993 -C "adding FALLBACK_SCSV" \
994 -C "is a fatal alert message (msg 86)"
995
996requires_openssl_with_fallback_scsv
997run_test "Fallback SCSV: enabled, openssl server" \
998 "$O_SRV" \
999 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1000 1 \
1001 -c "adding FALLBACK_SCSV" \
1002 -c "is a fatal alert message (msg 86)"
1003
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1004requires_openssl_with_fallback_scsv
1005run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1006 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1007 "$O_CLI -tls1_1" \
1008 0 \
1009 -S "received FALLBACK_SCSV" \
1010 -S "inapropriate fallback"
1011
1012requires_openssl_with_fallback_scsv
1013run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1014 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1015 "$O_CLI -tls1_1 -fallback_scsv" \
1016 1 \
1017 -s "received FALLBACK_SCSV" \
1018 -s "inapropriate fallback"
1019
1020requires_openssl_with_fallback_scsv
1021run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1022 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1023 "$O_CLI -fallback_scsv" \
1024 0 \
1025 -s "received FALLBACK_SCSV" \
1026 -S "inapropriate fallback"
1027
Andres Amaya Garciadc8b6df2018-07-10 20:08:04 +0100[diff] [blame]1028# Test sending and receiving empty application data records
1029
1030run_test "Encrypt then MAC: empty application data record" \
1031 "$P_SRV auth_mode=none debug_level=4 etm=1" \
1032 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
1033 0 \
1034 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1035 -s "dumping 'input payload after decrypt' (0 bytes)" \
1036 -c "0 bytes written in 1 fragments"
1037
1038run_test "Default, no Encrypt then MAC: empty application data record" \
1039 "$P_SRV auth_mode=none debug_level=4 etm=0" \
1040 "$P_CLI auth_mode=none etm=0 request_size=0" \
1041 0 \
1042 -s "dumping 'input payload after decrypt' (0 bytes)" \
1043 -c "0 bytes written in 1 fragments"
1044
1045run_test "Encrypt then MAC, DTLS: empty application data record" \
1046 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
1047 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
1048 0 \
1049 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1050 -s "dumping 'input payload after decrypt' (0 bytes)" \
1051 -c "0 bytes written in 1 fragments"
1052
1053run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
1054 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
1055 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
1056 0 \
1057 -s "dumping 'input payload after decrypt' (0 bytes)" \
1058 -c "0 bytes written in 1 fragments"
1059
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]1060## ClientHello generated with
1061## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1062## then manually twiddling the ciphersuite list.
1063## The ClientHello content is spelled out below as a hex string as
1064## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1065## The expected response is an inappropriate_fallback alert.
1066requires_openssl_with_fallback_scsv
1067run_test "Fallback SCSV: beginning of list" \
1068 "$P_SRV debug_level=2" \
1069 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1070 0 \
1071 -s "received FALLBACK_SCSV" \
1072 -s "inapropriate fallback"
1073
1074requires_openssl_with_fallback_scsv
1075run_test "Fallback SCSV: end of list" \
1076 "$P_SRV debug_level=2" \
1077 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1078 0 \
1079 -s "received FALLBACK_SCSV" \
1080 -s "inapropriate fallback"
1081
1082## Here the expected response is a valid ServerHello prefix, up to the random.
1083requires_openssl_with_fallback_scsv
1084run_test "Fallback SCSV: not in list" \
1085 "$P_SRV debug_level=2" \
1086 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1087 0 \
1088 -S "received FALLBACK_SCSV" \
1089 -S "inapropriate fallback"
1090
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1091# Tests for CBC 1/n-1 record splitting
1092
1093run_test "CBC Record splitting: TLS 1.2, no splitting" \
1094 "$P_SRV" \
1095 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1096 request_size=123 force_version=tls1_2" \
1097 0 \
1098 -s "Read from client: 123 bytes read" \
1099 -S "Read from client: 1 bytes read" \
1100 -S "122 bytes read"
1101
1102run_test "CBC Record splitting: TLS 1.1, no splitting" \
1103 "$P_SRV" \
1104 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1105 request_size=123 force_version=tls1_1" \
1106 0 \
1107 -s "Read from client: 123 bytes read" \
1108 -S "Read from client: 1 bytes read" \
1109 -S "122 bytes read"
1110
1111run_test "CBC Record splitting: TLS 1.0, splitting" \
1112 "$P_SRV" \
1113 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1114 request_size=123 force_version=tls1" \
1115 0 \
1116 -S "Read from client: 123 bytes read" \
1117 -s "Read from client: 1 bytes read" \
1118 -s "122 bytes read"
1119
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]1120requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1121run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1122 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1123 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1124 request_size=123 force_version=ssl3" \
1125 0 \
1126 -S "Read from client: 123 bytes read" \
1127 -s "Read from client: 1 bytes read" \
1128 -s "122 bytes read"
1129
1130run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1131 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1132 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1133 request_size=123 force_version=tls1" \
1134 0 \
1135 -s "Read from client: 123 bytes read" \
1136 -S "Read from client: 1 bytes read" \
1137 -S "122 bytes read"
1138
1139run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1140 "$P_SRV" \
1141 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1142 request_size=123 force_version=tls1 recsplit=0" \
1143 0 \
1144 -s "Read from client: 123 bytes read" \
1145 -S "Read from client: 1 bytes read" \
1146 -S "122 bytes read"
1147
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1148run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1149 "$P_SRV nbio=2" \
1150 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1151 request_size=123 force_version=tls1" \
1152 0 \
1153 -S "Read from client: 123 bytes read" \
1154 -s "Read from client: 1 bytes read" \
1155 -s "122 bytes read"
1156
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1157# Tests for Session Tickets
1158
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1159run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1160 "$P_SRV debug_level=3 tickets=1" \
1161 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1162 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1163 -c "client hello, adding session ticket extension" \
1164 -s "found session ticket extension" \
1165 -s "server hello, adding session ticket extension" \
1166 -c "found session_ticket extension" \
1167 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1168 -S "session successfully restored from cache" \
1169 -s "session successfully restored from ticket" \
1170 -s "a session has been resumed" \
1171 -c "a session has been resumed"
1172
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1173run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1174 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1175 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1176 0 \
1177 -c "client hello, adding session ticket extension" \
1178 -s "found session ticket extension" \
1179 -s "server hello, adding session ticket extension" \
1180 -c "found session_ticket extension" \
1181 -c "parse new session ticket" \
1182 -S "session successfully restored from cache" \
1183 -s "session successfully restored from ticket" \
1184 -s "a session has been resumed" \
1185 -c "a session has been resumed"
1186
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1187run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1188 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1189 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1190 0 \
1191 -c "client hello, adding session ticket extension" \
1192 -s "found session ticket extension" \
1193 -s "server hello, adding session ticket extension" \
1194 -c "found session_ticket extension" \
1195 -c "parse new session ticket" \
1196 -S "session successfully restored from cache" \
1197 -S "session successfully restored from ticket" \
1198 -S "a session has been resumed" \
1199 -C "a session has been resumed"
1200
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1201run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1202 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1203 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1204 0 \
1205 -c "client hello, adding session ticket extension" \
1206 -c "found session_ticket extension" \
1207 -c "parse new session ticket" \
1208 -c "a session has been resumed"
1209
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1210run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1211 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1212 "( $O_CLI -sess_out $SESSION; \
1213 $O_CLI -sess_in $SESSION; \
1214 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1215 0 \
1216 -s "found session ticket extension" \
1217 -s "server hello, adding session ticket extension" \
1218 -S "session successfully restored from cache" \
1219 -s "session successfully restored from ticket" \
1220 -s "a session has been resumed"
1221
Hanno Becker16fe2fd2018-08-21 13:55:22 +0100[diff] [blame^]1222# Tests for Session Tickets with DTLS
1223
1224run_test "Session resume using tickets, DTLS: basic" \
1225 "$P_SRV debug_level=3 dtls=1 tickets=1" \
1226 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
1227 0 \
1228 -c "client hello, adding session ticket extension" \
1229 -s "found session ticket extension" \
1230 -s "server hello, adding session ticket extension" \
1231 -c "found session_ticket extension" \
1232 -c "parse new session ticket" \
1233 -S "session successfully restored from cache" \
1234 -s "session successfully restored from ticket" \
1235 -s "a session has been resumed" \
1236 -c "a session has been resumed"
1237
1238run_test "Session resume using tickets, DTLS: cache disabled" \
1239 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
1240 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
1241 0 \
1242 -c "client hello, adding session ticket extension" \
1243 -s "found session ticket extension" \
1244 -s "server hello, adding session ticket extension" \
1245 -c "found session_ticket extension" \
1246 -c "parse new session ticket" \
1247 -S "session successfully restored from cache" \
1248 -s "session successfully restored from ticket" \
1249 -s "a session has been resumed" \
1250 -c "a session has been resumed"
1251
1252run_test "Session resume using tickets, DTLS: timeout" \
1253 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
1254 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
1255 0 \
1256 -c "client hello, adding session ticket extension" \
1257 -s "found session ticket extension" \
1258 -s "server hello, adding session ticket extension" \
1259 -c "found session_ticket extension" \
1260 -c "parse new session ticket" \
1261 -S "session successfully restored from cache" \
1262 -S "session successfully restored from ticket" \
1263 -S "a session has been resumed" \
1264 -C "a session has been resumed"
1265
1266run_test "Session resume using tickets, DTLS: openssl server" \
1267 "$O_SRV -dtls1" \
1268 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1269 0 \
1270 -c "client hello, adding session ticket extension" \
1271 -c "found session_ticket extension" \
1272 -c "parse new session ticket" \
1273 -c "a session has been resumed"
1274
1275run_test "Session resume using tickets, DTLS: openssl client" \
1276 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1277 "( $O_CLI -dtls1 -sess_out $SESSION; \
1278 $O_CLI -dtls1 -sess_in $SESSION; \
1279 rm -f $SESSION )" \
1280 0 \
1281 -s "found session ticket extension" \
1282 -s "server hello, adding session ticket extension" \
1283 -S "session successfully restored from cache" \
1284 -s "session successfully restored from ticket" \
1285 -s "a session has been resumed"
1286
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1287# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1288
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1289run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1290 "$P_SRV debug_level=3 tickets=0" \
1291 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1292 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1293 -c "client hello, adding session ticket extension" \
1294 -s "found session ticket extension" \
1295 -S "server hello, adding session ticket extension" \
1296 -C "found session_ticket extension" \
1297 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1298 -s "session successfully restored from cache" \
1299 -S "session successfully restored from ticket" \
1300 -s "a session has been resumed" \
1301 -c "a session has been resumed"
1302
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1303run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1304 "$P_SRV debug_level=3 tickets=1" \
1305 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1306 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1307 -C "client hello, adding session ticket extension" \
1308 -S "found session ticket extension" \
1309 -S "server hello, adding session ticket extension" \
1310 -C "found session_ticket extension" \
1311 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1312 -s "session successfully restored from cache" \
1313 -S "session successfully restored from ticket" \
1314 -s "a session has been resumed" \
1315 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1316
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1317run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1318 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1319 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1320 0 \
1321 -S "session successfully restored from cache" \
1322 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1323 -S "a session has been resumed" \
1324 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1325
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1326run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1327 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1328 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1329 0 \
1330 -s "session successfully restored from cache" \
1331 -S "session successfully restored from ticket" \
1332 -s "a session has been resumed" \
1333 -c "a session has been resumed"
1334
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1335run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1336 "$P_SRV debug_level=3 tickets=0" \
1337 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1338 0 \
1339 -s "session successfully restored from cache" \
1340 -S "session successfully restored from ticket" \
1341 -s "a session has been resumed" \
1342 -c "a session has been resumed"
1343
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1344run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1345 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1346 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1347 0 \
1348 -S "session successfully restored from cache" \
1349 -S "session successfully restored from ticket" \
1350 -S "a session has been resumed" \
1351 -C "a session has been resumed"
1352
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1353run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1354 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1355 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1356 0 \
1357 -s "session successfully restored from cache" \
1358 -S "session successfully restored from ticket" \
1359 -s "a session has been resumed" \
1360 -c "a session has been resumed"
1361
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1362run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1363 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1364 "( $O_CLI -sess_out $SESSION; \
1365 $O_CLI -sess_in $SESSION; \
1366 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1367 0 \
1368 -s "found session ticket extension" \
1369 -S "server hello, adding session ticket extension" \
1370 -s "session successfully restored from cache" \
1371 -S "session successfully restored from ticket" \
1372 -s "a session has been resumed"
1373
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1374run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1375 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1376 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1377 0 \
1378 -C "found session_ticket extension" \
1379 -C "parse new session ticket" \
1380 -c "a session has been resumed"
1381
Hanno Becker16fe2fd2018-08-21 13:55:22 +0100[diff] [blame^]1382# Tests for Session Resume based on session-ID and cache, DTLS
1383
1384run_test "Session resume using cache, DTLS: tickets enabled on client" \
1385 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1386 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1387 0 \
1388 -c "client hello, adding session ticket extension" \
1389 -s "found session ticket extension" \
1390 -S "server hello, adding session ticket extension" \
1391 -C "found session_ticket extension" \
1392 -C "parse new session ticket" \
1393 -s "session successfully restored from cache" \
1394 -S "session successfully restored from ticket" \
1395 -s "a session has been resumed" \
1396 -c "a session has been resumed"
1397
1398run_test "Session resume using cache, DTLS: tickets enabled on server" \
1399 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1400 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1401 0 \
1402 -C "client hello, adding session ticket extension" \
1403 -S "found session ticket extension" \
1404 -S "server hello, adding session ticket extension" \
1405 -C "found session_ticket extension" \
1406 -C "parse new session ticket" \
1407 -s "session successfully restored from cache" \
1408 -S "session successfully restored from ticket" \
1409 -s "a session has been resumed" \
1410 -c "a session has been resumed"
1411
1412run_test "Session resume using cache, DTLS: cache_max=0" \
1413 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
1414 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1415 0 \
1416 -S "session successfully restored from cache" \
1417 -S "session successfully restored from ticket" \
1418 -S "a session has been resumed" \
1419 -C "a session has been resumed"
1420
1421run_test "Session resume using cache, DTLS: cache_max=1" \
1422 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
1423 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1424 0 \
1425 -s "session successfully restored from cache" \
1426 -S "session successfully restored from ticket" \
1427 -s "a session has been resumed" \
1428 -c "a session has been resumed"
1429
1430run_test "Session resume using cache, DTLS: timeout > delay" \
1431 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1432 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
1433 0 \
1434 -s "session successfully restored from cache" \
1435 -S "session successfully restored from ticket" \
1436 -s "a session has been resumed" \
1437 -c "a session has been resumed"
1438
1439run_test "Session resume using cache, DTLS: timeout < delay" \
1440 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
1441 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
1442 0 \
1443 -S "session successfully restored from cache" \
1444 -S "session successfully restored from ticket" \
1445 -S "a session has been resumed" \
1446 -C "a session has been resumed"
1447
1448run_test "Session resume using cache, DTLS: no timeout" \
1449 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
1450 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
1451 0 \
1452 -s "session successfully restored from cache" \
1453 -S "session successfully restored from ticket" \
1454 -s "a session has been resumed" \
1455 -c "a session has been resumed"
1456
1457run_test "Session resume using cache, DTLS: openssl client" \
1458 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1459 "( $O_CLI -dtls1 -sess_out $SESSION; \
1460 $O_CLI -dtls1 -sess_in $SESSION; \
1461 rm -f $SESSION )" \
1462 0 \
1463 -s "found session ticket extension" \
1464 -S "server hello, adding session ticket extension" \
1465 -s "session successfully restored from cache" \
1466 -S "session successfully restored from ticket" \
1467 -s "a session has been resumed"
1468
1469run_test "Session resume using cache, DTLS: openssl server" \
1470 "$O_SRV -dtls1" \
1471 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1472 0 \
1473 -C "found session_ticket extension" \
1474 -C "parse new session ticket" \
1475 -c "a session has been resumed"
1476
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1477# Tests for Max Fragment Length extension
1478
Hanno Becker64691dc2017-09-22 16:58:50 +0100[diff] [blame]1479MAX_CONTENT_LEN_EXPECT='16384'
1480MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
1481
1482if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
1483 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
1484 printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
1485 printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
1486 printf "\n"
1487 printf "The tests assume this value and if it changes, the tests in this\n"
1488 printf "script should also be adjusted.\n"
1489 printf "\n"
1490
1491 exit 1
1492fi
1493
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1494requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1495run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1496 "$P_SRV debug_level=3" \
1497 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1498 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1499 -c "Maximum fragment length is 16384" \
1500 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1501 -C "client hello, adding max_fragment_length extension" \
1502 -S "found max fragment length extension" \
1503 -S "server hello, max_fragment_length extension" \
1504 -C "found max_fragment_length extension"
1505
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1506requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1507run_test "Max fragment length: enabled, default, larger message" \
1508 "$P_SRV debug_level=3" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1509 "$P_CLI debug_level=3 request_size=16385" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1510 0 \
1511 -c "Maximum fragment length is 16384" \
1512 -s "Maximum fragment length is 16384" \
1513 -C "client hello, adding max_fragment_length extension" \
1514 -S "found max fragment length extension" \
1515 -S "server hello, max_fragment_length extension" \
1516 -C "found max_fragment_length extension" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1517 -c "16385 bytes written in 2 fragments" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1518 -s "16384 bytes read" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1519 -s "1 bytes read"
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1520
1521requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1522run_test "Max fragment length, DTLS: enabled, default, larger message" \
1523 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1524 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1525 1 \
1526 -c "Maximum fragment length is 16384" \
1527 -s "Maximum fragment length is 16384" \
1528 -C "client hello, adding max_fragment_length extension" \
1529 -S "found max fragment length extension" \
1530 -S "server hello, max_fragment_length extension" \
1531 -C "found max_fragment_length extension" \
1532 -c "fragment larger than.*maximum "
1533
1534requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1535run_test "Max fragment length: disabled, larger message" \
1536 "$P_SRV debug_level=3" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1537 "$P_CLI debug_level=3 request_size=16385" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1538 0 \
1539 -C "Maximum fragment length is 16384" \
1540 -S "Maximum fragment length is 16384" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1541 -c "16385 bytes written in 2 fragments" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1542 -s "16384 bytes read" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1543 -s "1 bytes read"
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1544
1545requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1546run_test "Max fragment length DTLS: disabled, larger message" \
1547 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1548 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1549 1 \
1550 -C "Maximum fragment length is 16384" \
1551 -S "Maximum fragment length is 16384" \
1552 -c "fragment larger than.*maximum "
1553
1554requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1555run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1556 "$P_SRV debug_level=3" \
1557 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1558 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1559 -c "Maximum fragment length is 4096" \
1560 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1561 -c "client hello, adding max_fragment_length extension" \
1562 -s "found max fragment length extension" \
1563 -s "server hello, max_fragment_length extension" \
1564 -c "found max_fragment_length extension"
1565
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1566requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1567run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1568 "$P_SRV debug_level=3 max_frag_len=4096" \
1569 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1570 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1571 -c "Maximum fragment length is 16384" \
1572 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1573 -C "client hello, adding max_fragment_length extension" \
1574 -S "found max fragment length extension" \
1575 -S "server hello, max_fragment_length extension" \
1576 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1577
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1578requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1579requires_gnutls
1580run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1581 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1582 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1583 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1584 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1585 -c "client hello, adding max_fragment_length extension" \
1586 -c "found max_fragment_length extension"
1587
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1588requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1589run_test "Max fragment length: client, message just fits" \
1590 "$P_SRV debug_level=3" \
1591 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1592 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1593 -c "Maximum fragment length is 2048" \
1594 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1595 -c "client hello, adding max_fragment_length extension" \
1596 -s "found max fragment length extension" \
1597 -s "server hello, max_fragment_length extension" \
1598 -c "found max_fragment_length extension" \
1599 -c "2048 bytes written in 1 fragments" \
1600 -s "2048 bytes read"
1601
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1602requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1603run_test "Max fragment length: client, larger message" \
1604 "$P_SRV debug_level=3" \
1605 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1606 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1607 -c "Maximum fragment length is 2048" \
1608 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1609 -c "client hello, adding max_fragment_length extension" \
1610 -s "found max fragment length extension" \
1611 -s "server hello, max_fragment_length extension" \
1612 -c "found max_fragment_length extension" \
1613 -c "2345 bytes written in 2 fragments" \
1614 -s "2048 bytes read" \
1615 -s "297 bytes read"
1616
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1617requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1618run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1619 "$P_SRV debug_level=3 dtls=1" \
1620 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1621 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1622 -c "Maximum fragment length is 2048" \
1623 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1624 -c "client hello, adding max_fragment_length extension" \
1625 -s "found max fragment length extension" \
1626 -s "server hello, max_fragment_length extension" \
1627 -c "found max_fragment_length extension" \
1628 -c "fragment larger than.*maximum"
1629
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1630# Tests for renegotiation
1631
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1632run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1633 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1634 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1635 0 \
1636 -C "client hello, adding renegotiation extension" \
1637 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1638 -S "found renegotiation extension" \
1639 -s "server hello, secure renegotiation extension" \
1640 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1641 -C "=> renegotiate" \
1642 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1643 -S "write hello request"
1644
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1645requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1646run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1647 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1648 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1649 0 \
1650 -c "client hello, adding renegotiation extension" \
1651 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1652 -s "found renegotiation extension" \
1653 -s "server hello, secure renegotiation extension" \
1654 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1655 -c "=> renegotiate" \
1656 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1657 -S "write hello request"
1658
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1659requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1660run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1661 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1662 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1663 0 \
1664 -c "client hello, adding renegotiation extension" \
1665 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1666 -s "found renegotiation extension" \
1667 -s "server hello, secure renegotiation extension" \
1668 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1669 -c "=> renegotiate" \
1670 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1671 -s "write hello request"
1672
Janos Follath5f1dd802017-10-05 12:29:42 +0100[diff] [blame]1673# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1674# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1675# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1676requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follath5f1dd802017-10-05 12:29:42 +0100[diff] [blame]1677run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1678 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1679 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1680 0 \
1681 -c "client hello, adding renegotiation extension" \
1682 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1683 -s "found renegotiation extension" \
1684 -s "server hello, secure renegotiation extension" \
1685 -c "found renegotiation extension" \
1686 -c "=> renegotiate" \
1687 -s "=> renegotiate" \
1688 -S "write hello request" \
1689 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1690
1691# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1692# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1693# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1694requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follath5f1dd802017-10-05 12:29:42 +0100[diff] [blame]1695run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1696 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1697 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1698 0 \
1699 -c "client hello, adding renegotiation extension" \
1700 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1701 -s "found renegotiation extension" \
1702 -s "server hello, secure renegotiation extension" \
1703 -c "found renegotiation extension" \
1704 -c "=> renegotiate" \
1705 -s "=> renegotiate" \
1706 -s "write hello request" \
1707 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1708
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1709requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1710run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1711 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1712 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1713 0 \
1714 -c "client hello, adding renegotiation extension" \
1715 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1716 -s "found renegotiation extension" \
1717 -s "server hello, secure renegotiation extension" \
1718 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1719 -c "=> renegotiate" \
1720 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1721 -s "write hello request"
1722
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1723requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1724run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1725 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1726 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1727 1 \
1728 -c "client hello, adding renegotiation extension" \
1729 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1730 -S "found renegotiation extension" \
1731 -s "server hello, secure renegotiation extension" \
1732 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1733 -c "=> renegotiate" \
1734 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1735 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1736 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1737 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1738
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1739requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1740run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1741 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1742 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1743 0 \
1744 -C "client hello, adding renegotiation extension" \
1745 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1746 -S "found renegotiation extension" \
1747 -s "server hello, secure renegotiation extension" \
1748 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1749 -C "=> renegotiate" \
1750 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1751 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1752 -S "SSL - An unexpected message was received from our peer" \
1753 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1754
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1755requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1756run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1757 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1758 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1759 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1760 0 \
1761 -C "client hello, adding renegotiation extension" \
1762 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1763 -S "found renegotiation extension" \
1764 -s "server hello, secure renegotiation extension" \
1765 -c "found renegotiation extension" \
1766 -C "=> renegotiate" \
1767 -S "=> renegotiate" \
1768 -s "write hello request" \
1769 -S "SSL - An unexpected message was received from our peer" \
1770 -S "failed"
1771
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1772# delay 2 for 1 alert record + 1 application data record
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1773requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1774run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1775 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1776 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1777 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1778 0 \
1779 -C "client hello, adding renegotiation extension" \
1780 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1781 -S "found renegotiation extension" \
1782 -s "server hello, secure renegotiation extension" \
1783 -c "found renegotiation extension" \
1784 -C "=> renegotiate" \
1785 -S "=> renegotiate" \
1786 -s "write hello request" \
1787 -S "SSL - An unexpected message was received from our peer" \
1788 -S "failed"
1789
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1790requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1791run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1792 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1793 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1794 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1795 0 \
1796 -C "client hello, adding renegotiation extension" \
1797 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1798 -S "found renegotiation extension" \
1799 -s "server hello, secure renegotiation extension" \
1800 -c "found renegotiation extension" \
1801 -C "=> renegotiate" \
1802 -S "=> renegotiate" \
1803 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1804 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1805
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1806requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1807run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1808 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1809 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1810 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1811 0 \
1812 -c "client hello, adding renegotiation extension" \
1813 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1814 -s "found renegotiation extension" \
1815 -s "server hello, secure renegotiation extension" \
1816 -c "found renegotiation extension" \
1817 -c "=> renegotiate" \
1818 -s "=> renegotiate" \
1819 -s "write hello request" \
1820 -S "SSL - An unexpected message was received from our peer" \
1821 -S "failed"
1822
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1823requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1824run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1825 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1826 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1827 0 \
1828 -C "client hello, adding renegotiation extension" \
1829 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1830 -S "found renegotiation extension" \
1831 -s "server hello, secure renegotiation extension" \
1832 -c "found renegotiation extension" \
1833 -S "record counter limit reached: renegotiate" \
1834 -C "=> renegotiate" \
1835 -S "=> renegotiate" \
1836 -S "write hello request" \
1837 -S "SSL - An unexpected message was received from our peer" \
1838 -S "failed"
1839
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1840# one extra exchange to be able to complete renego
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1841requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1842run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1843 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1844 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1845 0 \
1846 -c "client hello, adding renegotiation extension" \
1847 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1848 -s "found renegotiation extension" \
1849 -s "server hello, secure renegotiation extension" \
1850 -c "found renegotiation extension" \
1851 -s "record counter limit reached: renegotiate" \
1852 -c "=> renegotiate" \
1853 -s "=> renegotiate" \
1854 -s "write hello request" \
1855 -S "SSL - An unexpected message was received from our peer" \
1856 -S "failed"
1857
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1858requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1859run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1860 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1861 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1862 0 \
1863 -c "client hello, adding renegotiation extension" \
1864 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1865 -s "found renegotiation extension" \
1866 -s "server hello, secure renegotiation extension" \
1867 -c "found renegotiation extension" \
1868 -s "record counter limit reached: renegotiate" \
1869 -c "=> renegotiate" \
1870 -s "=> renegotiate" \
1871 -s "write hello request" \
1872 -S "SSL - An unexpected message was received from our peer" \
1873 -S "failed"
1874
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1875requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1876run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1877 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1878 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1879 0 \
1880 -C "client hello, adding renegotiation extension" \
1881 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1882 -S "found renegotiation extension" \
1883 -s "server hello, secure renegotiation extension" \
1884 -c "found renegotiation extension" \
1885 -S "record counter limit reached: renegotiate" \
1886 -C "=> renegotiate" \
1887 -S "=> renegotiate" \
1888 -S "write hello request" \
1889 -S "SSL - An unexpected message was received from our peer" \
1890 -S "failed"
1891
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1892requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1893run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1894 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1895 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1896 0 \
1897 -c "client hello, adding renegotiation extension" \
1898 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1899 -s "found renegotiation extension" \
1900 -s "server hello, secure renegotiation extension" \
1901 -c "found renegotiation extension" \
1902 -c "=> renegotiate" \
1903 -s "=> renegotiate" \
1904 -S "write hello request"
1905
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1906requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1907run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1908 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1909 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1910 0 \
1911 -c "client hello, adding renegotiation extension" \
1912 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1913 -s "found renegotiation extension" \
1914 -s "server hello, secure renegotiation extension" \
1915 -c "found renegotiation extension" \
1916 -c "=> renegotiate" \
1917 -s "=> renegotiate" \
1918 -s "write hello request"
1919
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1920requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1921run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1922 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1923 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1924 0 \
1925 -c "client hello, adding renegotiation extension" \
1926 -c "found renegotiation extension" \
1927 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1928 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1929 -C "error" \
1930 -c "HTTP/1.0 200 [Oo][Kk]"
1931
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1932requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1933requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1934run_test "Renegotiation: gnutls server strict, client-initiated" \
1935 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1936 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1937 0 \
1938 -c "client hello, adding renegotiation extension" \
1939 -c "found renegotiation extension" \
1940 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1941 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1942 -C "error" \
1943 -c "HTTP/1.0 200 [Oo][Kk]"
1944
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1945requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1946requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1947run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1948 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1949 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1950 1 \
1951 -c "client hello, adding renegotiation extension" \
1952 -C "found renegotiation extension" \
1953 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1954 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1955 -c "error" \
1956 -C "HTTP/1.0 200 [Oo][Kk]"
1957
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1958requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1959requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1960run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1961 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1962 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1963 allow_legacy=0" \
1964 1 \
1965 -c "client hello, adding renegotiation extension" \
1966 -C "found renegotiation extension" \
1967 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1968 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1969 -c "error" \
1970 -C "HTTP/1.0 200 [Oo][Kk]"
1971
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1972requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1973requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1974run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1975 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1976 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1977 allow_legacy=1" \
1978 0 \
1979 -c "client hello, adding renegotiation extension" \
1980 -C "found renegotiation extension" \
1981 -c "=> renegotiate" \
1982 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1983 -C "error" \
1984 -c "HTTP/1.0 200 [Oo][Kk]"
1985
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1986requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1987run_test "Renegotiation: DTLS, client-initiated" \
1988 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1989 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1990 0 \
1991 -c "client hello, adding renegotiation extension" \
1992 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1993 -s "found renegotiation extension" \
1994 -s "server hello, secure renegotiation extension" \
1995 -c "found renegotiation extension" \
1996 -c "=> renegotiate" \
1997 -s "=> renegotiate" \
1998 -S "write hello request"
1999
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]2000requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2001run_test "Renegotiation: DTLS, server-initiated" \
2002 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]2003 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
2004 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2005 0 \
2006 -c "client hello, adding renegotiation extension" \
2007 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2008 -s "found renegotiation extension" \
2009 -s "server hello, secure renegotiation extension" \
2010 -c "found renegotiation extension" \
2011 -c "=> renegotiate" \
2012 -s "=> renegotiate" \
2013 -s "write hello request"
2014
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]2015requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG9b1927b2017-01-19 16:30:57 +0000[diff] [blame]2016run_test "Renegotiation: DTLS, renego_period overflow" \
2017 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
2018 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
2019 0 \
2020 -c "client hello, adding renegotiation extension" \
2021 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2022 -s "found renegotiation extension" \
2023 -s "server hello, secure renegotiation extension" \
2024 -s "record counter limit reached: renegotiate" \
2025 -c "=> renegotiate" \
2026 -s "=> renegotiate" \
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]2027 -s "write hello request"
Andres AG9b1927b2017-01-19 16:30:57 +0000[diff] [blame]2028
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]2029requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]2030requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2031run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
2032 "$G_SRV -u --mtu 4096" \
2033 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
2034 0 \
2035 -c "client hello, adding renegotiation extension" \
2036 -c "found renegotiation extension" \
2037 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2038 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2039 -C "error" \
2040 -s "Extra-header:"
2041
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2042# Test for the "secure renegotation" extension only (no actual renegotiation)
2043
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2044requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2045run_test "Renego ext: gnutls server strict, client default" \
2046 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
2047 "$P_CLI debug_level=3" \
2048 0 \
2049 -c "found renegotiation extension" \
2050 -C "error" \
2051 -c "HTTP/1.0 200 [Oo][Kk]"
2052
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2053requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2054run_test "Renego ext: gnutls server unsafe, client default" \
2055 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2056 "$P_CLI debug_level=3" \
2057 0 \
2058 -C "found renegotiation extension" \
2059 -C "error" \
2060 -c "HTTP/1.0 200 [Oo][Kk]"
2061
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2062requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2063run_test "Renego ext: gnutls server unsafe, client break legacy" \
2064 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2065 "$P_CLI debug_level=3 allow_legacy=-1" \
2066 1 \
2067 -C "found renegotiation extension" \
2068 -c "error" \
2069 -C "HTTP/1.0 200 [Oo][Kk]"
2070
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2071requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2072run_test "Renego ext: gnutls client strict, server default" \
2073 "$P_SRV debug_level=3" \
2074 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
2075 0 \
2076 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2077 -s "server hello, secure renegotiation extension"
2078
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2079requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2080run_test "Renego ext: gnutls client unsafe, server default" \
2081 "$P_SRV debug_level=3" \
2082 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2083 0 \
2084 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2085 -S "server hello, secure renegotiation extension"
2086
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2087requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2088run_test "Renego ext: gnutls client unsafe, server break legacy" \
2089 "$P_SRV debug_level=3 allow_legacy=-1" \
2090 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2091 1 \
2092 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2093 -S "server hello, secure renegotiation extension"
2094
Janos Follath365b2262016-02-17 10:11:21 +0000[diff] [blame]2095# Tests for silently dropping trailing extra bytes in .der certificates
2096
2097requires_gnutls
2098run_test "DER format: no trailing bytes" \
2099 "$P_SRV crt_file=data_files/server5-der0.crt \
2100 key_file=data_files/server5.key" \
2101 "$G_CLI " \
2102 0 \
2103 -c "Handshake was completed" \
2104
2105requires_gnutls
2106run_test "DER format: with a trailing zero byte" \
2107 "$P_SRV crt_file=data_files/server5-der1a.crt \
2108 key_file=data_files/server5.key" \
2109 "$G_CLI " \
2110 0 \
2111 -c "Handshake was completed" \
2112
2113requires_gnutls
2114run_test "DER format: with a trailing random byte" \
2115 "$P_SRV crt_file=data_files/server5-der1b.crt \
2116 key_file=data_files/server5.key" \
2117 "$G_CLI " \
2118 0 \
2119 -c "Handshake was completed" \
2120
2121requires_gnutls
2122run_test "DER format: with 2 trailing random bytes" \
2123 "$P_SRV crt_file=data_files/server5-der2.crt \
2124 key_file=data_files/server5.key" \
2125 "$G_CLI " \
2126 0 \
2127 -c "Handshake was completed" \
2128
2129requires_gnutls
2130run_test "DER format: with 4 trailing random bytes" \
2131 "$P_SRV crt_file=data_files/server5-der4.crt \
2132 key_file=data_files/server5.key" \
2133 "$G_CLI " \
2134 0 \
2135 -c "Handshake was completed" \
2136
2137requires_gnutls
2138run_test "DER format: with 8 trailing random bytes" \
2139 "$P_SRV crt_file=data_files/server5-der8.crt \
2140 key_file=data_files/server5.key" \
2141 "$G_CLI " \
2142 0 \
2143 -c "Handshake was completed" \
2144
2145requires_gnutls
2146run_test "DER format: with 9 trailing random bytes" \
2147 "$P_SRV crt_file=data_files/server5-der9.crt \
2148 key_file=data_files/server5.key" \
2149 "$G_CLI " \
2150 0 \
2151 -c "Handshake was completed" \
2152
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2153# Tests for auth_mode
2154
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2155run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2156 "$P_SRV crt_file=data_files/server5-badsign.crt \
2157 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2158 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2159 1 \
2160 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2161 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2162 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2163 -c "X509 - Certificate verification failed"
2164
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2165run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2166 "$P_SRV crt_file=data_files/server5-badsign.crt \
2167 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2168 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2169 0 \
2170 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2171 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2172 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2173 -C "X509 - Certificate verification failed"
2174
Hanno Becker61c0c702017-05-15 16:05:15 +0100[diff] [blame]2175run_test "Authentication: server goodcert, client optional, no trusted CA" \
2176 "$P_SRV" \
2177 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2178 0 \
2179 -c "x509_verify_cert() returned" \
2180 -c "! The certificate is not correctly signed by the trusted CA" \
2181 -c "! Certificate verification flags"\
2182 -C "! mbedtls_ssl_handshake returned" \
2183 -C "X509 - Certificate verification failed" \
2184 -C "SSL - No CA Chain is set, but required to operate"
2185
2186run_test "Authentication: server goodcert, client required, no trusted CA" \
2187 "$P_SRV" \
2188 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2189 1 \
2190 -c "x509_verify_cert() returned" \
2191 -c "! The certificate is not correctly signed by the trusted CA" \
2192 -c "! Certificate verification flags"\
2193 -c "! mbedtls_ssl_handshake returned" \
2194 -c "SSL - No CA Chain is set, but required to operate"
2195
2196# The purpose of the next two tests is to test the client's behaviour when receiving a server
2197# certificate with an unsupported elliptic curve. This should usually not happen because
2198# the client informs the server about the supported curves - it does, though, in the
2199# corner case of a static ECDH suite, because the server doesn't check the curve on that
2200# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
2201# different means to have the server ignoring the client's supported curve list.
2202
2203requires_config_enabled MBEDTLS_ECP_C
2204run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2205 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2206 crt_file=data_files/server5.ku-ka.crt" \
2207 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2208 1 \
2209 -c "bad certificate (EC key curve)"\
2210 -c "! Certificate verification flags"\
2211 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2212
2213requires_config_enabled MBEDTLS_ECP_C
2214run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2215 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2216 crt_file=data_files/server5.ku-ka.crt" \
2217 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2218 1 \
2219 -c "bad certificate (EC key curve)"\
2220 -c "! Certificate verification flags"\
2221 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2222
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2223run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2224 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2225 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2226 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2227 0 \
2228 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2229 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2230 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2231 -C "X509 - Certificate verification failed"
2232
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2233run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2234 "$P_SRV debug_level=3 auth_mode=required" \
2235 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2236 key_file=data_files/server5.key" \
2237 1 \
2238 -S "skip write certificate request" \
2239 -C "skip parse certificate request" \
2240 -c "got a certificate request" \
2241 -C "skip write certificate" \
2242 -C "skip write certificate verify" \
2243 -S "skip parse certificate verify" \
2244 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2245 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2246 -s "! mbedtls_ssl_handshake returned" \
2247 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2248 -s "X509 - Certificate verification failed"
2249
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2250run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2251 "$P_SRV debug_level=3 auth_mode=optional" \
2252 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2253 key_file=data_files/server5.key" \
2254 0 \
2255 -S "skip write certificate request" \
2256 -C "skip parse certificate request" \
2257 -c "got a certificate request" \
2258 -C "skip write certificate" \
2259 -C "skip write certificate verify" \
2260 -S "skip parse certificate verify" \
2261 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2262 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2263 -S "! mbedtls_ssl_handshake returned" \
2264 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2265 -S "X509 - Certificate verification failed"
2266
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2267run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2268 "$P_SRV debug_level=3 auth_mode=none" \
2269 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2270 key_file=data_files/server5.key" \
2271 0 \
2272 -s "skip write certificate request" \
2273 -C "skip parse certificate request" \
2274 -c "got no certificate request" \
2275 -c "skip write certificate" \
2276 -c "skip write certificate verify" \
2277 -s "skip parse certificate verify" \
2278 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2279 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2280 -S "! mbedtls_ssl_handshake returned" \
2281 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2282 -S "X509 - Certificate verification failed"
2283
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2284run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2285 "$P_SRV debug_level=3 auth_mode=optional" \
2286 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2287 0 \
2288 -S "skip write certificate request" \
2289 -C "skip parse certificate request" \
2290 -c "got a certificate request" \
2291 -C "skip write certificate$" \
2292 -C "got no certificate to send" \
2293 -S "SSLv3 client has no certificate" \
2294 -c "skip write certificate verify" \
2295 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2296 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2297 -S "! mbedtls_ssl_handshake returned" \
2298 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2299 -S "X509 - Certificate verification failed"
2300
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2301run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2302 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2303 "$O_CLI" \
2304 0 \
2305 -S "skip write certificate request" \
2306 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2307 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2308 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2309 -S "X509 - Certificate verification failed"
2310
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2311run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2312 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2313 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2314 0 \
2315 -C "skip parse certificate request" \
2316 -c "got a certificate request" \
2317 -C "skip write certificate$" \
2318 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2319 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2320
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2321requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2322run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2323 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2324 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2325 0 \
2326 -S "skip write certificate request" \
2327 -C "skip parse certificate request" \
2328 -c "got a certificate request" \
2329 -C "skip write certificate$" \
2330 -c "skip write certificate verify" \
2331 -c "got no certificate to send" \
2332 -s "SSLv3 client has no certificate" \
2333 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2334 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2335 -S "! mbedtls_ssl_handshake returned" \
2336 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2337 -S "X509 - Certificate verification failed"
2338
Manuel Pégourié-Gonnard591035d2017-06-26 10:45:33 +0200[diff] [blame]2339run_test "Authentication: server max_int chain, client default" \
2340 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2341 key_file=data_files/dir-maxpath/09.key" \
2342 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2343 0 \
2344 -C "X509 - A fatal error occured"
2345
2346run_test "Authentication: server max_int+1 chain, client default" \
2347 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2348 key_file=data_files/dir-maxpath/10.key" \
2349 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2350 1 \
2351 -c "X509 - A fatal error occured"
2352
2353run_test "Authentication: server max_int+1 chain, client optional" \
2354 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2355 key_file=data_files/dir-maxpath/10.key" \
2356 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2357 auth_mode=optional" \
2358 1 \
2359 -c "X509 - A fatal error occured"
2360
2361run_test "Authentication: server max_int+1 chain, client none" \
2362 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2363 key_file=data_files/dir-maxpath/10.key" \
2364 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2365 auth_mode=none" \
2366 0 \
2367 -C "X509 - A fatal error occured"
2368
2369run_test "Authentication: client max_int+1 chain, server default" \
2370 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2371 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2372 key_file=data_files/dir-maxpath/10.key" \
2373 0 \
2374 -S "X509 - A fatal error occured"
2375
2376run_test "Authentication: client max_int+1 chain, server optional" \
2377 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2378 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2379 key_file=data_files/dir-maxpath/10.key" \
2380 1 \
2381 -s "X509 - A fatal error occured"
2382
2383run_test "Authentication: client max_int+1 chain, server required" \
2384 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2385 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2386 key_file=data_files/dir-maxpath/10.key" \
2387 1 \
2388 -s "X509 - A fatal error occured"
2389
2390run_test "Authentication: client max_int chain, server required" \
2391 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2392 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2393 key_file=data_files/dir-maxpath/09.key" \
2394 0 \
2395 -S "X509 - A fatal error occured"
2396
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2397# Tests for certificate selection based on SHA verson
2398
2399run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2400 "$P_SRV crt_file=data_files/server5.crt \
2401 key_file=data_files/server5.key \
2402 crt_file2=data_files/server5-sha1.crt \
2403 key_file2=data_files/server5.key" \
2404 "$P_CLI force_version=tls1_2" \
2405 0 \
2406 -c "signed using.*ECDSA with SHA256" \
2407 -C "signed using.*ECDSA with SHA1"
2408
2409run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2410 "$P_SRV crt_file=data_files/server5.crt \
2411 key_file=data_files/server5.key \
2412 crt_file2=data_files/server5-sha1.crt \
2413 key_file2=data_files/server5.key" \
2414 "$P_CLI force_version=tls1_1" \
2415 0 \
2416 -C "signed using.*ECDSA with SHA256" \
2417 -c "signed using.*ECDSA with SHA1"
2418
2419run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2420 "$P_SRV crt_file=data_files/server5.crt \
2421 key_file=data_files/server5.key \
2422 crt_file2=data_files/server5-sha1.crt \
2423 key_file2=data_files/server5.key" \
2424 "$P_CLI force_version=tls1" \
2425 0 \
2426 -C "signed using.*ECDSA with SHA256" \
2427 -c "signed using.*ECDSA with SHA1"
2428
2429run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2430 "$P_SRV crt_file=data_files/server5.crt \
2431 key_file=data_files/server5.key \
2432 crt_file2=data_files/server6.crt \
2433 key_file2=data_files/server6.key" \
2434 "$P_CLI force_version=tls1_1" \
2435 0 \
2436 -c "serial number.*09" \
2437 -c "signed using.*ECDSA with SHA256" \
2438 -C "signed using.*ECDSA with SHA1"
2439
2440run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2441 "$P_SRV crt_file=data_files/server6.crt \
2442 key_file=data_files/server6.key \
2443 crt_file2=data_files/server5.crt \
2444 key_file2=data_files/server5.key" \
2445 "$P_CLI force_version=tls1_1" \
2446 0 \
2447 -c "serial number.*0A" \
2448 -c "signed using.*ECDSA with SHA256" \
2449 -C "signed using.*ECDSA with SHA1"
2450
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2451# tests for SNI
2452
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2453run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2454 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2455 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2456 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2457 0 \
2458 -S "parse ServerName extension" \
2459 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2460 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2461
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2462run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2463 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2464 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2465 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2466 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2467 0 \
2468 -s "parse ServerName extension" \
2469 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2470 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2471
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2472run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2473 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2474 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2475 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2476 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2477 0 \
2478 -s "parse ServerName extension" \
2479 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2480 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2481
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2482run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2483 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2484 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2485 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2486 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2487 1 \
2488 -s "parse ServerName extension" \
2489 -s "ssl_sni_wrapper() returned" \
2490 -s "mbedtls_ssl_handshake returned" \
2491 -c "mbedtls_ssl_handshake returned" \
2492 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2493
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2494run_test "SNI: client auth no override: optional" \
2495 "$P_SRV debug_level=3 auth_mode=optional \
2496 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2497 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2498 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2499 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2500 -S "skip write certificate request" \
2501 -C "skip parse certificate request" \
2502 -c "got a certificate request" \
2503 -C "skip write certificate" \
2504 -C "skip write certificate verify" \
2505 -S "skip parse certificate verify"
2506
2507run_test "SNI: client auth override: none -> optional" \
2508 "$P_SRV debug_level=3 auth_mode=none \
2509 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2510 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2511 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2512 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2513 -S "skip write certificate request" \
2514 -C "skip parse certificate request" \
2515 -c "got a certificate request" \
2516 -C "skip write certificate" \
2517 -C "skip write certificate verify" \
2518 -S "skip parse certificate verify"
2519
2520run_test "SNI: client auth override: optional -> none" \
2521 "$P_SRV debug_level=3 auth_mode=optional \
2522 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2523 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2524 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2525 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2526 -s "skip write certificate request" \
2527 -C "skip parse certificate request" \
2528 -c "got no certificate request" \
2529 -c "skip write certificate" \
2530 -c "skip write certificate verify" \
2531 -s "skip parse certificate verify"
2532
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2533run_test "SNI: CA no override" \
2534 "$P_SRV debug_level=3 auth_mode=optional \
2535 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2536 ca_file=data_files/test-ca.crt \
2537 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2538 "$P_CLI debug_level=3 server_name=localhost \
2539 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2540 1 \
2541 -S "skip write certificate request" \
2542 -C "skip parse certificate request" \
2543 -c "got a certificate request" \
2544 -C "skip write certificate" \
2545 -C "skip write certificate verify" \
2546 -S "skip parse certificate verify" \
2547 -s "x509_verify_cert() returned" \
2548 -s "! The certificate is not correctly signed by the trusted CA" \
2549 -S "The certificate has been revoked (is on a CRL)"
2550
2551run_test "SNI: CA override" \
2552 "$P_SRV debug_level=3 auth_mode=optional \
2553 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2554 ca_file=data_files/test-ca.crt \
2555 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2556 "$P_CLI debug_level=3 server_name=localhost \
2557 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2558 0 \
2559 -S "skip write certificate request" \
2560 -C "skip parse certificate request" \
2561 -c "got a certificate request" \
2562 -C "skip write certificate" \
2563 -C "skip write certificate verify" \
2564 -S "skip parse certificate verify" \
2565 -S "x509_verify_cert() returned" \
2566 -S "! The certificate is not correctly signed by the trusted CA" \
2567 -S "The certificate has been revoked (is on a CRL)"
2568
2569run_test "SNI: CA override with CRL" \
2570 "$P_SRV debug_level=3 auth_mode=optional \
2571 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2572 ca_file=data_files/test-ca.crt \
2573 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2574 "$P_CLI debug_level=3 server_name=localhost \
2575 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2576 1 \
2577 -S "skip write certificate request" \
2578 -C "skip parse certificate request" \
2579 -c "got a certificate request" \
2580 -C "skip write certificate" \
2581 -C "skip write certificate verify" \
2582 -S "skip parse certificate verify" \
2583 -s "x509_verify_cert() returned" \
2584 -S "! The certificate is not correctly signed by the trusted CA" \
2585 -s "The certificate has been revoked (is on a CRL)"
2586
Andres AG52142f12016-12-07 10:01:30 +0000[diff] [blame]2587# Tests for SNI and DTLS
2588
Andres Amaya Garcia0b8eaa82018-05-01 20:27:37 +0100[diff] [blame]2589run_test "SNI: DTLS, no SNI callback" \
2590 "$P_SRV debug_level=3 dtls=1 \
2591 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
2592 "$P_CLI server_name=localhost dtls=1" \
2593 0 \
2594 -S "parse ServerName extension" \
2595 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2596 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2597
Andres Amaya Garcia021ad3d2018-05-01 20:26:47 +0100[diff] [blame]2598run_test "SNI: DTLS, matching cert 1" \
Andres AG52142f12016-12-07 10:01:30 +0000[diff] [blame]2599 "$P_SRV debug_level=3 dtls=1 \
2600 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2601 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2602 "$P_CLI server_name=localhost dtls=1" \
2603 0 \
2604 -s "parse ServerName extension" \
2605 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2606 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2607
Andres Amaya Garcia0b8eaa82018-05-01 20:27:37 +0100[diff] [blame]2608run_test "SNI: DTLS, matching cert 2" \
2609 "$P_SRV debug_level=3 dtls=1 \
2610 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2611 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2612 "$P_CLI server_name=polarssl.example dtls=1" \
2613 0 \
2614 -s "parse ServerName extension" \
2615 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2616 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
2617
2618run_test "SNI: DTLS, no matching cert" \
2619 "$P_SRV debug_level=3 dtls=1 \
2620 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2621 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2622 "$P_CLI server_name=nonesuch.example dtls=1" \
2623 1 \
2624 -s "parse ServerName extension" \
2625 -s "ssl_sni_wrapper() returned" \
2626 -s "mbedtls_ssl_handshake returned" \
2627 -c "mbedtls_ssl_handshake returned" \
2628 -c "SSL - A fatal alert message was received from our peer"
2629
2630run_test "SNI: DTLS, client auth no override: optional" \
2631 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2632 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2633 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2634 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2635 0 \
2636 -S "skip write certificate request" \
2637 -C "skip parse certificate request" \
2638 -c "got a certificate request" \
2639 -C "skip write certificate" \
2640 -C "skip write certificate verify" \
2641 -S "skip parse certificate verify"
2642
2643run_test "SNI: DTLS, client auth override: none -> optional" \
2644 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
2645 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2646 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2647 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2648 0 \
2649 -S "skip write certificate request" \
2650 -C "skip parse certificate request" \
2651 -c "got a certificate request" \
2652 -C "skip write certificate" \
2653 -C "skip write certificate verify" \
2654 -S "skip parse certificate verify"
2655
2656run_test "SNI: DTLS, client auth override: optional -> none" \
2657 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2658 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2659 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2660 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2661 0 \
2662 -s "skip write certificate request" \
2663 -C "skip parse certificate request" \
2664 -c "got no certificate request" \
2665 -c "skip write certificate" \
2666 -c "skip write certificate verify" \
2667 -s "skip parse certificate verify"
2668
Simon Butcher12826df2018-06-16 19:46:52 +0100[diff] [blame]2669needs_more_time 4
Andres Amaya Garcia0b8eaa82018-05-01 20:27:37 +0100[diff] [blame]2670run_test "SNI: DTLS, CA no override" \
2671 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2672 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2673 ca_file=data_files/test-ca.crt \
2674 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2675 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2676 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2677 1 \
2678 -S "skip write certificate request" \
2679 -C "skip parse certificate request" \
2680 -c "got a certificate request" \
2681 -C "skip write certificate" \
2682 -C "skip write certificate verify" \
2683 -S "skip parse certificate verify" \
2684 -s "x509_verify_cert() returned" \
2685 -s "! The certificate is not correctly signed by the trusted CA" \
2686 -S "The certificate has been revoked (is on a CRL)"
2687
Andres Amaya Garcia021ad3d2018-05-01 20:26:47 +0100[diff] [blame]2688run_test "SNI: DTLS, CA override" \
Andres AG52142f12016-12-07 10:01:30 +0000[diff] [blame]2689 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2690 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2691 ca_file=data_files/test-ca.crt \
2692 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2693 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2694 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2695 0 \
2696 -S "skip write certificate request" \
2697 -C "skip parse certificate request" \
2698 -c "got a certificate request" \
2699 -C "skip write certificate" \
2700 -C "skip write certificate verify" \
2701 -S "skip parse certificate verify" \
2702 -S "x509_verify_cert() returned" \
2703 -S "! The certificate is not correctly signed by the trusted CA" \
2704 -S "The certificate has been revoked (is on a CRL)"
2705
Simon Butcher12826df2018-06-16 19:46:52 +0100[diff] [blame]2706needs_more_time 4
Andres Amaya Garcia021ad3d2018-05-01 20:26:47 +0100[diff] [blame]2707run_test "SNI: DTLS, CA override with CRL" \
Andres AG52142f12016-12-07 10:01:30 +0000[diff] [blame]2708 "$P_SRV debug_level=3 auth_mode=optional \
2709 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
2710 ca_file=data_files/test-ca.crt \
2711 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2712 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2713 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2714 1 \
2715 -S "skip write certificate request" \
2716 -C "skip parse certificate request" \
2717 -c "got a certificate request" \
2718 -C "skip write certificate" \
2719 -C "skip write certificate verify" \
2720 -S "skip parse certificate verify" \
2721 -s "x509_verify_cert() returned" \
2722 -S "! The certificate is not correctly signed by the trusted CA" \
2723 -s "The certificate has been revoked (is on a CRL)"
2724
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2725# Tests for non-blocking I/O: exercise a variety of handshake flows
2726
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2727run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2728 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2729 "$P_CLI nbio=2 tickets=0" \
2730 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2731 -S "mbedtls_ssl_handshake returned" \
2732 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2733 -c "Read from server: .* bytes read"
2734
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2735run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2736 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2737 "$P_CLI nbio=2 tickets=0" \
2738 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2739 -S "mbedtls_ssl_handshake returned" \
2740 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2741 -c "Read from server: .* bytes read"
2742
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2743run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2744 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2745 "$P_CLI nbio=2 tickets=1" \
2746 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2747 -S "mbedtls_ssl_handshake returned" \
2748 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2749 -c "Read from server: .* bytes read"
2750
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2751run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2752 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2753 "$P_CLI nbio=2 tickets=1" \
2754 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2755 -S "mbedtls_ssl_handshake returned" \
2756 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2757 -c "Read from server: .* bytes read"
2758
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2759run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2760 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2761 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2762 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2763 -S "mbedtls_ssl_handshake returned" \
2764 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2765 -c "Read from server: .* bytes read"
2766
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2767run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2768 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2769 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2770 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2771 -S "mbedtls_ssl_handshake returned" \
2772 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2773 -c "Read from server: .* bytes read"
2774
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2775run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2776 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2777 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2778 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2779 -S "mbedtls_ssl_handshake returned" \
2780 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2781 -c "Read from server: .* bytes read"
2782
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2783# Tests for version negotiation
2784
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2785run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2786 "$P_SRV" \
2787 "$P_CLI" \
2788 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2789 -S "mbedtls_ssl_handshake returned" \
2790 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2791 -s "Protocol is TLSv1.2" \
2792 -c "Protocol is TLSv1.2"
2793
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2794run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2795 "$P_SRV" \
2796 "$P_CLI max_version=tls1_1" \
2797 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2798 -S "mbedtls_ssl_handshake returned" \
2799 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2800 -s "Protocol is TLSv1.1" \
2801 -c "Protocol is TLSv1.1"
2802
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2803run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2804 "$P_SRV max_version=tls1_1" \
2805 "$P_CLI" \
2806 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2807 -S "mbedtls_ssl_handshake returned" \
2808 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2809 -s "Protocol is TLSv1.1" \
2810 -c "Protocol is TLSv1.1"
2811
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2812run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2813 "$P_SRV max_version=tls1_1" \
2814 "$P_CLI max_version=tls1_1" \
2815 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2816 -S "mbedtls_ssl_handshake returned" \
2817 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2818 -s "Protocol is TLSv1.1" \
2819 -c "Protocol is TLSv1.1"
2820
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2821run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2822 "$P_SRV min_version=tls1_1" \
2823 "$P_CLI max_version=tls1_1" \
2824 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2825 -S "mbedtls_ssl_handshake returned" \
2826 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2827 -s "Protocol is TLSv1.1" \
2828 -c "Protocol is TLSv1.1"
2829
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2830run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2831 "$P_SRV max_version=tls1_1" \
2832 "$P_CLI min_version=tls1_1" \
2833 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2834 -S "mbedtls_ssl_handshake returned" \
2835 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2836 -s "Protocol is TLSv1.1" \
2837 -c "Protocol is TLSv1.1"
2838
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2839run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2840 "$P_SRV max_version=tls1_1" \
2841 "$P_CLI min_version=tls1_2" \
2842 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2843 -s "mbedtls_ssl_handshake returned" \
2844 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2845 -c "SSL - Handshake protocol not within min/max boundaries"
2846
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2847run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2848 "$P_SRV min_version=tls1_2" \
2849 "$P_CLI max_version=tls1_1" \
2850 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2851 -s "mbedtls_ssl_handshake returned" \
2852 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2853 -s "SSL - Handshake protocol not within min/max boundaries"
2854
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2855# Tests for ALPN extension
2856
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2857run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2858 "$P_SRV debug_level=3" \
2859 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2860 0 \
2861 -C "client hello, adding alpn extension" \
2862 -S "found alpn extension" \
2863 -C "got an alert message, type: \\[2:120]" \
2864 -S "server hello, adding alpn extension" \
2865 -C "found alpn extension " \
2866 -C "Application Layer Protocol is" \
2867 -S "Application Layer Protocol is"
2868
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2869run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2870 "$P_SRV debug_level=3" \
2871 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2872 0 \
2873 -c "client hello, adding alpn extension" \
2874 -s "found alpn extension" \
2875 -C "got an alert message, type: \\[2:120]" \
2876 -S "server hello, adding alpn extension" \
2877 -C "found alpn extension " \
2878 -c "Application Layer Protocol is (none)" \
2879 -S "Application Layer Protocol is"
2880
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2881run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2882 "$P_SRV debug_level=3 alpn=abc,1234" \
2883 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2884 0 \
2885 -C "client hello, adding alpn extension" \
2886 -S "found alpn extension" \
2887 -C "got an alert message, type: \\[2:120]" \
2888 -S "server hello, adding alpn extension" \
2889 -C "found alpn extension " \
2890 -C "Application Layer Protocol is" \
2891 -s "Application Layer Protocol is (none)"
2892
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2893run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2894 "$P_SRV debug_level=3 alpn=abc,1234" \
2895 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2896 0 \
2897 -c "client hello, adding alpn extension" \
2898 -s "found alpn extension" \
2899 -C "got an alert message, type: \\[2:120]" \
2900 -s "server hello, adding alpn extension" \
2901 -c "found alpn extension" \
2902 -c "Application Layer Protocol is abc" \
2903 -s "Application Layer Protocol is abc"
2904
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2905run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2906 "$P_SRV debug_level=3 alpn=abc,1234" \
2907 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2908 0 \
2909 -c "client hello, adding alpn extension" \
2910 -s "found alpn extension" \
2911 -C "got an alert message, type: \\[2:120]" \
2912 -s "server hello, adding alpn extension" \
2913 -c "found alpn extension" \
2914 -c "Application Layer Protocol is abc" \
2915 -s "Application Layer Protocol is abc"
2916
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2917run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2918 "$P_SRV debug_level=3 alpn=abc,1234" \
2919 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2920 0 \
2921 -c "client hello, adding alpn extension" \
2922 -s "found alpn extension" \
2923 -C "got an alert message, type: \\[2:120]" \
2924 -s "server hello, adding alpn extension" \
2925 -c "found alpn extension" \
2926 -c "Application Layer Protocol is 1234" \
2927 -s "Application Layer Protocol is 1234"
2928
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2929run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2930 "$P_SRV debug_level=3 alpn=abc,123" \
2931 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2932 1 \
2933 -c "client hello, adding alpn extension" \
2934 -s "found alpn extension" \
2935 -c "got an alert message, type: \\[2:120]" \
2936 -S "server hello, adding alpn extension" \
2937 -C "found alpn extension" \
2938 -C "Application Layer Protocol is 1234" \
2939 -S "Application Layer Protocol is 1234"
2940
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2941
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2942# Tests for keyUsage in leaf certificates, part 1:
2943# server-side certificate/suite selection
2944
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2945run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2946 "$P_SRV key_file=data_files/server2.key \
2947 crt_file=data_files/server2.ku-ds.crt" \
2948 "$P_CLI" \
2949 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2950 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2951
2952
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2953run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2954 "$P_SRV key_file=data_files/server2.key \
2955 crt_file=data_files/server2.ku-ke.crt" \
2956 "$P_CLI" \
2957 0 \
2958 -c "Ciphersuite is TLS-RSA-WITH-"
2959
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2960run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2961 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2962 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2963 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2964 1 \
2965 -C "Ciphersuite is "
2966
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2967run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2968 "$P_SRV key_file=data_files/server5.key \
2969 crt_file=data_files/server5.ku-ds.crt" \
2970 "$P_CLI" \
2971 0 \
2972 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2973
2974
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2975run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2976 "$P_SRV key_file=data_files/server5.key \
2977 crt_file=data_files/server5.ku-ka.crt" \
2978 "$P_CLI" \
2979 0 \
2980 -c "Ciphersuite is TLS-ECDH-"
2981
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2982run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2983 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2984 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2985 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2986 1 \
2987 -C "Ciphersuite is "
2988
2989# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2990# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2991
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2992run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2993 "$O_SRV -key data_files/server2.key \
2994 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2995 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2996 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2997 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2998 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2999 -C "Processing of the Certificate handshake message failed" \
3000 -c "Ciphersuite is TLS-"
3001
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3002run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3003 "$O_SRV -key data_files/server2.key \
3004 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3005 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3006 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3007 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3008 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3009 -C "Processing of the Certificate handshake message failed" \
3010 -c "Ciphersuite is TLS-"
3011
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3012run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3013 "$O_SRV -key data_files/server2.key \
3014 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3015 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3016 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3017 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3018 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3019 -C "Processing of the Certificate handshake message failed" \
3020 -c "Ciphersuite is TLS-"
3021
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3022run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3023 "$O_SRV -key data_files/server2.key \
3024 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3025 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3026 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3027 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3028 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3029 -c "Processing of the Certificate handshake message failed" \
3030 -C "Ciphersuite is TLS-"
3031
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3032run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
3033 "$O_SRV -key data_files/server2.key \
3034 -cert data_files/server2.ku-ke.crt" \
3035 "$P_CLI debug_level=1 auth_mode=optional \
3036 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3037 0 \
3038 -c "bad certificate (usage extensions)" \
3039 -C "Processing of the Certificate handshake message failed" \
3040 -c "Ciphersuite is TLS-" \
3041 -c "! Usage does not match the keyUsage extension"
3042
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3043run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3044 "$O_SRV -key data_files/server2.key \
3045 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3046 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3047 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3048 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3049 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3050 -C "Processing of the Certificate handshake message failed" \
3051 -c "Ciphersuite is TLS-"
3052
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3053run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3054 "$O_SRV -key data_files/server2.key \
3055 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3056 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3057 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3058 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3059 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3060 -c "Processing of the Certificate handshake message failed" \
3061 -C "Ciphersuite is TLS-"
3062
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3063run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
3064 "$O_SRV -key data_files/server2.key \
3065 -cert data_files/server2.ku-ds.crt" \
3066 "$P_CLI debug_level=1 auth_mode=optional \
3067 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3068 0 \
3069 -c "bad certificate (usage extensions)" \
3070 -C "Processing of the Certificate handshake message failed" \
3071 -c "Ciphersuite is TLS-" \
3072 -c "! Usage does not match the keyUsage extension"
3073
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3074# Tests for keyUsage in leaf certificates, part 3:
3075# server-side checking of client cert
3076
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3077run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3078 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3079 "$O_CLI -key data_files/server2.key \
3080 -cert data_files/server2.ku-ds.crt" \
3081 0 \
3082 -S "bad certificate (usage extensions)" \
3083 -S "Processing of the Certificate handshake message failed"
3084
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3085run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3086 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3087 "$O_CLI -key data_files/server2.key \
3088 -cert data_files/server2.ku-ke.crt" \
3089 0 \
3090 -s "bad certificate (usage extensions)" \
3091 -S "Processing of the Certificate handshake message failed"
3092
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3093run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3094 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3095 "$O_CLI -key data_files/server2.key \
3096 -cert data_files/server2.ku-ke.crt" \
3097 1 \
3098 -s "bad certificate (usage extensions)" \
3099 -s "Processing of the Certificate handshake message failed"
3100
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3101run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3102 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3103 "$O_CLI -key data_files/server5.key \
3104 -cert data_files/server5.ku-ds.crt" \
3105 0 \
3106 -S "bad certificate (usage extensions)" \
3107 -S "Processing of the Certificate handshake message failed"
3108
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3109run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3110 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3111 "$O_CLI -key data_files/server5.key \
3112 -cert data_files/server5.ku-ka.crt" \
3113 0 \
3114 -s "bad certificate (usage extensions)" \
3115 -S "Processing of the Certificate handshake message failed"
3116
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3117# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
3118
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3119run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3120 "$P_SRV key_file=data_files/server5.key \
3121 crt_file=data_files/server5.eku-srv.crt" \
3122 "$P_CLI" \
3123 0
3124
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3125run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3126 "$P_SRV key_file=data_files/server5.key \
3127 crt_file=data_files/server5.eku-srv.crt" \
3128 "$P_CLI" \
3129 0
3130
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3131run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3132 "$P_SRV key_file=data_files/server5.key \
3133 crt_file=data_files/server5.eku-cs_any.crt" \
3134 "$P_CLI" \
3135 0
3136
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3137run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3138 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3139 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3140 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3141 1
3142
3143# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3144
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3145run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3146 "$O_SRV -key data_files/server5.key \
3147 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3148 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3149 0 \
3150 -C "bad certificate (usage extensions)" \
3151 -C "Processing of the Certificate handshake message failed" \
3152 -c "Ciphersuite is TLS-"
3153
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3154run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3155 "$O_SRV -key data_files/server5.key \
3156 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3157 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3158 0 \
3159 -C "bad certificate (usage extensions)" \
3160 -C "Processing of the Certificate handshake message failed" \
3161 -c "Ciphersuite is TLS-"
3162
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3163run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3164 "$O_SRV -key data_files/server5.key \
3165 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3166 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3167 0 \
3168 -C "bad certificate (usage extensions)" \
3169 -C "Processing of the Certificate handshake message failed" \
3170 -c "Ciphersuite is TLS-"
3171
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3172run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3173 "$O_SRV -key data_files/server5.key \
3174 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3175 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3176 1 \
3177 -c "bad certificate (usage extensions)" \
3178 -c "Processing of the Certificate handshake message failed" \
3179 -C "Ciphersuite is TLS-"
3180
3181# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3182
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3183run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3184 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3185 "$O_CLI -key data_files/server5.key \
3186 -cert data_files/server5.eku-cli.crt" \
3187 0 \
3188 -S "bad certificate (usage extensions)" \
3189 -S "Processing of the Certificate handshake message failed"
3190
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3191run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3192 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3193 "$O_CLI -key data_files/server5.key \
3194 -cert data_files/server5.eku-srv_cli.crt" \
3195 0 \
3196 -S "bad certificate (usage extensions)" \
3197 -S "Processing of the Certificate handshake message failed"
3198
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3199run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3200 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3201 "$O_CLI -key data_files/server5.key \
3202 -cert data_files/server5.eku-cs_any.crt" \
3203 0 \
3204 -S "bad certificate (usage extensions)" \
3205 -S "Processing of the Certificate handshake message failed"
3206
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3207run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3208 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3209 "$O_CLI -key data_files/server5.key \
3210 -cert data_files/server5.eku-cs.crt" \
3211 0 \
3212 -s "bad certificate (usage extensions)" \
3213 -S "Processing of the Certificate handshake message failed"
3214
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3215run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3216 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3217 "$O_CLI -key data_files/server5.key \
3218 -cert data_files/server5.eku-cs.crt" \
3219 1 \
3220 -s "bad certificate (usage extensions)" \
3221 -s "Processing of the Certificate handshake message failed"
3222
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3223# Tests for DHM parameters loading
3224
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3225run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3226 "$P_SRV" \
3227 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3228 debug_level=3" \
3229 0 \
3230 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker80e0d462017-10-13 16:51:54 +0100[diff] [blame]3231 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3232
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3233run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3234 "$P_SRV dhm_file=data_files/dhparams.pem" \
3235 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3236 debug_level=3" \
3237 0 \
3238 -c "value of 'DHM: P ' (1024 bits)" \
3239 -c "value of 'DHM: G ' (2 bits)"
3240
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]3241# Tests for DHM client-side size checking
3242
3243run_test "DHM size: server default, client default, OK" \
3244 "$P_SRV" \
3245 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3246 debug_level=1" \
3247 0 \
3248 -C "DHM prime too short:"
3249
3250run_test "DHM size: server default, client 2048, OK" \
3251 "$P_SRV" \
3252 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3253 debug_level=1 dhmlen=2048" \
3254 0 \
3255 -C "DHM prime too short:"
3256
3257run_test "DHM size: server 1024, client default, OK" \
3258 "$P_SRV dhm_file=data_files/dhparams.pem" \
3259 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3260 debug_level=1" \
3261 0 \
3262 -C "DHM prime too short:"
3263
3264run_test "DHM size: server 1000, client default, rejected" \
3265 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3266 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3267 debug_level=1" \
3268 1 \
3269 -c "DHM prime too short:"
3270
3271run_test "DHM size: server default, client 2049, rejected" \
3272 "$P_SRV" \
3273 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3274 debug_level=1 dhmlen=2049" \
3275 1 \
3276 -c "DHM prime too short:"
3277
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3278# Tests for PSK callback
3279
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3280run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3281 "$P_SRV psk=abc123 psk_identity=foo" \
3282 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3283 psk_identity=foo psk=abc123" \
3284 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3285 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3286 -S "SSL - Unknown identity received" \
3287 -S "SSL - Verification of the message MAC failed"
3288
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3289run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3290 "$P_SRV" \
3291 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3292 psk_identity=foo psk=abc123" \
3293 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3294 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3295 -S "SSL - Unknown identity received" \
3296 -S "SSL - Verification of the message MAC failed"
3297
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3298run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3299 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3300 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3301 psk_identity=foo psk=abc123" \
3302 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3303 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3304 -s "SSL - Unknown identity received" \
3305 -S "SSL - Verification of the message MAC failed"
3306
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3307run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3308 "$P_SRV psk_list=abc,dead,def,beef" \
3309 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3310 psk_identity=abc psk=dead" \
3311 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3312 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3313 -S "SSL - Unknown identity received" \
3314 -S "SSL - Verification of the message MAC failed"
3315
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3316run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3317 "$P_SRV psk_list=abc,dead,def,beef" \
3318 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3319 psk_identity=def psk=beef" \
3320 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3321 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3322 -S "SSL - Unknown identity received" \
3323 -S "SSL - Verification of the message MAC failed"
3324
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3325run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3326 "$P_SRV psk_list=abc,dead,def,beef" \
3327 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3328 psk_identity=ghi psk=beef" \
3329 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3330 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3331 -s "SSL - Unknown identity received" \
3332 -S "SSL - Verification of the message MAC failed"
3333
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3334run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3335 "$P_SRV psk_list=abc,dead,def,beef" \
3336 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3337 psk_identity=abc psk=beef" \
3338 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3339 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3340 -S "SSL - Unknown identity received" \
3341 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3342
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3343# Tests for ciphersuites per version
3344
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3345requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3346run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3347 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3348 "$P_CLI force_version=ssl3" \
3349 0 \
3350 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3351
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3352run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3353 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3354 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3355 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3356 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3357
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3358run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3359 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3360 "$P_CLI force_version=tls1_1" \
3361 0 \
3362 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3363
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3364run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3365 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3366 "$P_CLI force_version=tls1_2" \
3367 0 \
3368 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3369
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3370# Test for ClientHello without extensions
3371
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3372requires_gnutls
Gilles Peskine7344e1b2017-05-12 13:16:40 +0200[diff] [blame]3373run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3374 "$P_SRV debug_level=3" \
3375 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3376 0 \
3377 -s "dumping 'client hello extensions' (0 bytes)"
3378
Gilles Peskine7344e1b2017-05-12 13:16:40 +0200[diff] [blame]3379requires_gnutls
3380run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3381 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3382 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3383 0 \
3384 -s "dumping 'client hello extensions' (0 bytes)"
3385
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3386# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3387
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3388run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3389 "$P_SRV" \
3390 "$P_CLI request_size=100" \
3391 0 \
3392 -s "Read from client: 100 bytes read$"
3393
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3394run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3395 "$P_SRV" \
3396 "$P_CLI request_size=500" \
3397 0 \
3398 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3399
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3400# Tests for small packets
3401
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3402requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3403run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3404 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3405 "$P_CLI request_size=1 force_version=ssl3 \
3406 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3407 0 \
3408 -s "Read from client: 1 bytes read"
3409
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3410requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3411run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3412 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3413 "$P_CLI request_size=1 force_version=ssl3 \
3414 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3415 0 \
3416 -s "Read from client: 1 bytes read"
3417
3418run_test "Small packet TLS 1.0 BlockCipher" \
3419 "$P_SRV" \
3420 "$P_CLI request_size=1 force_version=tls1 \
3421 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3422 0 \
3423 -s "Read from client: 1 bytes read"
3424
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3425run_test "Small packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3426 "$P_SRV" \
3427 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3428 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3429 0 \
3430 -s "Read from client: 1 bytes read"
3431
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3432requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3433run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3434 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3435 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3436 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3437 0 \
3438 -s "Read from client: 1 bytes read"
3439
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3440requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3441run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3442 "$P_SRV trunc_hmac=1" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3443 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3444 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3445 0 \
3446 -s "Read from client: 1 bytes read"
3447
3448run_test "Small packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3449 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3450 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3451 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3452 0 \
3453 -s "Read from client: 1 bytes read"
3454
3455run_test "Small packet TLS 1.0 StreamCipher, without EtM" \
3456 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3457 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3458 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3459 0 \
3460 -s "Read from client: 1 bytes read"
3461
3462requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3463run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3464 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3465 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3466 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3467 0 \
3468 -s "Read from client: 1 bytes read"
3469
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3470requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3471run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3472 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
3473 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3474 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3475 0 \
3476 -s "Read from client: 1 bytes read"
3477
3478run_test "Small packet TLS 1.1 BlockCipher" \
3479 "$P_SRV" \
3480 "$P_CLI request_size=1 force_version=tls1_1 \
3481 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3482 0 \
3483 -s "Read from client: 1 bytes read"
3484
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3485run_test "Small packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3486 "$P_SRV" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3487 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3488 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3489 0 \
3490 -s "Read from client: 1 bytes read"
3491
3492requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3493run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3494 "$P_SRV trunc_hmac=1" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3495 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3496 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3497 0 \
3498 -s "Read from client: 1 bytes read"
3499
3500requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3501run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3502 "$P_SRV trunc_hmac=1" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3503 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3504 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3505 0 \
3506 -s "Read from client: 1 bytes read"
3507
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3508run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3509 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3510 "$P_CLI request_size=1 force_version=tls1_1 \
3511 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3512 0 \
3513 -s "Read from client: 1 bytes read"
3514
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3515run_test "Small packet TLS 1.1 StreamCipher, without EtM" \
3516 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3517 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3518 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3519 0 \
3520 -s "Read from client: 1 bytes read"
3521
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3522requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3523run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3524 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3525 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3526 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3527 0 \
3528 -s "Read from client: 1 bytes read"
3529
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3530requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3531run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3532 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3533 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3534 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3535 0 \
3536 -s "Read from client: 1 bytes read"
3537
3538run_test "Small packet TLS 1.2 BlockCipher" \
3539 "$P_SRV" \
3540 "$P_CLI request_size=1 force_version=tls1_2 \
3541 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3542 0 \
3543 -s "Read from client: 1 bytes read"
3544
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3545run_test "Small packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3546 "$P_SRV" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3547 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3548 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3549 0 \
3550 -s "Read from client: 1 bytes read"
3551
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3552run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3553 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3554 "$P_CLI request_size=1 force_version=tls1_2 \
3555 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3556 0 \
3557 -s "Read from client: 1 bytes read"
3558
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3559requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3560run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3561 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3562 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3563 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3564 0 \
3565 -s "Read from client: 1 bytes read"
3566
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3567requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3568run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3569 "$P_SRV trunc_hmac=1" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3570 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3571 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3572 0 \
3573 -s "Read from client: 1 bytes read"
3574
3575run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3576 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3577 "$P_CLI request_size=1 force_version=tls1_2 \
3578 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3579 0 \
3580 -s "Read from client: 1 bytes read"
3581
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3582run_test "Small packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3583 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3584 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3585 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3586 0 \
3587 -s "Read from client: 1 bytes read"
3588
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3589requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3590run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3591 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3592 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3593 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3594 0 \
3595 -s "Read from client: 1 bytes read"
3596
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3597requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3598run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3599 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3600 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3601 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3602 0 \
3603 -s "Read from client: 1 bytes read"
3604
3605run_test "Small packet TLS 1.2 AEAD" \
3606 "$P_SRV" \
3607 "$P_CLI request_size=1 force_version=tls1_2 \
3608 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3609 0 \
3610 -s "Read from client: 1 bytes read"
3611
3612run_test "Small packet TLS 1.2 AEAD shorter tag" \
3613 "$P_SRV" \
3614 "$P_CLI request_size=1 force_version=tls1_2 \
3615 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3616 0 \
3617 -s "Read from client: 1 bytes read"
3618
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3619# Tests for small packets in DTLS
3620
3621requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3622run_test "Small packet DTLS 1.0" \
3623 "$P_SRV dtls=1 force_version=dtls1" \
3624 "$P_CLI dtls=1 request_size=1 \
3625 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3626 0 \
3627 -s "Read from client: 1 bytes read"
3628
3629requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3630run_test "Small packet DTLS 1.0, without EtM" \
3631 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
3632 "$P_CLI dtls=1 request_size=1 \
3633 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3634 0 \
3635 -s "Read from client: 1 bytes read"
3636
3637requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3638requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3639run_test "Small packet DTLS 1.0, truncated hmac" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3640 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
3641 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3642 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3643 0 \
3644 -s "Read from client: 1 bytes read"
3645
3646requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3647requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3648run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3649 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3650 "$P_CLI dtls=1 request_size=1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3651 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3652 0 \
3653 -s "Read from client: 1 bytes read"
3654
3655requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3656run_test "Small packet DTLS 1.2" \
3657 "$P_SRV dtls=1 force_version=dtls1_2" \
3658 "$P_CLI dtls=1 request_size=1 \
3659 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3660 0 \
3661 -s "Read from client: 1 bytes read"
3662
3663requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3664run_test "Small packet DTLS 1.2, without EtM" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3665 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3666 "$P_CLI dtls=1 request_size=1 \
3667 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3668 0 \
3669 -s "Read from client: 1 bytes read"
3670
3671requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3672requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3673run_test "Small packet DTLS 1.2, truncated hmac" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3674 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3675 "$P_CLI dtls=1 request_size=1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3676 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3677 0 \
3678 -s "Read from client: 1 bytes read"
3679
3680requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3681requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3682run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3683 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3684 "$P_CLI dtls=1 request_size=1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3685 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3686 0 \
3687 -s "Read from client: 1 bytes read"
3688
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]3689# A test for extensions in SSLv3
3690
3691requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3692run_test "SSLv3 with extensions, server side" \
3693 "$P_SRV min_version=ssl3 debug_level=3" \
3694 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3695 0 \
3696 -S "dumping 'client hello extensions'" \
3697 -S "server hello, total extension length:"
3698
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3699# Test for large packets
3700
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3701requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3702run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3703 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3704 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3705 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3706 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3707 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3708 -s "Read from client: 16384 bytes read"
3709
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3710requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3711run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3712 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3713 "$P_CLI request_size=16384 force_version=ssl3 \
3714 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3715 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3716 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3717 -s "Read from client: 16384 bytes read"
3718
3719run_test "Large packet TLS 1.0 BlockCipher" \
3720 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3721 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3722 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3723 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3724 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3725 -s "Read from client: 16384 bytes read"
3726
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3727run_test "Large packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3728 "$P_SRV" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3729 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
3730 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3731 0 \
3732 -s "Read from client: 16384 bytes read"
3733
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3734requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3735run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3736 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3737 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3738 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3739 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3740 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3741 -s "Read from client: 16384 bytes read"
3742
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3743requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3744run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3745 "$P_SRV trunc_hmac=1" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3746 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3747 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3748 0 \
3749 -s "Read from client: 16384 bytes read"
3750
3751run_test "Large packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3752 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3753 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3754 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3755 0 \
3756 -s "Read from client: 16384 bytes read"
3757
3758run_test "Large packet TLS 1.0 StreamCipher, without EtM" \
3759 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3760 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3761 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3762 0 \
3763 -s "Read from client: 16384 bytes read"
3764
3765requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3766run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3767 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3768 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3769 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3770 0 \
3771 -s "Read from client: 16384 bytes read"
3772
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3773requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3774run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3775 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3776 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3777 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3778 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3779 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3780 -s "Read from client: 16384 bytes read"
3781
3782run_test "Large packet TLS 1.1 BlockCipher" \
3783 "$P_SRV" \
3784 "$P_CLI request_size=16384 force_version=tls1_1 \
3785 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3786 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3787 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3788 -s "Read from client: 16384 bytes read"
3789
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3790run_test "Large packet TLS 1.1 BlockCipher, without EtM" \
3791 "$P_SRV" \
3792 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
3793 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3794 0 \
3795 -s "Read from client: 16384 bytes read"
3796
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3797requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3798run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3799 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3800 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3801 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3802 0 \
3803 -s "Read from client: 16384 bytes read"
3804
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3805requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3806run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3807 "$P_SRV trunc_hmac=1" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3808 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3809 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3810 0 \
3811 -s "Read from client: 16384 bytes read"
3812
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3813run_test "Large packet TLS 1.1 StreamCipher" \
3814 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3815 "$P_CLI request_size=16384 force_version=tls1_1 \
3816 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3817 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3818 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3819 -s "Read from client: 16384 bytes read"
3820
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3821run_test "Large packet TLS 1.1 StreamCipher, without EtM" \
3822 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3823 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3824 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3825 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3826 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3827 -s "Read from client: 16384 bytes read"
3828
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3829requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3830run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3831 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3832 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3833 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3834 0 \
3835 -s "Read from client: 16384 bytes read"
3836
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3837requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3838run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3839 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3840 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3841 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3842 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3843 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3844 -s "Read from client: 16384 bytes read"
3845
3846run_test "Large packet TLS 1.2 BlockCipher" \
3847 "$P_SRV" \
3848 "$P_CLI request_size=16384 force_version=tls1_2 \
3849 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3850 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3851 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3852 -s "Read from client: 16384 bytes read"
3853
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3854run_test "Large packet TLS 1.2 BlockCipher, without EtM" \
3855 "$P_SRV" \
3856 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
3857 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3858 0 \
3859 -s "Read from client: 16384 bytes read"
3860
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3861run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3862 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3863 "$P_CLI request_size=16384 force_version=tls1_2 \
3864 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3865 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3866 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3867 -s "Read from client: 16384 bytes read"
3868
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3869requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3870run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3871 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3872 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3873 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3874 0 \
3875 -s "Read from client: 16384 bytes read"
3876
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3877requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3878run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3879 "$P_SRV trunc_hmac=1" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3880 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3881 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3882 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3883 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3884 -s "Read from client: 16384 bytes read"
3885
3886run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3887 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3888 "$P_CLI request_size=16384 force_version=tls1_2 \
3889 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3890 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3891 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3892 -s "Read from client: 16384 bytes read"
3893
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3894run_test "Large packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3895 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3896 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3897 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
3898 0 \
3899 -s "Read from client: 16384 bytes read"
3900
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3901requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3902run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3903 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3904 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3905 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3906 0 \
3907 -s "Read from client: 16384 bytes read"
3908
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3909requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3910run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3911 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3912 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker8e75b6c2017-11-21 17:10:12 +0000[diff] [blame]3913 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3914 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3915 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3916 -s "Read from client: 16384 bytes read"
3917
3918run_test "Large packet TLS 1.2 AEAD" \
3919 "$P_SRV" \
3920 "$P_CLI request_size=16384 force_version=tls1_2 \
3921 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3922 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3923 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3924 -s "Read from client: 16384 bytes read"
3925
3926run_test "Large packet TLS 1.2 AEAD shorter tag" \
3927 "$P_SRV" \
3928 "$P_CLI request_size=16384 force_version=tls1_2 \
3929 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3930 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3931 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3932 -s "Read from client: 16384 bytes read"
3933
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3934# Tests for ECC extensions (rfc 4492)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3935
Ron Eldor2eee2e62018-06-28 16:17:00 +0300[diff] [blame]3936requires_config_enabled MBEDTLS_AES_C
3937requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
3938requires_config_enabled MBEDTLS_SHA256_C
3939requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3940run_test "Force a non ECC ciphersuite in the client side" \
3941 "$P_SRV debug_level=3" \
Ron Eldor2eee2e62018-06-28 16:17:00 +0300[diff] [blame]3942 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3943 0 \
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3944 -C "client hello, adding supported_elliptic_curves extension" \
3945 -C "client hello, adding supported_point_formats extension" \
3946 -S "found supported elliptic curves extension" \
3947 -S "found supported point formats extension"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3948
Ron Eldor2eee2e62018-06-28 16:17:00 +0300[diff] [blame]3949requires_config_enabled MBEDTLS_AES_C
3950requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
3951requires_config_enabled MBEDTLS_SHA256_C
3952requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3953run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor2eee2e62018-06-28 16:17:00 +0300[diff] [blame]3954 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3955 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3956 0 \
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3957 -C "found supported_point_formats extension" \
3958 -S "server hello, supported_point_formats extension"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3959
Ron Eldor2eee2e62018-06-28 16:17:00 +0300[diff] [blame]3960requires_config_enabled MBEDTLS_AES_C
3961requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
3962requires_config_enabled MBEDTLS_SHA256_C
3963requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3964run_test "Force an ECC ciphersuite in the client side" \
3965 "$P_SRV debug_level=3" \
3966 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3967 0 \
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3968 -c "client hello, adding supported_elliptic_curves extension" \
3969 -c "client hello, adding supported_point_formats extension" \
3970 -s "found supported elliptic curves extension" \
3971 -s "found supported point formats extension"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3972
Ron Eldor2eee2e62018-06-28 16:17:00 +0300[diff] [blame]3973requires_config_enabled MBEDTLS_AES_C
3974requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
3975requires_config_enabled MBEDTLS_SHA256_C
3976requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3977run_test "Force an ECC ciphersuite in the server side" \
3978 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
3979 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3980 0 \
Ron Eldorb27a1ab2018-06-28 13:22:05 +0300[diff] [blame]3981 -c "found supported_point_formats extension" \
3982 -s "server hello, supported_point_formats extension"
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3983
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]3984# Tests for DTLS HelloVerifyRequest
3985
3986run_test "DTLS cookie: enabled" \
3987 "$P_SRV dtls=1 debug_level=2" \
3988 "$P_CLI dtls=1 debug_level=2" \
3989 0 \
3990 -s "cookie verification failed" \
3991 -s "cookie verification passed" \
3992 -S "cookie verification skipped" \
3993 -c "received hello verify request" \
3994 -s "hello verification requested" \
3995 -S "SSL - The requested feature is not available"
3996
3997run_test "DTLS cookie: disabled" \
3998 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3999 "$P_CLI dtls=1 debug_level=2" \
4000 0 \
4001 -S "cookie verification failed" \
4002 -S "cookie verification passed" \
4003 -s "cookie verification skipped" \
4004 -C "received hello verify request" \
4005 -S "hello verification requested" \
4006 -S "SSL - The requested feature is not available"
4007
4008run_test "DTLS cookie: default (failing)" \
4009 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4010 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4011 1 \
4012 -s "cookie verification failed" \
4013 -S "cookie verification passed" \
4014 -S "cookie verification skipped" \
4015 -C "received hello verify request" \
4016 -S "hello verification requested" \
4017 -s "SSL - The requested feature is not available"
4018
4019requires_ipv6
4020run_test "DTLS cookie: enabled, IPv6" \
4021 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4022 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
4023 0 \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4024 -s "cookie verification failed" \
4025 -s "cookie verification passed" \
4026 -S "cookie verification skipped" \
4027 -c "received hello verify request" \
4028 -s "hello verification requested" \
4029 -S "SSL - The requested feature is not available"
4030
4031run_test "DTLS cookie: enabled, nbio" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4032 "$P_SRV dtls=1 nbio=2 debug_level=2" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4033 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4034 0 \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4035 -s "cookie verification failed" \
4036 -s "cookie verification passed" \
4037 -S "cookie verification skipped" \
4038 -c "received hello verify request" \
4039 -s "hello verification requested" \
4040 -S "SSL - The requested feature is not available"
4041
4042# Tests for client reconnecting from the same port with DTLS
4043
4044not_with_valgrind # spurious resend
4045run_test "DTLS client reconnect from same port: reference" \
4046 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
4047 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
4048 0 \
4049 -C "resend" \
4050 -S "The operation timed out" \
4051 -S "Client initiated reconnection from same port"
4052
4053not_with_valgrind # spurious resend
4054run_test "DTLS client reconnect from same port: reconnect" \
4055 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
4056 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4057 0 \
4058 -C "resend" \
4059 -S "The operation timed out" \
4060 -s "Client initiated reconnection from same port"
4061
4062not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
4063run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
4064 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
4065 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
4066 0 \
4067 -S "The operation timed out" \
4068 -s "Client initiated reconnection from same port"
4069
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4070only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4071run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4072 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4073 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
4074 0 \
4075 -S "The operation timed out" \
4076 -s "Client initiated reconnection from same port"
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4077
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4078run_test "DTLS client reconnect from same port: no cookies" \
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]4079 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
4080 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
4081 0 \
4082 -s "The operation timed out" \
4083 -S "Client initiated reconnection from same port"
4084
4085# Tests for various cases of client authentication with DTLS
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]4086# (focused on handshake flows and message parsing)
4087
4088run_test "DTLS client auth: required" \
4089 "$P_SRV dtls=1 auth_mode=required" \
4090 "$P_CLI dtls=1" \
4091 0 \
4092 -s "Verifying peer X.509 certificate... ok"
4093
4094run_test "DTLS client auth: optional, client has no cert" \
4095 "$P_SRV dtls=1 auth_mode=optional" \
4096 "$P_CLI dtls=1 crt_file=none key_file=none" \
4097 0 \
4098 -s "! Certificate was missing"
4099
4100run_test "DTLS client auth: none, client has no cert" \
4101 "$P_SRV dtls=1 auth_mode=none" \
4102 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
4103 0 \
4104 -c "skip write certificate$" \
4105 -s "! Certificate verification was skipped"
4106
4107run_test "DTLS wrong PSK: badmac alert" \
4108 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
4109 "$P_CLI dtls=1 psk=abc124" \
4110 1 \
4111 -s "SSL - Verification of the message MAC failed" \
4112 -c "SSL - A fatal alert message was received from our peer"
4113
4114# Tests for receiving fragmented handshake messages with DTLS
4115
4116requires_gnutls
4117run_test "DTLS reassembly: no fragmentation (gnutls server)" \
4118 "$G_SRV -u --mtu 2048 -a" \
4119 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4120 0 \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4121 -C "found fragmented DTLS handshake message" \
4122 -C "error"
4123
4124requires_gnutls
4125run_test "DTLS reassembly: some fragmentation (gnutls server)" \
4126 "$G_SRV -u --mtu 512" \
4127 "$P_CLI dtls=1 debug_level=2" \
4128 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4129 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4130 -C "error"
4131
4132requires_gnutls
4133run_test "DTLS reassembly: more fragmentation (gnutls server)" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4134 "$G_SRV -u --mtu 128" \
4135 "$P_CLI dtls=1 debug_level=2" \
4136 0 \
4137 -c "found fragmented DTLS handshake message" \
4138 -C "error"
4139
4140requires_gnutls
4141run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4142 "$G_SRV -u --mtu 128" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4143 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4144 0 \
4145 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]4146 -C "error"
4147
4148requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]4149requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4150run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
4151 "$G_SRV -u --mtu 256" \
4152 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
4153 0 \
4154 -c "found fragmented DTLS handshake message" \
4155 -c "client hello, adding renegotiation extension" \
4156 -c "found renegotiation extension" \
4157 -c "=> renegotiate" \
4158 -C "mbedtls_ssl_handshake returned" \
4159 -C "error" \
4160 -s "Extra-header:"
4161
4162requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]4163requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4164run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
4165 "$G_SRV -u --mtu 256" \
4166 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
4167 0 \
4168 -c "found fragmented DTLS handshake message" \
4169 -c "client hello, adding renegotiation extension" \
4170 -c "found renegotiation extension" \
4171 -c "=> renegotiate" \
4172 -C "mbedtls_ssl_handshake returned" \
4173 -C "error" \
4174 -s "Extra-header:"
4175
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]4176run_test "DTLS reassembly: no fragmentation (openssl server)" \
4177 "$O_SRV -dtls1 -mtu 2048" \
4178 "$P_CLI dtls=1 debug_level=2" \
4179 0 \
4180 -C "found fragmented DTLS handshake message" \
4181 -C "error"
4182
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4183run_test "DTLS reassembly: some fragmentation (openssl server)" \
4184 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]4185 "$P_CLI dtls=1 debug_level=2" \
4186 0 \
4187 -c "found fragmented DTLS handshake message" \
4188 -C "error"
4189
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4190run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]4191 "$O_SRV -dtls1 -mtu 256" \
4192 "$P_CLI dtls=1 debug_level=2" \
4193 0 \
4194 -c "found fragmented DTLS handshake message" \
4195 -C "error"
4196
4197run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
4198 "$O_SRV -dtls1 -mtu 256" \
4199 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4200 0 \
4201 -c "found fragmented DTLS handshake message" \
4202 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]4203
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]4204# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]4205
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4206not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4207run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]4208 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4209 "$P_SRV dtls=1 debug_level=2" \
4210 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4211 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4212 -C "replayed record" \
4213 -S "replayed record" \
4214 -C "record from another epoch" \
4215 -S "record from another epoch" \
4216 -C "discarding invalid record" \
4217 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4218 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4219 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4220 -c "HTTP/1.0 200 OK"
4221
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4222not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4223run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4224 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4225 "$P_SRV dtls=1 debug_level=2" \
4226 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4227 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4228 -c "replayed record" \
4229 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4230 -c "discarding invalid record" \
4231 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4232 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4233 -s "Extra-header:" \
4234 -c "HTTP/1.0 200 OK"
4235
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4236run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
4237 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4238 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
4239 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4240 0 \
4241 -c "replayed record" \
4242 -S "replayed record" \
4243 -c "discarding invalid record" \
4244 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4245 -c "resend" \
4246 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4247 -s "Extra-header:" \
4248 -c "HTTP/1.0 200 OK"
4249
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4250run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4251 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4252 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4253 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4254 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4255 -c "discarding invalid record (mac)" \
4256 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4257 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4258 -c "HTTP/1.0 200 OK" \
4259 -S "too many records with bad MAC" \
4260 -S "Verification of the message MAC failed"
4261
4262run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
4263 -p "$P_PXY bad_ad=1" \
4264 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
4265 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
4266 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4267 -C "discarding invalid record (mac)" \
4268 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4269 -S "Extra-header:" \
4270 -C "HTTP/1.0 200 OK" \
4271 -s "too many records with bad MAC" \
4272 -s "Verification of the message MAC failed"
4273
4274run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
4275 -p "$P_PXY bad_ad=1" \
4276 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
4277 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
4278 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4279 -c "discarding invalid record (mac)" \
4280 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4281 -s "Extra-header:" \
4282 -c "HTTP/1.0 200 OK" \
4283 -S "too many records with bad MAC" \
4284 -S "Verification of the message MAC failed"
4285
4286run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
4287 -p "$P_PXY bad_ad=1" \
4288 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
4289 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
4290 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4291 -c "discarding invalid record (mac)" \
4292 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4293 -s "Extra-header:" \
4294 -c "HTTP/1.0 200 OK" \
4295 -s "too many records with bad MAC" \
4296 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4297
4298run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4299 -p "$P_PXY delay_ccs=1" \
4300 "$P_SRV dtls=1 debug_level=1" \
4301 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4302 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4303 -c "record from another epoch" \
4304 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4305 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4306 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4307 -s "Extra-header:" \
4308 -c "HTTP/1.0 200 OK"
4309
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]4310# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4311
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4312needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4313run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4314 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4315 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4316 psk=abc123" \
4317 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4318 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4319 0 \
4320 -s "Extra-header:" \
4321 -c "HTTP/1.0 200 OK"
4322
4323needs_more_time 2
4324run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
4325 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4326 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
4327 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4328 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4329 0 \
4330 -s "Extra-header:" \
4331 -c "HTTP/1.0 200 OK"
4332
4333needs_more_time 2
4334run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
4335 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4336 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
4337 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4338 0 \
4339 -s "Extra-header:" \
4340 -c "HTTP/1.0 200 OK"
4341
4342needs_more_time 2
4343run_test "DTLS proxy: 3d, FS, client auth" \
4344 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4345 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
4346 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4347 0 \
4348 -s "Extra-header:" \
4349 -c "HTTP/1.0 200 OK"
4350
4351needs_more_time 2
4352run_test "DTLS proxy: 3d, FS, ticket" \
4353 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4354 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
4355 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4356 0 \
4357 -s "Extra-header:" \
4358 -c "HTTP/1.0 200 OK"
4359
4360needs_more_time 2
4361run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
4362 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4363 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
4364 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4365 0 \
4366 -s "Extra-header:" \
4367 -c "HTTP/1.0 200 OK"
4368
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4369needs_more_time 2
4370run_test "DTLS proxy: 3d, max handshake, nbio" \
4371 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4372 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
4373 auth_mode=required" \
4374 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4375 0 \
4376 -s "Extra-header:" \
4377 -c "HTTP/1.0 200 OK"
4378
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4379needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]4380run_test "DTLS proxy: 3d, min handshake, resumption" \
4381 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4382 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4383 psk=abc123 debug_level=3" \
4384 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4385 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4386 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4387 0 \
4388 -s "a session has been resumed" \
4389 -c "a session has been resumed" \
4390 -s "Extra-header:" \
4391 -c "HTTP/1.0 200 OK"
4392
4393needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]4394run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
4395 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4396 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4397 psk=abc123 debug_level=3 nbio=2" \
4398 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4399 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4400 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
4401 0 \
4402 -s "a session has been resumed" \
4403 -c "a session has been resumed" \
4404 -s "Extra-header:" \
4405 -c "HTTP/1.0 200 OK"
4406
4407needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]4408requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4409run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4410 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4411 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4412 psk=abc123 renegotiation=1 debug_level=2" \
4413 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4414 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4415 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4416 0 \
4417 -c "=> renegotiate" \
4418 -s "=> renegotiate" \
4419 -s "Extra-header:" \
4420 -c "HTTP/1.0 200 OK"
4421
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4422needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]4423requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4424run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
4425 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4426 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4427 psk=abc123 renegotiation=1 debug_level=2" \
4428 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4429 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4430 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4431 0 \
4432 -c "=> renegotiate" \
4433 -s "=> renegotiate" \
4434 -s "Extra-header:" \
4435 -c "HTTP/1.0 200 OK"
4436
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4437needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]4438requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4439run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4440 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4441 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4442 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4443 debug_level=2" \
4444 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4445 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4446 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4447 0 \
4448 -c "=> renegotiate" \
4449 -s "=> renegotiate" \
4450 -s "Extra-header:" \
4451 -c "HTTP/1.0 200 OK"
4452
4453needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]4454requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4455run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4456 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4457 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4458 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4459 debug_level=2 nbio=2" \
4460 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4461 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4462 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4463 0 \
4464 -c "=> renegotiate" \
4465 -s "=> renegotiate" \
4466 -s "Extra-header:" \
4467 -c "HTTP/1.0 200 OK"
4468
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +0200[diff] [blame]4469needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4470not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4471run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4472 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4473 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4474 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4475 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4476 -c "HTTP/1.0 200 OK"
4477
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]4478needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4479not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4480run_test "DTLS proxy: 3d, openssl server, fragmentation" \
4481 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4482 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4483 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4484 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4485 -c "HTTP/1.0 200 OK"
4486
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]4487needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4488not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4489run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
4490 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4491 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4492 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4493 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4494 -c "HTTP/1.0 200 OK"
4495
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4496requires_gnutls
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +0200[diff] [blame]4497needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4498not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4499run_test "DTLS proxy: 3d, gnutls server" \
4500 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4501 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4502 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4503 0 \
4504 -s "Extra-header:" \
4505 -c "Extra-header:"
4506
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4507requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]4508needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4509not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4510run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
4511 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4512 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4513 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4514 0 \
4515 -s "Extra-header:" \
4516 -c "Extra-header:"
4517
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4518requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]4519needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4520not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4521run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
4522 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4523 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4524 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4525 0 \
4526 -s "Extra-header:" \
4527 -c "Extra-header:"
4528
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4529# Final report
4530
4531echo "------------------------------------------------------------------------"
4532
4533if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4534 printf "PASSED"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4535else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4536 printf "FAILED"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4537fi
4538PASSES=$(( $TESTS - $FAILS ))
4539echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
4540
4541exit $FAILS