TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 52c6dc64c675d24b1be65e06d43dd67dc111e762 / . / tests / ssl-opt.sh
blob: 57d5e60532dd075df62913af664ee05d1a7ce013 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]24# default values, can be overriden by the environment
25: ${P_SRV:=../programs/ssl/ssl_server2}
26: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]27: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]28: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]29: ${GNUTLS_CLI:=gnutls-cli}
30: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]31: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]33O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]34O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]35G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]36G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]37TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]38
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]39TESTS=0
40FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]41SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]44
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]45MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]46FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]47EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]49SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]50RUN_TEST_NUMBER=''
51
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]52PRESERVE_LOGS=0
53
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]54# Pick a "unique" server port in the range 10000-19999, and a proxy
55# port which is this plus 10000. Each port number may be independently
56# overridden by a command line option.
57SRV_PORT=$(($$ % 10000 + 10000))
58PXY_PORT=$((SRV_PORT + 10000))
59
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]60print_usage() {
61 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]62 printf " -h|--help\tPrint this help.\n"
63 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]64 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
65 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]66 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]67 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]68 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]69 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
70 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]71 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72}
73
74get_options() {
75 while [ $# -gt 0 ]; do
76 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]77 -f|--filter)
78 shift; FILTER=$1
79 ;;
80 -e|--exclude)
81 shift; EXCLUDE=$1
82 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]83 -m|--memcheck)
84 MEMCHECK=1
85 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]86 -n|--number)
87 shift; RUN_TEST_NUMBER=$1
88 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]89 -s|--show-numbers)
90 SHOW_TEST_NUMBER=1
91 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]92 -p|--preserve-logs)
93 PRESERVE_LOGS=1
94 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]95 --port)
96 shift; SRV_PORT=$1
97 ;;
98 --proxy-port)
99 shift; PXY_PORT=$1
100 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]101 --seed)
102 shift; SEED="$1"
103 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104 -h|--help)
105 print_usage
106 exit 0
107 ;;
108 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]109 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 print_usage
111 exit 1
112 ;;
113 esac
114 shift
115 done
116}
117
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]118# skip next test if the flag is not enabled in config.h
119requires_config_enabled() {
120 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
121 SKIP_NEXT="YES"
122 fi
123}
124
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]125# skip next test if the flag is enabled in config.h
126requires_config_disabled() {
127 if grep "^#define $1" $CONFIG_H > /dev/null; then
128 SKIP_NEXT="YES"
129 fi
130}
131
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]132# skip next test if OpenSSL doesn't support FALLBACK_SCSV
133requires_openssl_with_fallback_scsv() {
134 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
135 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
136 then
137 OPENSSL_HAS_FBSCSV="YES"
138 else
139 OPENSSL_HAS_FBSCSV="NO"
140 fi
141 fi
142 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
143 SKIP_NEXT="YES"
144 fi
145}
146
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]147# skip next test if GnuTLS isn't available
148requires_gnutls() {
149 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]150 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]151 GNUTLS_AVAILABLE="YES"
152 else
153 GNUTLS_AVAILABLE="NO"
154 fi
155 fi
156 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]161# skip next test if IPv6 isn't available on this host
162requires_ipv6() {
163 if [ -z "${HAS_IPV6:-}" ]; then
164 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
165 SRV_PID=$!
166 sleep 1
167 kill $SRV_PID >/dev/null 2>&1
168 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
169 HAS_IPV6="NO"
170 else
171 HAS_IPV6="YES"
172 fi
173 rm -r $SRV_OUT
174 fi
175
176 if [ "$HAS_IPV6" = "NO" ]; then
177 SKIP_NEXT="YES"
178 fi
179}
180
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]181# skip the next test if valgrind is in use
182not_with_valgrind() {
183 if [ "$MEMCHECK" -gt 0 ]; then
184 SKIP_NEXT="YES"
185 fi
186}
187
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]188# skip the next test if valgrind is NOT in use
189only_with_valgrind() {
190 if [ "$MEMCHECK" -eq 0 ]; then
191 SKIP_NEXT="YES"
192 fi
193}
194
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]195# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]196client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]197 CLI_DELAY_FACTOR=$1
198}
199
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]200# wait for the given seconds after the client finished in the next test
201server_needs_more_time() {
202 SRV_DELAY_SECONDS=$1
203}
204
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]205# print_name <name>
206print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]207 TESTS=$(( $TESTS + 1 ))
208 LINE=""
209
210 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
211 LINE="$TESTS "
212 fi
213
214 LINE="$LINE$1"
215 printf "$LINE "
216 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]217 for i in `seq 1 $LEN`; do printf '.'; done
218 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]219
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]220}
221
222# fail <message>
223fail() {
224 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]225 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]226
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]227 mv $SRV_OUT o-srv-${TESTS}.log
228 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]229 if [ -n "$PXY_CMD" ]; then
230 mv $PXY_OUT o-pxy-${TESTS}.log
231 fi
232 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]233
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]234 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
235 echo " ! server output:"
236 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]237 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]238 echo " ! client output:"
239 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]240 if [ -n "$PXY_CMD" ]; then
241 echo " ! ========================================================"
242 echo " ! proxy output:"
243 cat o-pxy-${TESTS}.log
244 fi
245 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]246 fi
247
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]248 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]249}
250
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]251# is_polar <cmd_line>
252is_polar() {
253 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
254}
255
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]256# openssl s_server doesn't have -www with DTLS
257check_osrv_dtls() {
258 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
259 NEEDS_INPUT=1
260 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
261 else
262 NEEDS_INPUT=0
263 fi
264}
265
266# provide input to commands that need it
267provide_input() {
268 if [ $NEEDS_INPUT -eq 0 ]; then
269 return
270 fi
271
272 while true; do
273 echo "HTTP/1.0 200 OK"
274 sleep 1
275 done
276}
277
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]278# has_mem_err <log_file_name>
279has_mem_err() {
280 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
281 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
282 then
283 return 1 # false: does not have errors
284 else
285 return 0 # true: has errors
286 fi
287}
288
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]289# wait for server to start: two versions depending on lsof availability
290wait_server_start() {
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]291 if which lsof >/dev/null 2>&1; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]292 START_TIME=$( date +%s )
293 DONE=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]294
295 # make a tight loop, server usually takes less than 1 sec to start
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]296 if [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]297 while [ $DONE -eq 0 ]; do
298 if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null
299 then
300 DONE=1
301 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
302 echo "SERVERSTART TIMEOUT"
303 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
304 DONE=1
305 fi
306 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]307 else
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]308 while [ $DONE -eq 0 ]; do
309 if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null
310 then
311 DONE=1
312 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
313 echo "SERVERSTART TIMEOUT"
314 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
315 DONE=1
316 fi
317 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]318 fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]319 else
320 sleep "$START_DELAY"
321 fi
322}
323
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]324# wait for client to terminate and set CLI_EXIT
325# must be called right after starting the client
326wait_client_done() {
327 CLI_PID=$!
328
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]329 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
330 CLI_DELAY_FACTOR=1
331
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]332 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]333 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]334
335 wait $CLI_PID
336 CLI_EXIT=$?
337
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]338 kill $DOG_PID >/dev/null 2>&1
339 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]340
341 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]342
343 sleep $SRV_DELAY_SECONDS
344 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]345}
346
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]347# check if the given command uses dtls and sets global variable DTLS
348detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]349 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]350 DTLS=1
351 else
352 DTLS=0
353 fi
354}
355
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]356# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]357# Options: -s pattern pattern that must be present in server output
358# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]359# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]360# -S pattern pattern that must be absent in server output
361# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]362# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]363run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]364 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]365 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]366
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]367 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
368 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]369 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]370 return
371 fi
372
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]373 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]374
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]375 # Do we only run numbered tests?
376 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
377 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
378 else
379 SKIP_NEXT="YES"
380 fi
381
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]382 # should we skip?
383 if [ "X$SKIP_NEXT" = "XYES" ]; then
384 SKIP_NEXT="NO"
385 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]386 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]387 return
388 fi
389
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]390 # does this test use a proxy?
391 if [ "X$1" = "X-p" ]; then
392 PXY_CMD="$2"
393 shift 2
394 else
395 PXY_CMD=""
396 fi
397
398 # get commands and client output
399 SRV_CMD="$1"
400 CLI_CMD="$2"
401 CLI_EXPECT="$3"
402 shift 3
403
404 # fix client port
405 if [ -n "$PXY_CMD" ]; then
406 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
407 else
408 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
409 fi
410
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]411 # update DTLS variable
412 detect_dtls "$SRV_CMD"
413
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]414 # prepend valgrind to our commands if active
415 if [ "$MEMCHECK" -gt 0 ]; then
416 if is_polar "$SRV_CMD"; then
417 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
418 fi
419 if is_polar "$CLI_CMD"; then
420 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
421 fi
422 fi
423
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]424 TIMES_LEFT=2
425 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]426 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]427
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]428 # run the commands
429 if [ -n "$PXY_CMD" ]; then
430 echo "$PXY_CMD" > $PXY_OUT
431 $PXY_CMD >> $PXY_OUT 2>&1 &
432 PXY_PID=$!
433 # assume proxy starts faster than server
434 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]435
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]436 check_osrv_dtls
437 echo "$SRV_CMD" > $SRV_OUT
438 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
439 SRV_PID=$!
440 wait_server_start
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]441
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]442 echo "$CLI_CMD" > $CLI_OUT
443 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
444 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]445
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]446 sleep 0.05
447
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]448 # terminate the server (and the proxy)
449 kill $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]450 sleep 0.01
451 if kill -0 $SRV_PID >/dev/null 2>&1; then
452 kill -KILL $SRV_PID
453 wait $SRV_PID
454 fi
455
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]456 if [ -n "$PXY_CMD" ]; then
457 kill $PXY_PID >/dev/null 2>&1
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]458 sleep 0.01
459 if kill -0 $PXY_PID >/dev/null 2>&1; then
460 kill -KILL $pXY_PID
461 wait $PXY_PID
462 fi
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]463 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]464
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]465 # retry only on timeouts
466 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
467 printf "RETRY "
468 else
469 TIMES_LEFT=0
470 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]471 done
472
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]473 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]474 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]475 # expected client exit to incorrectly succeed in case of catastrophic
476 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]477 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]478 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]479 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]480 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]481 return
482 fi
483 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]484 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]485 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]486 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]487 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]488 return
489 fi
490 fi
491
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]492 # check server exit code
493 if [ $? != 0 ]; then
494 fail "server fail"
495 return
496 fi
497
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]498 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]499 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
500 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]501 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]502 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]503 return
504 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]505
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]506 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]507 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]508 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]509 while [ $# -gt 0 ]
510 do
511 case $1 in
512 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]513 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]514 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]515 return
516 fi
517 ;;
518
519 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]520 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]521 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]522 return
523 fi
524 ;;
525
526 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]527 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]528 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]529 return
530 fi
531 ;;
532
533 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]534 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]535 fail "pattern '$2' MUST NOT be present in the Client output"
536 return
537 fi
538 ;;
539
540 # The filtering in the following two options (-u and -U) do the following
541 # - ignore valgrind output
542 # - filter out everything but lines right after the pattern occurances
543 # - keep one of each non-unique line
544 # - count how many lines remain
545 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
546 # if there were no duplicates.
547 "-U")
548 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
549 fail "lines following pattern '$2' must be unique in Server output"
550 return
551 fi
552 ;;
553
554 "-u")
555 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
556 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]557 return
558 fi
559 ;;
560
561 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]562 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]563 exit 1
564 esac
565 shift 2
566 done
567
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]568 # check valgrind's results
569 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]570 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]571 fail "Server has memory errors"
572 return
573 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]574 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]575 fail "Client has memory errors"
576 return
577 fi
578 fi
579
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]580 # if we're here, everything is ok
581 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]582 if [ "$PRESERVE_LOGS" -gt 0 ]; then
583 mv $SRV_OUT o-srv-${TESTS}.log
584 mv $CLI_OUT o-cli-${TESTS}.log
585 fi
586
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]587 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]588}
589
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]590cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]591 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]592 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
593 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
594 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
595 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]596 exit 1
597}
598
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]599#
600# MAIN
601#
602
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]603if cd $( dirname $0 ); then :; else
604 echo "cd $( dirname $0 ) failed" >&2
605 exit 1
606fi
607
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]608get_options "$@"
609
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]610# sanity checks, avoid an avalanche of errors
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]611P_SRV_BIN=$(echo "$P_SRV" | sed -r -n "s/^([^ ]*).*$/\1/p")
612echo "Server binary: ${P_SRV_BIN}"
613P_CLI_BIN=$(echo "$P_CLI" | sed -r -n "s/^([^ ]*).*$/\1/p")
614echo "Client binary: ${P_CLI_BIN}"
615P_PXY_BIN=$(echo "$P_PXY" | sed -r -n "s/^([^ ]*).*$/\1/p")
616echo "Proxy binary: ${P_PXY_BIN}"
617if [ ! -x "$P_SRV_BIN" ]; then
618 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]619 exit 1
620fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]621if [ ! -x "$P_CLI_BIN" ]; then
622 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]623 exit 1
624fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]625if [ ! -x "$P_PXY_BIN" ]; then
626 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]627 exit 1
628fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]629if [ "$MEMCHECK" -gt 0 ]; then
630 if which valgrind >/dev/null 2>&1; then :; else
631 echo "Memcheck not possible. Valgrind not found"
632 exit 1
633 fi
634fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]635if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
636 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]637 exit 1
638fi
639
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]640# used by watchdog
641MAIN_PID="$$"
642
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]643# be more patient with valgrind
644if [ "$MEMCHECK" -gt 0 ]; then
645 START_DELAY=3
646 DOG_DELAY=30
647else
648 START_DELAY=1
649 DOG_DELAY=10
650fi
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]651CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]652SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]653
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]654# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]655# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]656P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
657P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]658P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]659O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]660O_CLI="$O_CLI -connect localhost:+SRV_PORT"
661G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]662G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]663
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]664# Allow SHA-1, because many of our test certificates use it
665P_SRV="$P_SRV allow_sha1=1"
666P_CLI="$P_CLI allow_sha1=1"
667
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]668# Also pick a unique name for intermediate files
669SRV_OUT="srv_out.$$"
670CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]671PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]672SESSION="session.$$"
673
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]674SKIP_NEXT="NO"
675
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]676trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]677
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]678# Basic test
679
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]680# Checks that:
681# - things work with all ciphersuites active (used with config-full in all.sh)
682# - the expected (highest security) parameters are selected
683# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]684run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]685 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]686 "$P_CLI" \
687 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]688 -s "Protocol is TLSv1.2" \
689 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
690 -s "client hello v3, signature_algorithm ext: 6" \
691 -s "ECDHE curve: secp521r1" \
692 -S "error" \
693 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]694
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]695run_test "Default, DTLS" \
696 "$P_SRV dtls=1" \
697 "$P_CLI dtls=1" \
698 0 \
699 -s "Protocol is DTLSv1.2" \
700 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
701
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]702# Test for uniqueness of IVs in AEAD ciphersuites
703run_test "Unique IV in GCM" \
704 "$P_SRV exchanges=20 debug_level=4" \
705 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
706 0 \
707 -u "IV used" \
708 -U "IV used"
709
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]710# Tests for rc4 option
711
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]712requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]713run_test "RC4: server disabled, client enabled" \
714 "$P_SRV" \
715 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
716 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]717 -s "SSL - The server has no ciphersuites in common"
718
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]719requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]720run_test "RC4: server half, client enabled" \
721 "$P_SRV arc4=1" \
722 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
723 1 \
724 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]725
726run_test "RC4: server enabled, client disabled" \
727 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
728 "$P_CLI" \
729 1 \
730 -s "SSL - The server has no ciphersuites in common"
731
732run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]733 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]734 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
735 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]736 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]737 -S "SSL - The server has no ciphersuites in common"
738
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]739# Tests for SHA-1 support
740
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]741requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]742run_test "SHA-1 forbidden by default in server certificate" \
743 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
744 "$P_CLI debug_level=2 allow_sha1=0" \
745 1 \
746 -c "The certificate is signed with an unacceptable hash"
747
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]748requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
749run_test "SHA-1 forbidden by default in server certificate" \
750 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
751 "$P_CLI debug_level=2 allow_sha1=0" \
752 0
753
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]754run_test "SHA-1 explicitly allowed in server certificate" \
755 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
756 "$P_CLI allow_sha1=1" \
757 0
758
759run_test "SHA-256 allowed by default in server certificate" \
760 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
761 "$P_CLI allow_sha1=0" \
762 0
763
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]764requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]765run_test "SHA-1 forbidden by default in client certificate" \
766 "$P_SRV auth_mode=required allow_sha1=0" \
767 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
768 1 \
769 -s "The certificate is signed with an unacceptable hash"
770
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]771requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
772run_test "SHA-1 forbidden by default in client certificate" \
773 "$P_SRV auth_mode=required allow_sha1=0" \
774 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
775 0
776
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]777run_test "SHA-1 explicitly allowed in client certificate" \
778 "$P_SRV auth_mode=required allow_sha1=1" \
779 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
780 0
781
782run_test "SHA-256 allowed by default in client certificate" \
783 "$P_SRV auth_mode=required allow_sha1=0" \
784 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
785 0
786
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]787# Tests for Truncated HMAC extension
788
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]789run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]790 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]791 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]792 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]793 -s "dumping 'computed mac' (20 bytes)" \
794 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]795
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]796run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]797 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]798 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
799 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]800 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]801 -s "dumping 'computed mac' (20 bytes)" \
802 -S "dumping 'computed mac' (10 bytes)"
803
804run_test "Truncated HMAC: client enabled, server default" \
805 "$P_SRV debug_level=4" \
806 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
807 trunc_hmac=1" \
808 0 \
Manuel Pégourié-Gonnard662c6e82015-05-06 17:39:23 +0100[diff] [blame]809 -s "dumping 'computed mac' (20 bytes)" \
810 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]811
812run_test "Truncated HMAC: client enabled, server disabled" \
813 "$P_SRV debug_level=4 trunc_hmac=0" \
814 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
815 trunc_hmac=1" \
816 0 \
817 -s "dumping 'computed mac' (20 bytes)" \
818 -S "dumping 'computed mac' (10 bytes)"
819
820run_test "Truncated HMAC: client enabled, server enabled" \
821 "$P_SRV debug_level=4 trunc_hmac=1" \
822 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
823 trunc_hmac=1" \
824 0 \
825 -S "dumping 'computed mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]826 -s "dumping 'computed mac' (10 bytes)"
827
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]828# Tests for Encrypt-then-MAC extension
829
830run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]831 "$P_SRV debug_level=3 \
832 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]833 "$P_CLI debug_level=3" \
834 0 \
835 -c "client hello, adding encrypt_then_mac extension" \
836 -s "found encrypt then mac extension" \
837 -s "server hello, adding encrypt then mac extension" \
838 -c "found encrypt_then_mac extension" \
839 -c "using encrypt then mac" \
840 -s "using encrypt then mac"
841
842run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]843 "$P_SRV debug_level=3 etm=0 \
844 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]845 "$P_CLI debug_level=3 etm=1" \
846 0 \
847 -c "client hello, adding encrypt_then_mac extension" \
848 -s "found encrypt then mac extension" \
849 -S "server hello, adding encrypt then mac extension" \
850 -C "found encrypt_then_mac extension" \
851 -C "using encrypt then mac" \
852 -S "using encrypt then mac"
853
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]854run_test "Encrypt then MAC: client enabled, aead cipher" \
855 "$P_SRV debug_level=3 etm=1 \
856 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
857 "$P_CLI debug_level=3 etm=1" \
858 0 \
859 -c "client hello, adding encrypt_then_mac extension" \
860 -s "found encrypt then mac extension" \
861 -S "server hello, adding encrypt then mac extension" \
862 -C "found encrypt_then_mac extension" \
863 -C "using encrypt then mac" \
864 -S "using encrypt then mac"
865
866run_test "Encrypt then MAC: client enabled, stream cipher" \
867 "$P_SRV debug_level=3 etm=1 \
868 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]869 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]870 0 \
871 -c "client hello, adding encrypt_then_mac extension" \
872 -s "found encrypt then mac extension" \
873 -S "server hello, adding encrypt then mac extension" \
874 -C "found encrypt_then_mac extension" \
875 -C "using encrypt then mac" \
876 -S "using encrypt then mac"
877
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]878run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]879 "$P_SRV debug_level=3 etm=1 \
880 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]881 "$P_CLI debug_level=3 etm=0" \
882 0 \
883 -C "client hello, adding encrypt_then_mac extension" \
884 -S "found encrypt then mac extension" \
885 -S "server hello, adding encrypt then mac extension" \
886 -C "found encrypt_then_mac extension" \
887 -C "using encrypt then mac" \
888 -S "using encrypt then mac"
889
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]890requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]891run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]892 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]893 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]894 "$P_CLI debug_level=3 force_version=ssl3" \
895 0 \
896 -C "client hello, adding encrypt_then_mac extension" \
897 -S "found encrypt then mac extension" \
898 -S "server hello, adding encrypt then mac extension" \
899 -C "found encrypt_then_mac extension" \
900 -C "using encrypt then mac" \
901 -S "using encrypt then mac"
902
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]903requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]904run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]905 "$P_SRV debug_level=3 force_version=ssl3 \
906 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]907 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]908 0 \
909 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]910 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]911 -S "server hello, adding encrypt then mac extension" \
912 -C "found encrypt_then_mac extension" \
913 -C "using encrypt then mac" \
914 -S "using encrypt then mac"
915
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]916# Tests for Extended Master Secret extension
917
918run_test "Extended Master Secret: default" \
919 "$P_SRV debug_level=3" \
920 "$P_CLI debug_level=3" \
921 0 \
922 -c "client hello, adding extended_master_secret extension" \
923 -s "found extended master secret extension" \
924 -s "server hello, adding extended master secret extension" \
925 -c "found extended_master_secret extension" \
926 -c "using extended master secret" \
927 -s "using extended master secret"
928
929run_test "Extended Master Secret: client enabled, server disabled" \
930 "$P_SRV debug_level=3 extended_ms=0" \
931 "$P_CLI debug_level=3 extended_ms=1" \
932 0 \
933 -c "client hello, adding extended_master_secret extension" \
934 -s "found extended master secret extension" \
935 -S "server hello, adding extended master secret extension" \
936 -C "found extended_master_secret extension" \
937 -C "using extended master secret" \
938 -S "using extended master secret"
939
940run_test "Extended Master Secret: client disabled, server enabled" \
941 "$P_SRV debug_level=3 extended_ms=1" \
942 "$P_CLI debug_level=3 extended_ms=0" \
943 0 \
944 -C "client hello, adding extended_master_secret extension" \
945 -S "found extended master secret extension" \
946 -S "server hello, adding extended master secret extension" \
947 -C "found extended_master_secret extension" \
948 -C "using extended master secret" \
949 -S "using extended master secret"
950
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]951requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]952run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]953 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]954 "$P_CLI debug_level=3 force_version=ssl3" \
955 0 \
956 -C "client hello, adding extended_master_secret extension" \
957 -S "found extended master secret extension" \
958 -S "server hello, adding extended master secret extension" \
959 -C "found extended_master_secret extension" \
960 -C "using extended master secret" \
961 -S "using extended master secret"
962
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]963requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]964run_test "Extended Master Secret: client enabled, server SSLv3" \
965 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]966 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]967 0 \
968 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]969 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]970 -S "server hello, adding extended master secret extension" \
971 -C "found extended_master_secret extension" \
972 -C "using extended master secret" \
973 -S "using extended master secret"
974
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]975# Tests for FALLBACK_SCSV
976
977run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]978 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]979 "$P_CLI debug_level=3 force_version=tls1_1" \
980 0 \
981 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]982 -S "received FALLBACK_SCSV" \
983 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]984 -C "is a fatal alert message (msg 86)"
985
986run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]987 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]988 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
989 0 \
990 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]991 -S "received FALLBACK_SCSV" \
992 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]993 -C "is a fatal alert message (msg 86)"
994
995run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]996 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]997 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]998 1 \
999 -c "adding FALLBACK_SCSV" \
1000 -s "received FALLBACK_SCSV" \
1001 -s "inapropriate fallback" \
1002 -c "is a fatal alert message (msg 86)"
1003
1004run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1005 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1006 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1007 0 \
1008 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1009 -s "received FALLBACK_SCSV" \
1010 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1011 -C "is a fatal alert message (msg 86)"
1012
1013requires_openssl_with_fallback_scsv
1014run_test "Fallback SCSV: default, openssl server" \
1015 "$O_SRV" \
1016 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1017 0 \
1018 -C "adding FALLBACK_SCSV" \
1019 -C "is a fatal alert message (msg 86)"
1020
1021requires_openssl_with_fallback_scsv
1022run_test "Fallback SCSV: enabled, openssl server" \
1023 "$O_SRV" \
1024 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1025 1 \
1026 -c "adding FALLBACK_SCSV" \
1027 -c "is a fatal alert message (msg 86)"
1028
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1029requires_openssl_with_fallback_scsv
1030run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1031 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1032 "$O_CLI -tls1_1" \
1033 0 \
1034 -S "received FALLBACK_SCSV" \
1035 -S "inapropriate fallback"
1036
1037requires_openssl_with_fallback_scsv
1038run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1039 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1040 "$O_CLI -tls1_1 -fallback_scsv" \
1041 1 \
1042 -s "received FALLBACK_SCSV" \
1043 -s "inapropriate fallback"
1044
1045requires_openssl_with_fallback_scsv
1046run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1047 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1048 "$O_CLI -fallback_scsv" \
1049 0 \
1050 -s "received FALLBACK_SCSV" \
1051 -S "inapropriate fallback"
1052
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1053## ClientHello generated with
1054## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1055## then manually twiddling the ciphersuite list.
1056## The ClientHello content is spelled out below as a hex string as
1057## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1058## The expected response is an inappropriate_fallback alert.
1059requires_openssl_with_fallback_scsv
1060run_test "Fallback SCSV: beginning of list" \
1061 "$P_SRV debug_level=2" \
1062 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1063 0 \
1064 -s "received FALLBACK_SCSV" \
1065 -s "inapropriate fallback"
1066
1067requires_openssl_with_fallback_scsv
1068run_test "Fallback SCSV: end of list" \
1069 "$P_SRV debug_level=2" \
1070 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1071 0 \
1072 -s "received FALLBACK_SCSV" \
1073 -s "inapropriate fallback"
1074
1075## Here the expected response is a valid ServerHello prefix, up to the random.
1076requires_openssl_with_fallback_scsv
1077run_test "Fallback SCSV: not in list" \
1078 "$P_SRV debug_level=2" \
1079 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1080 0 \
1081 -S "received FALLBACK_SCSV" \
1082 -S "inapropriate fallback"
1083
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1084# Tests for CBC 1/n-1 record splitting
1085
1086run_test "CBC Record splitting: TLS 1.2, no splitting" \
1087 "$P_SRV" \
1088 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1089 request_size=123 force_version=tls1_2" \
1090 0 \
1091 -s "Read from client: 123 bytes read" \
1092 -S "Read from client: 1 bytes read" \
1093 -S "122 bytes read"
1094
1095run_test "CBC Record splitting: TLS 1.1, no splitting" \
1096 "$P_SRV" \
1097 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1098 request_size=123 force_version=tls1_1" \
1099 0 \
1100 -s "Read from client: 123 bytes read" \
1101 -S "Read from client: 1 bytes read" \
1102 -S "122 bytes read"
1103
1104run_test "CBC Record splitting: TLS 1.0, splitting" \
1105 "$P_SRV" \
1106 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1107 request_size=123 force_version=tls1" \
1108 0 \
1109 -S "Read from client: 123 bytes read" \
1110 -s "Read from client: 1 bytes read" \
1111 -s "122 bytes read"
1112
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1113requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1114run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1115 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1116 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1117 request_size=123 force_version=ssl3" \
1118 0 \
1119 -S "Read from client: 123 bytes read" \
1120 -s "Read from client: 1 bytes read" \
1121 -s "122 bytes read"
1122
1123run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1124 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1125 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1126 request_size=123 force_version=tls1" \
1127 0 \
1128 -s "Read from client: 123 bytes read" \
1129 -S "Read from client: 1 bytes read" \
1130 -S "122 bytes read"
1131
1132run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1133 "$P_SRV" \
1134 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1135 request_size=123 force_version=tls1 recsplit=0" \
1136 0 \
1137 -s "Read from client: 123 bytes read" \
1138 -S "Read from client: 1 bytes read" \
1139 -S "122 bytes read"
1140
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1141run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1142 "$P_SRV nbio=2" \
1143 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1144 request_size=123 force_version=tls1" \
1145 0 \
1146 -S "Read from client: 123 bytes read" \
1147 -s "Read from client: 1 bytes read" \
1148 -s "122 bytes read"
1149
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1150# Tests for Session Tickets
1151
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1152run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1153 "$P_SRV debug_level=3 tickets=1" \
1154 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1155 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1156 -c "client hello, adding session ticket extension" \
1157 -s "found session ticket extension" \
1158 -s "server hello, adding session ticket extension" \
1159 -c "found session_ticket extension" \
1160 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1161 -S "session successfully restored from cache" \
1162 -s "session successfully restored from ticket" \
1163 -s "a session has been resumed" \
1164 -c "a session has been resumed"
1165
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1166run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1167 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1168 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1169 0 \
1170 -c "client hello, adding session ticket extension" \
1171 -s "found session ticket extension" \
1172 -s "server hello, adding session ticket extension" \
1173 -c "found session_ticket extension" \
1174 -c "parse new session ticket" \
1175 -S "session successfully restored from cache" \
1176 -s "session successfully restored from ticket" \
1177 -s "a session has been resumed" \
1178 -c "a session has been resumed"
1179
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1180run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1181 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1182 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1183 0 \
1184 -c "client hello, adding session ticket extension" \
1185 -s "found session ticket extension" \
1186 -s "server hello, adding session ticket extension" \
1187 -c "found session_ticket extension" \
1188 -c "parse new session ticket" \
1189 -S "session successfully restored from cache" \
1190 -S "session successfully restored from ticket" \
1191 -S "a session has been resumed" \
1192 -C "a session has been resumed"
1193
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1194run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1195 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1196 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1197 0 \
1198 -c "client hello, adding session ticket extension" \
1199 -c "found session_ticket extension" \
1200 -c "parse new session ticket" \
1201 -c "a session has been resumed"
1202
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1203run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1204 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1205 "( $O_CLI -sess_out $SESSION; \
1206 $O_CLI -sess_in $SESSION; \
1207 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1208 0 \
1209 -s "found session ticket extension" \
1210 -s "server hello, adding session ticket extension" \
1211 -S "session successfully restored from cache" \
1212 -s "session successfully restored from ticket" \
1213 -s "a session has been resumed"
1214
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1215# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1216
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1217run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1218 "$P_SRV debug_level=3 tickets=0" \
1219 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1220 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1221 -c "client hello, adding session ticket extension" \
1222 -s "found session ticket extension" \
1223 -S "server hello, adding session ticket extension" \
1224 -C "found session_ticket extension" \
1225 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1226 -s "session successfully restored from cache" \
1227 -S "session successfully restored from ticket" \
1228 -s "a session has been resumed" \
1229 -c "a session has been resumed"
1230
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1231run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1232 "$P_SRV debug_level=3 tickets=1" \
1233 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1234 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1235 -C "client hello, adding session ticket extension" \
1236 -S "found session ticket extension" \
1237 -S "server hello, adding session ticket extension" \
1238 -C "found session_ticket extension" \
1239 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1240 -s "session successfully restored from cache" \
1241 -S "session successfully restored from ticket" \
1242 -s "a session has been resumed" \
1243 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1244
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1245run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1246 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1247 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1248 0 \
1249 -S "session successfully restored from cache" \
1250 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1251 -S "a session has been resumed" \
1252 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1253
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1254run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1255 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1256 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1257 0 \
1258 -s "session successfully restored from cache" \
1259 -S "session successfully restored from ticket" \
1260 -s "a session has been resumed" \
1261 -c "a session has been resumed"
1262
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1263run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1264 "$P_SRV debug_level=3 tickets=0" \
1265 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1266 0 \
1267 -s "session successfully restored from cache" \
1268 -S "session successfully restored from ticket" \
1269 -s "a session has been resumed" \
1270 -c "a session has been resumed"
1271
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1272run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1273 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1274 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1275 0 \
1276 -S "session successfully restored from cache" \
1277 -S "session successfully restored from ticket" \
1278 -S "a session has been resumed" \
1279 -C "a session has been resumed"
1280
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1281run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1282 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1283 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1284 0 \
1285 -s "session successfully restored from cache" \
1286 -S "session successfully restored from ticket" \
1287 -s "a session has been resumed" \
1288 -c "a session has been resumed"
1289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1290run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1291 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1292 "( $O_CLI -sess_out $SESSION; \
1293 $O_CLI -sess_in $SESSION; \
1294 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1295 0 \
1296 -s "found session ticket extension" \
1297 -S "server hello, adding session ticket extension" \
1298 -s "session successfully restored from cache" \
1299 -S "session successfully restored from ticket" \
1300 -s "a session has been resumed"
1301
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1302run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1303 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1304 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1305 0 \
1306 -C "found session_ticket extension" \
1307 -C "parse new session ticket" \
1308 -c "a session has been resumed"
1309
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1310# Tests for Max Fragment Length extension
1311
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1312run_test "Max fragment length: not used, reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1313 "$P_SRV debug_level=3" \
1314 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1315 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1316 -c "Maximum fragment length is 16384" \
1317 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1318 -C "client hello, adding max_fragment_length extension" \
1319 -S "found max fragment length extension" \
1320 -S "server hello, max_fragment_length extension" \
1321 -C "found max_fragment_length extension"
1322
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1323run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1324 "$P_SRV debug_level=3" \
1325 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1326 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1327 -c "Maximum fragment length is 4096" \
1328 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1329 -c "client hello, adding max_fragment_length extension" \
1330 -s "found max fragment length extension" \
1331 -s "server hello, max_fragment_length extension" \
1332 -c "found max_fragment_length extension"
1333
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1334run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1335 "$P_SRV debug_level=3 max_frag_len=4096" \
1336 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1337 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1338 -c "Maximum fragment length is 16384" \
1339 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1340 -C "client hello, adding max_fragment_length extension" \
1341 -S "found max fragment length extension" \
1342 -S "server hello, max_fragment_length extension" \
1343 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1344
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1345requires_gnutls
1346run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1347 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1348 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1349 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1350 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1351 -c "client hello, adding max_fragment_length extension" \
1352 -c "found max_fragment_length extension"
1353
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1354run_test "Max fragment length: client, message just fits" \
1355 "$P_SRV debug_level=3" \
1356 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1357 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1358 -c "Maximum fragment length is 2048" \
1359 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1360 -c "client hello, adding max_fragment_length extension" \
1361 -s "found max fragment length extension" \
1362 -s "server hello, max_fragment_length extension" \
1363 -c "found max_fragment_length extension" \
1364 -c "2048 bytes written in 1 fragments" \
1365 -s "2048 bytes read"
1366
1367run_test "Max fragment length: client, larger message" \
1368 "$P_SRV debug_level=3" \
1369 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1370 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1371 -c "Maximum fragment length is 2048" \
1372 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1373 -c "client hello, adding max_fragment_length extension" \
1374 -s "found max fragment length extension" \
1375 -s "server hello, max_fragment_length extension" \
1376 -c "found max_fragment_length extension" \
1377 -c "2345 bytes written in 2 fragments" \
1378 -s "2048 bytes read" \
1379 -s "297 bytes read"
1380
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1381run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1382 "$P_SRV debug_level=3 dtls=1" \
1383 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1384 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1385 -c "Maximum fragment length is 2048" \
1386 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1387 -c "client hello, adding max_fragment_length extension" \
1388 -s "found max fragment length extension" \
1389 -s "server hello, max_fragment_length extension" \
1390 -c "found max_fragment_length extension" \
1391 -c "fragment larger than.*maximum"
1392
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1393# Tests for renegotiation
1394
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1395run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1396 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1397 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1398 0 \
1399 -C "client hello, adding renegotiation extension" \
1400 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1401 -S "found renegotiation extension" \
1402 -s "server hello, secure renegotiation extension" \
1403 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1404 -C "=> renegotiate" \
1405 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1406 -S "write hello request"
1407
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1408run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1409 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1410 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1411 0 \
1412 -c "client hello, adding renegotiation extension" \
1413 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1414 -s "found renegotiation extension" \
1415 -s "server hello, secure renegotiation extension" \
1416 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1417 -c "=> renegotiate" \
1418 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1419 -S "write hello request"
1420
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1421run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1422 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1423 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1424 0 \
1425 -c "client hello, adding renegotiation extension" \
1426 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1427 -s "found renegotiation extension" \
1428 -s "server hello, secure renegotiation extension" \
1429 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1430 -c "=> renegotiate" \
1431 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1432 -s "write hello request"
1433
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1434run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1435 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1436 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1437 0 \
1438 -c "client hello, adding renegotiation extension" \
1439 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1440 -s "found renegotiation extension" \
1441 -s "server hello, secure renegotiation extension" \
1442 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1443 -c "=> renegotiate" \
1444 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1445 -s "write hello request"
1446
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1447run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1448 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1449 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1450 1 \
1451 -c "client hello, adding renegotiation extension" \
1452 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1453 -S "found renegotiation extension" \
1454 -s "server hello, secure renegotiation extension" \
1455 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1456 -c "=> renegotiate" \
1457 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1458 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1459 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1460 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1461
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1462run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1463 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1464 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1465 0 \
1466 -C "client hello, adding renegotiation extension" \
1467 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1468 -S "found renegotiation extension" \
1469 -s "server hello, secure renegotiation extension" \
1470 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1471 -C "=> renegotiate" \
1472 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1473 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1474 -S "SSL - An unexpected message was received from our peer" \
1475 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1476
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1477run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1478 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1479 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1480 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1481 0 \
1482 -C "client hello, adding renegotiation extension" \
1483 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1484 -S "found renegotiation extension" \
1485 -s "server hello, secure renegotiation extension" \
1486 -c "found renegotiation extension" \
1487 -C "=> renegotiate" \
1488 -S "=> renegotiate" \
1489 -s "write hello request" \
1490 -S "SSL - An unexpected message was received from our peer" \
1491 -S "failed"
1492
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1493# delay 2 for 1 alert record + 1 application data record
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1494run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1495 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1496 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1497 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1498 0 \
1499 -C "client hello, adding renegotiation extension" \
1500 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1501 -S "found renegotiation extension" \
1502 -s "server hello, secure renegotiation extension" \
1503 -c "found renegotiation extension" \
1504 -C "=> renegotiate" \
1505 -S "=> renegotiate" \
1506 -s "write hello request" \
1507 -S "SSL - An unexpected message was received from our peer" \
1508 -S "failed"
1509
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1510run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1511 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1512 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1513 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1514 0 \
1515 -C "client hello, adding renegotiation extension" \
1516 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1517 -S "found renegotiation extension" \
1518 -s "server hello, secure renegotiation extension" \
1519 -c "found renegotiation extension" \
1520 -C "=> renegotiate" \
1521 -S "=> renegotiate" \
1522 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1523 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1524
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1525run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1526 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1527 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1528 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1529 0 \
1530 -c "client hello, adding renegotiation extension" \
1531 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1532 -s "found renegotiation extension" \
1533 -s "server hello, secure renegotiation extension" \
1534 -c "found renegotiation extension" \
1535 -c "=> renegotiate" \
1536 -s "=> renegotiate" \
1537 -s "write hello request" \
1538 -S "SSL - An unexpected message was received from our peer" \
1539 -S "failed"
1540
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1541run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1542 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1543 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1544 0 \
1545 -C "client hello, adding renegotiation extension" \
1546 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1547 -S "found renegotiation extension" \
1548 -s "server hello, secure renegotiation extension" \
1549 -c "found renegotiation extension" \
1550 -S "record counter limit reached: renegotiate" \
1551 -C "=> renegotiate" \
1552 -S "=> renegotiate" \
1553 -S "write hello request" \
1554 -S "SSL - An unexpected message was received from our peer" \
1555 -S "failed"
1556
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1557# one extra exchange to be able to complete renego
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1558run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1559 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1560 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1561 0 \
1562 -c "client hello, adding renegotiation extension" \
1563 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1564 -s "found renegotiation extension" \
1565 -s "server hello, secure renegotiation extension" \
1566 -c "found renegotiation extension" \
1567 -s "record counter limit reached: renegotiate" \
1568 -c "=> renegotiate" \
1569 -s "=> renegotiate" \
1570 -s "write hello request" \
1571 -S "SSL - An unexpected message was received from our peer" \
1572 -S "failed"
1573
1574run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1575 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1576 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1577 0 \
1578 -c "client hello, adding renegotiation extension" \
1579 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1580 -s "found renegotiation extension" \
1581 -s "server hello, secure renegotiation extension" \
1582 -c "found renegotiation extension" \
1583 -s "record counter limit reached: renegotiate" \
1584 -c "=> renegotiate" \
1585 -s "=> renegotiate" \
1586 -s "write hello request" \
1587 -S "SSL - An unexpected message was received from our peer" \
1588 -S "failed"
1589
1590run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1591 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1592 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1593 0 \
1594 -C "client hello, adding renegotiation extension" \
1595 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1596 -S "found renegotiation extension" \
1597 -s "server hello, secure renegotiation extension" \
1598 -c "found renegotiation extension" \
1599 -S "record counter limit reached: renegotiate" \
1600 -C "=> renegotiate" \
1601 -S "=> renegotiate" \
1602 -S "write hello request" \
1603 -S "SSL - An unexpected message was received from our peer" \
1604 -S "failed"
1605
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1606run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1607 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1608 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1609 0 \
1610 -c "client hello, adding renegotiation extension" \
1611 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1612 -s "found renegotiation extension" \
1613 -s "server hello, secure renegotiation extension" \
1614 -c "found renegotiation extension" \
1615 -c "=> renegotiate" \
1616 -s "=> renegotiate" \
1617 -S "write hello request"
1618
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1619run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1620 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1621 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1622 0 \
1623 -c "client hello, adding renegotiation extension" \
1624 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1625 -s "found renegotiation extension" \
1626 -s "server hello, secure renegotiation extension" \
1627 -c "found renegotiation extension" \
1628 -c "=> renegotiate" \
1629 -s "=> renegotiate" \
1630 -s "write hello request"
1631
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1632run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1633 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1634 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1635 0 \
1636 -c "client hello, adding renegotiation extension" \
1637 -c "found renegotiation extension" \
1638 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1639 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1640 -C "error" \
1641 -c "HTTP/1.0 200 [Oo][Kk]"
1642
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1643requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1644run_test "Renegotiation: gnutls server strict, client-initiated" \
1645 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1646 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1647 0 \
1648 -c "client hello, adding renegotiation extension" \
1649 -c "found renegotiation extension" \
1650 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1651 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1652 -C "error" \
1653 -c "HTTP/1.0 200 [Oo][Kk]"
1654
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1655requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1656run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1657 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1658 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1659 1 \
1660 -c "client hello, adding renegotiation extension" \
1661 -C "found renegotiation extension" \
1662 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1663 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1664 -c "error" \
1665 -C "HTTP/1.0 200 [Oo][Kk]"
1666
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1667requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1668run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1669 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1670 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1671 allow_legacy=0" \
1672 1 \
1673 -c "client hello, adding renegotiation extension" \
1674 -C "found renegotiation extension" \
1675 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1677 -c "error" \
1678 -C "HTTP/1.0 200 [Oo][Kk]"
1679
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1680requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1681run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1682 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1683 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1684 allow_legacy=1" \
1685 0 \
1686 -c "client hello, adding renegotiation extension" \
1687 -C "found renegotiation extension" \
1688 -c "=> renegotiate" \
1689 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1690 -C "error" \
1691 -c "HTTP/1.0 200 [Oo][Kk]"
1692
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1693run_test "Renegotiation: DTLS, client-initiated" \
1694 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1695 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1696 0 \
1697 -c "client hello, adding renegotiation extension" \
1698 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1699 -s "found renegotiation extension" \
1700 -s "server hello, secure renegotiation extension" \
1701 -c "found renegotiation extension" \
1702 -c "=> renegotiate" \
1703 -s "=> renegotiate" \
1704 -S "write hello request"
1705
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1706run_test "Renegotiation: DTLS, server-initiated" \
1707 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1708 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1709 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1710 0 \
1711 -c "client hello, adding renegotiation extension" \
1712 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1713 -s "found renegotiation extension" \
1714 -s "server hello, secure renegotiation extension" \
1715 -c "found renegotiation extension" \
1716 -c "=> renegotiate" \
1717 -s "=> renegotiate" \
1718 -s "write hello request"
1719
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1720run_test "Renegotiation: DTLS, renego_period overflow" \
1721 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1722 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1723 0 \
1724 -c "client hello, adding renegotiation extension" \
1725 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1726 -s "found renegotiation extension" \
1727 -s "server hello, secure renegotiation extension" \
1728 -s "record counter limit reached: renegotiate" \
1729 -c "=> renegotiate" \
1730 -s "=> renegotiate" \
1731 -s "write hello request" \
1732
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1733requires_gnutls
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1734run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1735 "$G_SRV -u --mtu 4096" \
1736 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1737 0 \
1738 -c "client hello, adding renegotiation extension" \
1739 -c "found renegotiation extension" \
1740 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1741 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1742 -C "error" \
1743 -s "Extra-header:"
1744
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1745# Test for the "secure renegotation" extension only (no actual renegotiation)
1746
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1747requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1748run_test "Renego ext: gnutls server strict, client default" \
1749 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1750 "$P_CLI debug_level=3" \
1751 0 \
1752 -c "found renegotiation extension" \
1753 -C "error" \
1754 -c "HTTP/1.0 200 [Oo][Kk]"
1755
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1756requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1757run_test "Renego ext: gnutls server unsafe, client default" \
1758 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1759 "$P_CLI debug_level=3" \
1760 0 \
1761 -C "found renegotiation extension" \
1762 -C "error" \
1763 -c "HTTP/1.0 200 [Oo][Kk]"
1764
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1765requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1766run_test "Renego ext: gnutls server unsafe, client break legacy" \
1767 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1768 "$P_CLI debug_level=3 allow_legacy=-1" \
1769 1 \
1770 -C "found renegotiation extension" \
1771 -c "error" \
1772 -C "HTTP/1.0 200 [Oo][Kk]"
1773
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1774requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1775run_test "Renego ext: gnutls client strict, server default" \
1776 "$P_SRV debug_level=3" \
1777 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1778 0 \
1779 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1780 -s "server hello, secure renegotiation extension"
1781
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1782requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1783run_test "Renego ext: gnutls client unsafe, server default" \
1784 "$P_SRV debug_level=3" \
1785 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1786 0 \
1787 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1788 -S "server hello, secure renegotiation extension"
1789
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1790requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1791run_test "Renego ext: gnutls client unsafe, server break legacy" \
1792 "$P_SRV debug_level=3 allow_legacy=-1" \
1793 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1794 1 \
1795 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1796 -S "server hello, secure renegotiation extension"
1797
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]1798# Tests for silently dropping trailing extra bytes in .der certificates
1799
1800requires_gnutls
1801run_test "DER format: no trailing bytes" \
1802 "$P_SRV crt_file=data_files/server5-der0.crt \
1803 key_file=data_files/server5.key" \
1804 "$G_CLI " \
1805 0 \
1806 -c "Handshake was completed" \
1807
1808requires_gnutls
1809run_test "DER format: with a trailing zero byte" \
1810 "$P_SRV crt_file=data_files/server5-der1a.crt \
1811 key_file=data_files/server5.key" \
1812 "$G_CLI " \
1813 0 \
1814 -c "Handshake was completed" \
1815
1816requires_gnutls
1817run_test "DER format: with a trailing random byte" \
1818 "$P_SRV crt_file=data_files/server5-der1b.crt \
1819 key_file=data_files/server5.key" \
1820 "$G_CLI " \
1821 0 \
1822 -c "Handshake was completed" \
1823
1824requires_gnutls
1825run_test "DER format: with 2 trailing random bytes" \
1826 "$P_SRV crt_file=data_files/server5-der2.crt \
1827 key_file=data_files/server5.key" \
1828 "$G_CLI " \
1829 0 \
1830 -c "Handshake was completed" \
1831
1832requires_gnutls
1833run_test "DER format: with 4 trailing random bytes" \
1834 "$P_SRV crt_file=data_files/server5-der4.crt \
1835 key_file=data_files/server5.key" \
1836 "$G_CLI " \
1837 0 \
1838 -c "Handshake was completed" \
1839
1840requires_gnutls
1841run_test "DER format: with 8 trailing random bytes" \
1842 "$P_SRV crt_file=data_files/server5-der8.crt \
1843 key_file=data_files/server5.key" \
1844 "$G_CLI " \
1845 0 \
1846 -c "Handshake was completed" \
1847
1848requires_gnutls
1849run_test "DER format: with 9 trailing random bytes" \
1850 "$P_SRV crt_file=data_files/server5-der9.crt \
1851 key_file=data_files/server5.key" \
1852 "$G_CLI " \
1853 0 \
1854 -c "Handshake was completed" \
1855
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1856# Tests for auth_mode
1857
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1858run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1859 "$P_SRV crt_file=data_files/server5-badsign.crt \
1860 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1861 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1862 1 \
1863 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1864 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1865 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1866 -c "X509 - Certificate verification failed"
1867
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1868run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1869 "$P_SRV crt_file=data_files/server5-badsign.crt \
1870 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1871 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1872 0 \
1873 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1874 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1875 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1876 -C "X509 - Certificate verification failed"
1877
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]1878run_test "Authentication: server goodcert, client optional, no trusted CA" \
1879 "$P_SRV" \
1880 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1881 0 \
1882 -c "x509_verify_cert() returned" \
1883 -c "! The certificate is not correctly signed by the trusted CA" \
1884 -c "! Certificate verification flags"\
1885 -C "! mbedtls_ssl_handshake returned" \
1886 -C "X509 - Certificate verification failed" \
1887 -C "SSL - No CA Chain is set, but required to operate"
1888
1889run_test "Authentication: server goodcert, client required, no trusted CA" \
1890 "$P_SRV" \
1891 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1892 1 \
1893 -c "x509_verify_cert() returned" \
1894 -c "! The certificate is not correctly signed by the trusted CA" \
1895 -c "! Certificate verification flags"\
1896 -c "! mbedtls_ssl_handshake returned" \
1897 -c "SSL - No CA Chain is set, but required to operate"
1898
1899# The purpose of the next two tests is to test the client's behaviour when receiving a server
1900# certificate with an unsupported elliptic curve. This should usually not happen because
1901# the client informs the server about the supported curves - it does, though, in the
1902# corner case of a static ECDH suite, because the server doesn't check the curve on that
1903# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1904# different means to have the server ignoring the client's supported curve list.
1905
1906requires_config_enabled MBEDTLS_ECP_C
1907run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1908 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1909 crt_file=data_files/server5.ku-ka.crt" \
1910 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1911 1 \
1912 -c "bad certificate (EC key curve)"\
1913 -c "! Certificate verification flags"\
1914 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1915
1916requires_config_enabled MBEDTLS_ECP_C
1917run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1918 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1919 crt_file=data_files/server5.ku-ka.crt" \
1920 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1921 1 \
1922 -c "bad certificate (EC key curve)"\
1923 -c "! Certificate verification flags"\
1924 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1925
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1926run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1927 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1928 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1929 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1930 0 \
1931 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1932 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1933 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1934 -C "X509 - Certificate verification failed"
1935
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]1936run_test "Authentication: client SHA256, server required" \
1937 "$P_SRV auth_mode=required" \
1938 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
1939 key_file=data_files/server6.key \
1940 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1941 0 \
1942 -c "Supported Signature Algorithm found: 4," \
1943 -c "Supported Signature Algorithm found: 5,"
1944
1945run_test "Authentication: client SHA384, server required" \
1946 "$P_SRV auth_mode=required" \
1947 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
1948 key_file=data_files/server6.key \
1949 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
1950 0 \
1951 -c "Supported Signature Algorithm found: 4," \
1952 -c "Supported Signature Algorithm found: 5,"
1953
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]1954requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
1955run_test "Authentication: client has no cert, server required (SSLv3)" \
1956 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
1957 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
1958 key_file=data_files/server5.key" \
1959 1 \
1960 -S "skip write certificate request" \
1961 -C "skip parse certificate request" \
1962 -c "got a certificate request" \
1963 -c "got no certificate to send" \
1964 -S "x509_verify_cert() returned" \
1965 -s "client has no certificate" \
1966 -s "! mbedtls_ssl_handshake returned" \
1967 -c "! mbedtls_ssl_handshake returned" \
1968 -s "No client certification received from the client, but required by the authentication mode"
1969
1970run_test "Authentication: client has no cert, server required (TLS)" \
1971 "$P_SRV debug_level=3 auth_mode=required" \
1972 "$P_CLI debug_level=3 crt_file=none \
1973 key_file=data_files/server5.key" \
1974 1 \
1975 -S "skip write certificate request" \
1976 -C "skip parse certificate request" \
1977 -c "got a certificate request" \
1978 -c "= write certificate$" \
1979 -C "skip write certificate$" \
1980 -S "x509_verify_cert() returned" \
1981 -s "client has no certificate" \
1982 -s "! mbedtls_ssl_handshake returned" \
1983 -c "! mbedtls_ssl_handshake returned" \
1984 -s "No client certification received from the client, but required by the authentication mode"
1985
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1986run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1987 "$P_SRV debug_level=3 auth_mode=required" \
1988 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1989 key_file=data_files/server5.key" \
1990 1 \
1991 -S "skip write certificate request" \
1992 -C "skip parse certificate request" \
1993 -c "got a certificate request" \
1994 -C "skip write certificate" \
1995 -C "skip write certificate verify" \
1996 -S "skip parse certificate verify" \
1997 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]1998 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1999 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2000 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2001 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2002 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2003# We don't check that the client receives the alert because it might
2004# detect that its write end of the connection is closed and abort
2005# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2006
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2007run_test "Authentication: client cert not trusted, server required" \
2008 "$P_SRV debug_level=3 auth_mode=required" \
2009 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2010 key_file=data_files/server5.key" \
2011 1 \
2012 -S "skip write certificate request" \
2013 -C "skip parse certificate request" \
2014 -c "got a certificate request" \
2015 -C "skip write certificate" \
2016 -C "skip write certificate verify" \
2017 -S "skip parse certificate verify" \
2018 -s "x509_verify_cert() returned" \
2019 -s "! The certificate is not correctly signed by the trusted CA" \
2020 -s "! mbedtls_ssl_handshake returned" \
2021 -c "! mbedtls_ssl_handshake returned" \
2022 -s "X509 - Certificate verification failed"
2023
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2024run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2025 "$P_SRV debug_level=3 auth_mode=optional" \
2026 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2027 key_file=data_files/server5.key" \
2028 0 \
2029 -S "skip write certificate request" \
2030 -C "skip parse certificate request" \
2031 -c "got a certificate request" \
2032 -C "skip write certificate" \
2033 -C "skip write certificate verify" \
2034 -S "skip parse certificate verify" \
2035 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2036 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037 -S "! mbedtls_ssl_handshake returned" \
2038 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2039 -S "X509 - Certificate verification failed"
2040
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2041run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2042 "$P_SRV debug_level=3 auth_mode=none" \
2043 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2044 key_file=data_files/server5.key" \
2045 0 \
2046 -s "skip write certificate request" \
2047 -C "skip parse certificate request" \
2048 -c "got no certificate request" \
2049 -c "skip write certificate" \
2050 -c "skip write certificate verify" \
2051 -s "skip parse certificate verify" \
2052 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2053 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2054 -S "! mbedtls_ssl_handshake returned" \
2055 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2056 -S "X509 - Certificate verification failed"
2057
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2058run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2059 "$P_SRV debug_level=3 auth_mode=optional" \
2060 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2061 0 \
2062 -S "skip write certificate request" \
2063 -C "skip parse certificate request" \
2064 -c "got a certificate request" \
2065 -C "skip write certificate$" \
2066 -C "got no certificate to send" \
2067 -S "SSLv3 client has no certificate" \
2068 -c "skip write certificate verify" \
2069 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2070 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2071 -S "! mbedtls_ssl_handshake returned" \
2072 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2073 -S "X509 - Certificate verification failed"
2074
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2075run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2076 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2077 "$O_CLI" \
2078 0 \
2079 -S "skip write certificate request" \
2080 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2081 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2082 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2083 -S "X509 - Certificate verification failed"
2084
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2085run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2086 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2087 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2088 0 \
2089 -C "skip parse certificate request" \
2090 -c "got a certificate request" \
2091 -C "skip write certificate$" \
2092 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2093 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2094
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2095run_test "Authentication: client no cert, openssl server required" \
2096 "$O_SRV -Verify 10" \
2097 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2098 1 \
2099 -C "skip parse certificate request" \
2100 -c "got a certificate request" \
2101 -C "skip write certificate$" \
2102 -c "skip write certificate verify" \
2103 -c "! mbedtls_ssl_handshake returned"
2104
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2105requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2106run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2107 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2108 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2109 0 \
2110 -S "skip write certificate request" \
2111 -C "skip parse certificate request" \
2112 -c "got a certificate request" \
2113 -C "skip write certificate$" \
2114 -c "skip write certificate verify" \
2115 -c "got no certificate to send" \
2116 -s "SSLv3 client has no certificate" \
2117 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2118 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2119 -S "! mbedtls_ssl_handshake returned" \
2120 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2121 -S "X509 - Certificate verification failed"
2122
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2123# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2124# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2125
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2126MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2127MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2128
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2129if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2130 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2131 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2132 printf "test value of ${MAX_IM_CA}. \n"
2133 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2134 printf "The tests assume this value and if it changes, the tests in this\n"
2135 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2136 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2137
2138 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2139fi
2140
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2141run_test "Authentication: server max_int chain, client default" \
2142 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2143 key_file=data_files/dir-maxpath/09.key" \
2144 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2145 0 \
2146 -C "X509 - A fatal error occured"
2147
2148run_test "Authentication: server max_int+1 chain, client default" \
2149 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2150 key_file=data_files/dir-maxpath/10.key" \
2151 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2152 1 \
2153 -c "X509 - A fatal error occured"
2154
2155run_test "Authentication: server max_int+1 chain, client optional" \
2156 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2157 key_file=data_files/dir-maxpath/10.key" \
2158 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2159 auth_mode=optional" \
2160 1 \
2161 -c "X509 - A fatal error occured"
2162
2163run_test "Authentication: server max_int+1 chain, client none" \
2164 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2165 key_file=data_files/dir-maxpath/10.key" \
2166 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2167 auth_mode=none" \
2168 0 \
2169 -C "X509 - A fatal error occured"
2170
2171run_test "Authentication: client max_int+1 chain, server default" \
2172 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2173 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2174 key_file=data_files/dir-maxpath/10.key" \
2175 0 \
2176 -S "X509 - A fatal error occured"
2177
2178run_test "Authentication: client max_int+1 chain, server optional" \
2179 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2180 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2181 key_file=data_files/dir-maxpath/10.key" \
2182 1 \
2183 -s "X509 - A fatal error occured"
2184
2185run_test "Authentication: client max_int+1 chain, server required" \
2186 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2187 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2188 key_file=data_files/dir-maxpath/10.key" \
2189 1 \
2190 -s "X509 - A fatal error occured"
2191
2192run_test "Authentication: client max_int chain, server required" \
2193 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2194 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2195 key_file=data_files/dir-maxpath/09.key" \
2196 0 \
2197 -S "X509 - A fatal error occured"
2198
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2199# Tests for CA list in CertificateRequest messages
2200
2201run_test "Authentication: send CA list in CertificateRequest (default)" \
2202 "$P_SRV debug_level=3 auth_mode=required" \
2203 "$P_CLI crt_file=data_files/server6.crt \
2204 key_file=data_files/server6.key" \
2205 0 \
2206 -s "requested DN"
2207
2208run_test "Authentication: do not send CA list in CertificateRequest" \
2209 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2210 "$P_CLI crt_file=data_files/server6.crt \
2211 key_file=data_files/server6.key" \
2212 0 \
2213 -S "requested DN"
2214
2215run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2216 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2217 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2218 key_file=data_files/server5.key" \
2219 1 \
2220 -S "requested DN" \
2221 -s "x509_verify_cert() returned" \
2222 -s "! The certificate is not correctly signed by the trusted CA" \
2223 -s "! mbedtls_ssl_handshake returned" \
2224 -c "! mbedtls_ssl_handshake returned" \
2225 -s "X509 - Certificate verification failed"
2226
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2227# Tests for certificate selection based on SHA verson
2228
2229run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2230 "$P_SRV crt_file=data_files/server5.crt \
2231 key_file=data_files/server5.key \
2232 crt_file2=data_files/server5-sha1.crt \
2233 key_file2=data_files/server5.key" \
2234 "$P_CLI force_version=tls1_2" \
2235 0 \
2236 -c "signed using.*ECDSA with SHA256" \
2237 -C "signed using.*ECDSA with SHA1"
2238
2239run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2240 "$P_SRV crt_file=data_files/server5.crt \
2241 key_file=data_files/server5.key \
2242 crt_file2=data_files/server5-sha1.crt \
2243 key_file2=data_files/server5.key" \
2244 "$P_CLI force_version=tls1_1" \
2245 0 \
2246 -C "signed using.*ECDSA with SHA256" \
2247 -c "signed using.*ECDSA with SHA1"
2248
2249run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2250 "$P_SRV crt_file=data_files/server5.crt \
2251 key_file=data_files/server5.key \
2252 crt_file2=data_files/server5-sha1.crt \
2253 key_file2=data_files/server5.key" \
2254 "$P_CLI force_version=tls1" \
2255 0 \
2256 -C "signed using.*ECDSA with SHA256" \
2257 -c "signed using.*ECDSA with SHA1"
2258
2259run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2260 "$P_SRV crt_file=data_files/server5.crt \
2261 key_file=data_files/server5.key \
2262 crt_file2=data_files/server6.crt \
2263 key_file2=data_files/server6.key" \
2264 "$P_CLI force_version=tls1_1" \
2265 0 \
2266 -c "serial number.*09" \
2267 -c "signed using.*ECDSA with SHA256" \
2268 -C "signed using.*ECDSA with SHA1"
2269
2270run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2271 "$P_SRV crt_file=data_files/server6.crt \
2272 key_file=data_files/server6.key \
2273 crt_file2=data_files/server5.crt \
2274 key_file2=data_files/server5.key" \
2275 "$P_CLI force_version=tls1_1" \
2276 0 \
2277 -c "serial number.*0A" \
2278 -c "signed using.*ECDSA with SHA256" \
2279 -C "signed using.*ECDSA with SHA1"
2280
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2281# tests for SNI
2282
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2283run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2284 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2285 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2286 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2287 0 \
2288 -S "parse ServerName extension" \
2289 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2290 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2291
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2292run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2293 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2294 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2295 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2296 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2297 0 \
2298 -s "parse ServerName extension" \
2299 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2300 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2301
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2302run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2303 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2304 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2305 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2306 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2307 0 \
2308 -s "parse ServerName extension" \
2309 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2310 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2311
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2312run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2313 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2314 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2315 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2316 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2317 1 \
2318 -s "parse ServerName extension" \
2319 -s "ssl_sni_wrapper() returned" \
2320 -s "mbedtls_ssl_handshake returned" \
2321 -c "mbedtls_ssl_handshake returned" \
2322 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2323
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2324run_test "SNI: client auth no override: optional" \
2325 "$P_SRV debug_level=3 auth_mode=optional \
2326 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2327 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2328 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2329 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2330 -S "skip write certificate request" \
2331 -C "skip parse certificate request" \
2332 -c "got a certificate request" \
2333 -C "skip write certificate" \
2334 -C "skip write certificate verify" \
2335 -S "skip parse certificate verify"
2336
2337run_test "SNI: client auth override: none -> optional" \
2338 "$P_SRV debug_level=3 auth_mode=none \
2339 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2340 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2341 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2342 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2343 -S "skip write certificate request" \
2344 -C "skip parse certificate request" \
2345 -c "got a certificate request" \
2346 -C "skip write certificate" \
2347 -C "skip write certificate verify" \
2348 -S "skip parse certificate verify"
2349
2350run_test "SNI: client auth override: optional -> none" \
2351 "$P_SRV debug_level=3 auth_mode=optional \
2352 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2353 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2354 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2355 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2356 -s "skip write certificate request" \
2357 -C "skip parse certificate request" \
2358 -c "got no certificate request" \
2359 -c "skip write certificate" \
2360 -c "skip write certificate verify" \
2361 -s "skip parse certificate verify"
2362
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2363run_test "SNI: CA no override" \
2364 "$P_SRV debug_level=3 auth_mode=optional \
2365 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2366 ca_file=data_files/test-ca.crt \
2367 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2368 "$P_CLI debug_level=3 server_name=localhost \
2369 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2370 1 \
2371 -S "skip write certificate request" \
2372 -C "skip parse certificate request" \
2373 -c "got a certificate request" \
2374 -C "skip write certificate" \
2375 -C "skip write certificate verify" \
2376 -S "skip parse certificate verify" \
2377 -s "x509_verify_cert() returned" \
2378 -s "! The certificate is not correctly signed by the trusted CA" \
2379 -S "The certificate has been revoked (is on a CRL)"
2380
2381run_test "SNI: CA override" \
2382 "$P_SRV debug_level=3 auth_mode=optional \
2383 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2384 ca_file=data_files/test-ca.crt \
2385 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2386 "$P_CLI debug_level=3 server_name=localhost \
2387 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2388 0 \
2389 -S "skip write certificate request" \
2390 -C "skip parse certificate request" \
2391 -c "got a certificate request" \
2392 -C "skip write certificate" \
2393 -C "skip write certificate verify" \
2394 -S "skip parse certificate verify" \
2395 -S "x509_verify_cert() returned" \
2396 -S "! The certificate is not correctly signed by the trusted CA" \
2397 -S "The certificate has been revoked (is on a CRL)"
2398
2399run_test "SNI: CA override with CRL" \
2400 "$P_SRV debug_level=3 auth_mode=optional \
2401 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2402 ca_file=data_files/test-ca.crt \
2403 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2404 "$P_CLI debug_level=3 server_name=localhost \
2405 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2406 1 \
2407 -S "skip write certificate request" \
2408 -C "skip parse certificate request" \
2409 -c "got a certificate request" \
2410 -C "skip write certificate" \
2411 -C "skip write certificate verify" \
2412 -S "skip parse certificate verify" \
2413 -s "x509_verify_cert() returned" \
2414 -S "! The certificate is not correctly signed by the trusted CA" \
2415 -s "The certificate has been revoked (is on a CRL)"
2416
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2417# Tests for non-blocking I/O: exercise a variety of handshake flows
2418
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2419run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2420 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2421 "$P_CLI nbio=2 tickets=0" \
2422 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2423 -S "mbedtls_ssl_handshake returned" \
2424 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2425 -c "Read from server: .* bytes read"
2426
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2427run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2428 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2429 "$P_CLI nbio=2 tickets=0" \
2430 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2431 -S "mbedtls_ssl_handshake returned" \
2432 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2433 -c "Read from server: .* bytes read"
2434
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2435run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2436 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2437 "$P_CLI nbio=2 tickets=1" \
2438 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2439 -S "mbedtls_ssl_handshake returned" \
2440 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2441 -c "Read from server: .* bytes read"
2442
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2443run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2444 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2445 "$P_CLI nbio=2 tickets=1" \
2446 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2447 -S "mbedtls_ssl_handshake returned" \
2448 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2449 -c "Read from server: .* bytes read"
2450
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2451run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2452 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2453 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2454 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2455 -S "mbedtls_ssl_handshake returned" \
2456 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2457 -c "Read from server: .* bytes read"
2458
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2459run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2460 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2461 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2462 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2463 -S "mbedtls_ssl_handshake returned" \
2464 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2465 -c "Read from server: .* bytes read"
2466
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2467run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2468 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2469 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2470 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2471 -S "mbedtls_ssl_handshake returned" \
2472 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2473 -c "Read from server: .* bytes read"
2474
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2475# Tests for version negotiation
2476
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2477run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2478 "$P_SRV" \
2479 "$P_CLI" \
2480 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2481 -S "mbedtls_ssl_handshake returned" \
2482 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2483 -s "Protocol is TLSv1.2" \
2484 -c "Protocol is TLSv1.2"
2485
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2486run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2487 "$P_SRV" \
2488 "$P_CLI max_version=tls1_1" \
2489 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2490 -S "mbedtls_ssl_handshake returned" \
2491 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2492 -s "Protocol is TLSv1.1" \
2493 -c "Protocol is TLSv1.1"
2494
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2495run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2496 "$P_SRV max_version=tls1_1" \
2497 "$P_CLI" \
2498 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2499 -S "mbedtls_ssl_handshake returned" \
2500 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2501 -s "Protocol is TLSv1.1" \
2502 -c "Protocol is TLSv1.1"
2503
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2504run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2505 "$P_SRV max_version=tls1_1" \
2506 "$P_CLI max_version=tls1_1" \
2507 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2508 -S "mbedtls_ssl_handshake returned" \
2509 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2510 -s "Protocol is TLSv1.1" \
2511 -c "Protocol is TLSv1.1"
2512
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2513run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2514 "$P_SRV min_version=tls1_1" \
2515 "$P_CLI max_version=tls1_1" \
2516 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2517 -S "mbedtls_ssl_handshake returned" \
2518 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2519 -s "Protocol is TLSv1.1" \
2520 -c "Protocol is TLSv1.1"
2521
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2522run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2523 "$P_SRV max_version=tls1_1" \
2524 "$P_CLI min_version=tls1_1" \
2525 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2526 -S "mbedtls_ssl_handshake returned" \
2527 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2528 -s "Protocol is TLSv1.1" \
2529 -c "Protocol is TLSv1.1"
2530
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2531run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2532 "$P_SRV max_version=tls1_1" \
2533 "$P_CLI min_version=tls1_2" \
2534 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2535 -s "mbedtls_ssl_handshake returned" \
2536 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2537 -c "SSL - Handshake protocol not within min/max boundaries"
2538
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2539run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2540 "$P_SRV min_version=tls1_2" \
2541 "$P_CLI max_version=tls1_1" \
2542 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2543 -s "mbedtls_ssl_handshake returned" \
2544 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2545 -s "SSL - Handshake protocol not within min/max boundaries"
2546
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2547# Tests for ALPN extension
2548
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2549run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2550 "$P_SRV debug_level=3" \
2551 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2552 0 \
2553 -C "client hello, adding alpn extension" \
2554 -S "found alpn extension" \
2555 -C "got an alert message, type: \\[2:120]" \
2556 -S "server hello, adding alpn extension" \
2557 -C "found alpn extension " \
2558 -C "Application Layer Protocol is" \
2559 -S "Application Layer Protocol is"
2560
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2561run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2562 "$P_SRV debug_level=3" \
2563 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2564 0 \
2565 -c "client hello, adding alpn extension" \
2566 -s "found alpn extension" \
2567 -C "got an alert message, type: \\[2:120]" \
2568 -S "server hello, adding alpn extension" \
2569 -C "found alpn extension " \
2570 -c "Application Layer Protocol is (none)" \
2571 -S "Application Layer Protocol is"
2572
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2573run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2574 "$P_SRV debug_level=3 alpn=abc,1234" \
2575 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2576 0 \
2577 -C "client hello, adding alpn extension" \
2578 -S "found alpn extension" \
2579 -C "got an alert message, type: \\[2:120]" \
2580 -S "server hello, adding alpn extension" \
2581 -C "found alpn extension " \
2582 -C "Application Layer Protocol is" \
2583 -s "Application Layer Protocol is (none)"
2584
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2585run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2586 "$P_SRV debug_level=3 alpn=abc,1234" \
2587 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2588 0 \
2589 -c "client hello, adding alpn extension" \
2590 -s "found alpn extension" \
2591 -C "got an alert message, type: \\[2:120]" \
2592 -s "server hello, adding alpn extension" \
2593 -c "found alpn extension" \
2594 -c "Application Layer Protocol is abc" \
2595 -s "Application Layer Protocol is abc"
2596
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2597run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2598 "$P_SRV debug_level=3 alpn=abc,1234" \
2599 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2600 0 \
2601 -c "client hello, adding alpn extension" \
2602 -s "found alpn extension" \
2603 -C "got an alert message, type: \\[2:120]" \
2604 -s "server hello, adding alpn extension" \
2605 -c "found alpn extension" \
2606 -c "Application Layer Protocol is abc" \
2607 -s "Application Layer Protocol is abc"
2608
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2609run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2610 "$P_SRV debug_level=3 alpn=abc,1234" \
2611 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2612 0 \
2613 -c "client hello, adding alpn extension" \
2614 -s "found alpn extension" \
2615 -C "got an alert message, type: \\[2:120]" \
2616 -s "server hello, adding alpn extension" \
2617 -c "found alpn extension" \
2618 -c "Application Layer Protocol is 1234" \
2619 -s "Application Layer Protocol is 1234"
2620
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2621run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2622 "$P_SRV debug_level=3 alpn=abc,123" \
2623 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2624 1 \
2625 -c "client hello, adding alpn extension" \
2626 -s "found alpn extension" \
2627 -c "got an alert message, type: \\[2:120]" \
2628 -S "server hello, adding alpn extension" \
2629 -C "found alpn extension" \
2630 -C "Application Layer Protocol is 1234" \
2631 -S "Application Layer Protocol is 1234"
2632
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2633
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2634# Tests for keyUsage in leaf certificates, part 1:
2635# server-side certificate/suite selection
2636
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2637run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2638 "$P_SRV key_file=data_files/server2.key \
2639 crt_file=data_files/server2.ku-ds.crt" \
2640 "$P_CLI" \
2641 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2642 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2643
2644
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2645run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2646 "$P_SRV key_file=data_files/server2.key \
2647 crt_file=data_files/server2.ku-ke.crt" \
2648 "$P_CLI" \
2649 0 \
2650 -c "Ciphersuite is TLS-RSA-WITH-"
2651
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2652run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2653 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2654 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2655 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2656 1 \
2657 -C "Ciphersuite is "
2658
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2659run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2660 "$P_SRV key_file=data_files/server5.key \
2661 crt_file=data_files/server5.ku-ds.crt" \
2662 "$P_CLI" \
2663 0 \
2664 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2665
2666
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2667run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2668 "$P_SRV key_file=data_files/server5.key \
2669 crt_file=data_files/server5.ku-ka.crt" \
2670 "$P_CLI" \
2671 0 \
2672 -c "Ciphersuite is TLS-ECDH-"
2673
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2674run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2675 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2676 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2677 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2678 1 \
2679 -C "Ciphersuite is "
2680
2681# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2682# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2683
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2684run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2685 "$O_SRV -key data_files/server2.key \
2686 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2687 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2688 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2689 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2690 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2691 -C "Processing of the Certificate handshake message failed" \
2692 -c "Ciphersuite is TLS-"
2693
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2694run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2695 "$O_SRV -key data_files/server2.key \
2696 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2697 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2698 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2699 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2700 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2701 -C "Processing of the Certificate handshake message failed" \
2702 -c "Ciphersuite is TLS-"
2703
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2704run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2705 "$O_SRV -key data_files/server2.key \
2706 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2707 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2708 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2709 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2710 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2711 -C "Processing of the Certificate handshake message failed" \
2712 -c "Ciphersuite is TLS-"
2713
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2714run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2715 "$O_SRV -key data_files/server2.key \
2716 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2717 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2718 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2719 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2720 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2721 -c "Processing of the Certificate handshake message failed" \
2722 -C "Ciphersuite is TLS-"
2723
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2724run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2725 "$O_SRV -key data_files/server2.key \
2726 -cert data_files/server2.ku-ke.crt" \
2727 "$P_CLI debug_level=1 auth_mode=optional \
2728 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2729 0 \
2730 -c "bad certificate (usage extensions)" \
2731 -C "Processing of the Certificate handshake message failed" \
2732 -c "Ciphersuite is TLS-" \
2733 -c "! Usage does not match the keyUsage extension"
2734
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2735run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2736 "$O_SRV -key data_files/server2.key \
2737 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2738 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2739 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2740 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2741 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2742 -C "Processing of the Certificate handshake message failed" \
2743 -c "Ciphersuite is TLS-"
2744
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2745run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2746 "$O_SRV -key data_files/server2.key \
2747 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2748 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2749 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2750 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2751 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2752 -c "Processing of the Certificate handshake message failed" \
2753 -C "Ciphersuite is TLS-"
2754
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2755run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2756 "$O_SRV -key data_files/server2.key \
2757 -cert data_files/server2.ku-ds.crt" \
2758 "$P_CLI debug_level=1 auth_mode=optional \
2759 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2760 0 \
2761 -c "bad certificate (usage extensions)" \
2762 -C "Processing of the Certificate handshake message failed" \
2763 -c "Ciphersuite is TLS-" \
2764 -c "! Usage does not match the keyUsage extension"
2765
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2766# Tests for keyUsage in leaf certificates, part 3:
2767# server-side checking of client cert
2768
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2769run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2770 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2771 "$O_CLI -key data_files/server2.key \
2772 -cert data_files/server2.ku-ds.crt" \
2773 0 \
2774 -S "bad certificate (usage extensions)" \
2775 -S "Processing of the Certificate handshake message failed"
2776
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2777run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2778 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2779 "$O_CLI -key data_files/server2.key \
2780 -cert data_files/server2.ku-ke.crt" \
2781 0 \
2782 -s "bad certificate (usage extensions)" \
2783 -S "Processing of the Certificate handshake message failed"
2784
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2785run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2786 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2787 "$O_CLI -key data_files/server2.key \
2788 -cert data_files/server2.ku-ke.crt" \
2789 1 \
2790 -s "bad certificate (usage extensions)" \
2791 -s "Processing of the Certificate handshake message failed"
2792
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2793run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2794 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2795 "$O_CLI -key data_files/server5.key \
2796 -cert data_files/server5.ku-ds.crt" \
2797 0 \
2798 -S "bad certificate (usage extensions)" \
2799 -S "Processing of the Certificate handshake message failed"
2800
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2801run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2802 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2803 "$O_CLI -key data_files/server5.key \
2804 -cert data_files/server5.ku-ka.crt" \
2805 0 \
2806 -s "bad certificate (usage extensions)" \
2807 -S "Processing of the Certificate handshake message failed"
2808
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2809# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2810
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2811run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2812 "$P_SRV key_file=data_files/server5.key \
2813 crt_file=data_files/server5.eku-srv.crt" \
2814 "$P_CLI" \
2815 0
2816
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2817run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2818 "$P_SRV key_file=data_files/server5.key \
2819 crt_file=data_files/server5.eku-srv.crt" \
2820 "$P_CLI" \
2821 0
2822
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2823run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2824 "$P_SRV key_file=data_files/server5.key \
2825 crt_file=data_files/server5.eku-cs_any.crt" \
2826 "$P_CLI" \
2827 0
2828
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2829run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2830 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2831 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2832 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2833 1
2834
2835# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2836
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2837run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2838 "$O_SRV -key data_files/server5.key \
2839 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2840 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2841 0 \
2842 -C "bad certificate (usage extensions)" \
2843 -C "Processing of the Certificate handshake message failed" \
2844 -c "Ciphersuite is TLS-"
2845
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2846run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2847 "$O_SRV -key data_files/server5.key \
2848 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2849 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2850 0 \
2851 -C "bad certificate (usage extensions)" \
2852 -C "Processing of the Certificate handshake message failed" \
2853 -c "Ciphersuite is TLS-"
2854
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2855run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2856 "$O_SRV -key data_files/server5.key \
2857 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2858 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2859 0 \
2860 -C "bad certificate (usage extensions)" \
2861 -C "Processing of the Certificate handshake message failed" \
2862 -c "Ciphersuite is TLS-"
2863
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2864run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2865 "$O_SRV -key data_files/server5.key \
2866 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2867 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2868 1 \
2869 -c "bad certificate (usage extensions)" \
2870 -c "Processing of the Certificate handshake message failed" \
2871 -C "Ciphersuite is TLS-"
2872
2873# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2874
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2875run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2876 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2877 "$O_CLI -key data_files/server5.key \
2878 -cert data_files/server5.eku-cli.crt" \
2879 0 \
2880 -S "bad certificate (usage extensions)" \
2881 -S "Processing of the Certificate handshake message failed"
2882
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2883run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2884 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2885 "$O_CLI -key data_files/server5.key \
2886 -cert data_files/server5.eku-srv_cli.crt" \
2887 0 \
2888 -S "bad certificate (usage extensions)" \
2889 -S "Processing of the Certificate handshake message failed"
2890
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2891run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2892 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2893 "$O_CLI -key data_files/server5.key \
2894 -cert data_files/server5.eku-cs_any.crt" \
2895 0 \
2896 -S "bad certificate (usage extensions)" \
2897 -S "Processing of the Certificate handshake message failed"
2898
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2899run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2900 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2901 "$O_CLI -key data_files/server5.key \
2902 -cert data_files/server5.eku-cs.crt" \
2903 0 \
2904 -s "bad certificate (usage extensions)" \
2905 -S "Processing of the Certificate handshake message failed"
2906
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2907run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2908 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2909 "$O_CLI -key data_files/server5.key \
2910 -cert data_files/server5.eku-cs.crt" \
2911 1 \
2912 -s "bad certificate (usage extensions)" \
2913 -s "Processing of the Certificate handshake message failed"
2914
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2915# Tests for DHM parameters loading
2916
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2917run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2918 "$P_SRV" \
2919 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2920 debug_level=3" \
2921 0 \
2922 -c "value of 'DHM: P ' (2048 bits)" \
2923 -c "value of 'DHM: G ' (2048 bits)"
2924
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2925run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2926 "$P_SRV dhm_file=data_files/dhparams.pem" \
2927 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2928 debug_level=3" \
2929 0 \
2930 -c "value of 'DHM: P ' (1024 bits)" \
2931 -c "value of 'DHM: G ' (2 bits)"
2932
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]2933# Tests for DHM client-side size checking
2934
2935run_test "DHM size: server default, client default, OK" \
2936 "$P_SRV" \
2937 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2938 debug_level=1" \
2939 0 \
2940 -C "DHM prime too short:"
2941
2942run_test "DHM size: server default, client 2048, OK" \
2943 "$P_SRV" \
2944 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2945 debug_level=1 dhmlen=2048" \
2946 0 \
2947 -C "DHM prime too short:"
2948
2949run_test "DHM size: server 1024, client default, OK" \
2950 "$P_SRV dhm_file=data_files/dhparams.pem" \
2951 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2952 debug_level=1" \
2953 0 \
2954 -C "DHM prime too short:"
2955
2956run_test "DHM size: server 1000, client default, rejected" \
2957 "$P_SRV dhm_file=data_files/dh.1000.pem" \
2958 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2959 debug_level=1" \
2960 1 \
2961 -c "DHM prime too short:"
2962
2963run_test "DHM size: server default, client 2049, rejected" \
2964 "$P_SRV" \
2965 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2966 debug_level=1 dhmlen=2049" \
2967 1 \
2968 -c "DHM prime too short:"
2969
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2970# Tests for PSK callback
2971
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2972run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2973 "$P_SRV psk=abc123 psk_identity=foo" \
2974 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2975 psk_identity=foo psk=abc123" \
2976 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2977 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2978 -S "SSL - Unknown identity received" \
2979 -S "SSL - Verification of the message MAC failed"
2980
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2981run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2982 "$P_SRV" \
2983 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2984 psk_identity=foo psk=abc123" \
2985 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2986 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2987 -S "SSL - Unknown identity received" \
2988 -S "SSL - Verification of the message MAC failed"
2989
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2990run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2991 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2992 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2993 psk_identity=foo psk=abc123" \
2994 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2995 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2996 -s "SSL - Unknown identity received" \
2997 -S "SSL - Verification of the message MAC failed"
2998
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2999run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3000 "$P_SRV psk_list=abc,dead,def,beef" \
3001 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3002 psk_identity=abc psk=dead" \
3003 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3004 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3005 -S "SSL - Unknown identity received" \
3006 -S "SSL - Verification of the message MAC failed"
3007
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3008run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3009 "$P_SRV psk_list=abc,dead,def,beef" \
3010 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3011 psk_identity=def psk=beef" \
3012 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3013 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3014 -S "SSL - Unknown identity received" \
3015 -S "SSL - Verification of the message MAC failed"
3016
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3017run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3018 "$P_SRV psk_list=abc,dead,def,beef" \
3019 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3020 psk_identity=ghi psk=beef" \
3021 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3022 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3023 -s "SSL - Unknown identity received" \
3024 -S "SSL - Verification of the message MAC failed"
3025
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3026run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3027 "$P_SRV psk_list=abc,dead,def,beef" \
3028 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3029 psk_identity=abc psk=beef" \
3030 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3031 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3032 -S "SSL - Unknown identity received" \
3033 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3034
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3035# Tests for EC J-PAKE
3036
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3037requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3038run_test "ECJPAKE: client not configured" \
3039 "$P_SRV debug_level=3" \
3040 "$P_CLI debug_level=3" \
3041 0 \
3042 -C "add ciphersuite: c0ff" \
3043 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3044 -S "found ecjpake kkpp extension" \
3045 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3046 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3047 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3048 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3049 -S "None of the common ciphersuites is usable"
3050
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3051requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3052run_test "ECJPAKE: server not configured" \
3053 "$P_SRV debug_level=3" \
3054 "$P_CLI debug_level=3 ecjpake_pw=bla \
3055 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3056 1 \
3057 -c "add ciphersuite: c0ff" \
3058 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3059 -s "found ecjpake kkpp extension" \
3060 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3061 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3062 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3063 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3064 -s "None of the common ciphersuites is usable"
3065
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3066requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3067run_test "ECJPAKE: working, TLS" \
3068 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3069 "$P_CLI debug_level=3 ecjpake_pw=bla \
3070 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3071 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3072 -c "add ciphersuite: c0ff" \
3073 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3074 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3075 -s "found ecjpake kkpp extension" \
3076 -S "skip ecjpake kkpp extension" \
3077 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3078 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3079 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3080 -S "None of the common ciphersuites is usable" \
3081 -S "SSL - Verification of the message MAC failed"
3082
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3083server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3084requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3085run_test "ECJPAKE: password mismatch, TLS" \
3086 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3087 "$P_CLI debug_level=3 ecjpake_pw=bad \
3088 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3089 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3090 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3091 -s "SSL - Verification of the message MAC failed"
3092
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3093requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3094run_test "ECJPAKE: working, DTLS" \
3095 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3096 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3097 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3098 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3099 -c "re-using cached ecjpake parameters" \
3100 -S "SSL - Verification of the message MAC failed"
3101
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3102requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3103run_test "ECJPAKE: working, DTLS, no cookie" \
3104 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3105 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3106 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3107 0 \
3108 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3109 -S "SSL - Verification of the message MAC failed"
3110
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3111server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3112requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3113run_test "ECJPAKE: password mismatch, DTLS" \
3114 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3115 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3116 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3117 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3118 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3119 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3120
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3121# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3122requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3123run_test "ECJPAKE: working, DTLS, nolog" \
3124 "$P_SRV dtls=1 ecjpake_pw=bla" \
3125 "$P_CLI dtls=1 ecjpake_pw=bla \
3126 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3127 0
3128
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3129# Tests for ciphersuites per version
3130
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3131requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3132run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3133 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3134 "$P_CLI force_version=ssl3" \
3135 0 \
3136 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3137
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3138run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3139 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3140 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3141 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3142 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3143
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3144run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3145 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3146 "$P_CLI force_version=tls1_1" \
3147 0 \
3148 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3149
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3150run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3151 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3152 "$P_CLI force_version=tls1_2" \
3153 0 \
3154 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3155
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3156# Test for ClientHello without extensions
3157
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3158requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3159run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3160 "$P_SRV debug_level=3" \
3161 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3162 0 \
3163 -s "dumping 'client hello extensions' (0 bytes)"
3164
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3165requires_gnutls
3166run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3167 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3168 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3169 0 \
3170 -s "dumping 'client hello extensions' (0 bytes)"
3171
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3172# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3173
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3174run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3175 "$P_SRV" \
3176 "$P_CLI request_size=100" \
3177 0 \
3178 -s "Read from client: 100 bytes read$"
3179
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3180run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3181 "$P_SRV" \
3182 "$P_CLI request_size=500" \
3183 0 \
3184 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3185
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3186# Tests for small packets
3187
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3188requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3189run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3190 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3191 "$P_CLI request_size=1 force_version=ssl3 \
3192 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3193 0 \
3194 -s "Read from client: 1 bytes read"
3195
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3196requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3197run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3198 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3199 "$P_CLI request_size=1 force_version=ssl3 \
3200 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3201 0 \
3202 -s "Read from client: 1 bytes read"
3203
3204run_test "Small packet TLS 1.0 BlockCipher" \
3205 "$P_SRV" \
3206 "$P_CLI request_size=1 force_version=tls1 \
3207 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3208 0 \
3209 -s "Read from client: 1 bytes read"
3210
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3211run_test "Small packet TLS 1.0 BlockCipher without EtM" \
3212 "$P_SRV" \
3213 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3214 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3215 0 \
3216 -s "Read from client: 1 bytes read"
3217
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3218run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
3219 "$P_SRV" \
3220 "$P_CLI request_size=1 force_version=tls1 \
3221 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3222 trunc_hmac=1" \
3223 0 \
3224 -s "Read from client: 1 bytes read"
3225
3226run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3227 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3228 "$P_CLI request_size=1 force_version=tls1 \
3229 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3230 trunc_hmac=1" \
3231 0 \
3232 -s "Read from client: 1 bytes read"
3233
3234run_test "Small packet TLS 1.1 BlockCipher" \
3235 "$P_SRV" \
3236 "$P_CLI request_size=1 force_version=tls1_1 \
3237 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3238 0 \
3239 -s "Read from client: 1 bytes read"
3240
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3241run_test "Small packet TLS 1.1 BlockCipher without EtM" \
3242 "$P_SRV" \
3243 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
3244 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3245 0 \
3246 -s "Read from client: 1 bytes read"
3247
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3248run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3249 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3250 "$P_CLI request_size=1 force_version=tls1_1 \
3251 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3252 0 \
3253 -s "Read from client: 1 bytes read"
3254
3255run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
3256 "$P_SRV" \
3257 "$P_CLI request_size=1 force_version=tls1_1 \
3258 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3259 trunc_hmac=1" \
3260 0 \
3261 -s "Read from client: 1 bytes read"
3262
3263run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3264 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3265 "$P_CLI request_size=1 force_version=tls1_1 \
3266 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3267 trunc_hmac=1" \
3268 0 \
3269 -s "Read from client: 1 bytes read"
3270
3271run_test "Small packet TLS 1.2 BlockCipher" \
3272 "$P_SRV" \
3273 "$P_CLI request_size=1 force_version=tls1_2 \
3274 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3275 0 \
3276 -s "Read from client: 1 bytes read"
3277
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3278run_test "Small packet TLS 1.2 BlockCipher without EtM" \
3279 "$P_SRV" \
3280 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
3281 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3282 0 \
3283 -s "Read from client: 1 bytes read"
3284
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3285run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3286 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3287 "$P_CLI request_size=1 force_version=tls1_2 \
3288 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3289 0 \
3290 -s "Read from client: 1 bytes read"
3291
3292run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
3293 "$P_SRV" \
3294 "$P_CLI request_size=1 force_version=tls1_2 \
3295 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3296 trunc_hmac=1" \
3297 0 \
3298 -s "Read from client: 1 bytes read"
3299
3300run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3301 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3302 "$P_CLI request_size=1 force_version=tls1_2 \
3303 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3304 0 \
3305 -s "Read from client: 1 bytes read"
3306
3307run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3308 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3309 "$P_CLI request_size=1 force_version=tls1_2 \
3310 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3311 trunc_hmac=1" \
3312 0 \
3313 -s "Read from client: 1 bytes read"
3314
3315run_test "Small packet TLS 1.2 AEAD" \
3316 "$P_SRV" \
3317 "$P_CLI request_size=1 force_version=tls1_2 \
3318 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3319 0 \
3320 -s "Read from client: 1 bytes read"
3321
3322run_test "Small packet TLS 1.2 AEAD shorter tag" \
3323 "$P_SRV" \
3324 "$P_CLI request_size=1 force_version=tls1_2 \
3325 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3326 0 \
3327 -s "Read from client: 1 bytes read"
3328
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]3329# A test for extensions in SSLv3
3330
3331requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3332run_test "SSLv3 with extensions, server side" \
3333 "$P_SRV min_version=ssl3 debug_level=3" \
3334 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3335 0 \
3336 -S "dumping 'client hello extensions'" \
3337 -S "server hello, total extension length:"
3338
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3339# Test for large packets
3340
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3341requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3342run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3343 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3344 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3345 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3346 0 \
3347 -s "Read from client: 16384 bytes read"
3348
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3349requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3350run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3351 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3352 "$P_CLI request_size=16384 force_version=ssl3 \
3353 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3354 0 \
3355 -s "Read from client: 16384 bytes read"
3356
3357run_test "Large packet TLS 1.0 BlockCipher" \
3358 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3359 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3360 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3361 0 \
3362 -s "Read from client: 16384 bytes read"
3363
3364run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
3365 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3366 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3367 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3368 trunc_hmac=1" \
3369 0 \
3370 -s "Read from client: 16384 bytes read"
3371
3372run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3373 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3374 "$P_CLI request_size=16384 force_version=tls1 \
3375 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3376 trunc_hmac=1" \
3377 0 \
3378 -s "Read from client: 16384 bytes read"
3379
3380run_test "Large packet TLS 1.1 BlockCipher" \
3381 "$P_SRV" \
3382 "$P_CLI request_size=16384 force_version=tls1_1 \
3383 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3384 0 \
3385 -s "Read from client: 16384 bytes read"
3386
3387run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3388 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3389 "$P_CLI request_size=16384 force_version=tls1_1 \
3390 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3391 0 \
3392 -s "Read from client: 16384 bytes read"
3393
3394run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
3395 "$P_SRV" \
3396 "$P_CLI request_size=16384 force_version=tls1_1 \
3397 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3398 trunc_hmac=1" \
3399 0 \
3400 -s "Read from client: 16384 bytes read"
3401
3402run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3403 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3404 "$P_CLI request_size=16384 force_version=tls1_1 \
3405 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3406 trunc_hmac=1" \
3407 0 \
3408 -s "Read from client: 16384 bytes read"
3409
3410run_test "Large packet TLS 1.2 BlockCipher" \
3411 "$P_SRV" \
3412 "$P_CLI request_size=16384 force_version=tls1_2 \
3413 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3414 0 \
3415 -s "Read from client: 16384 bytes read"
3416
3417run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3418 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3419 "$P_CLI request_size=16384 force_version=tls1_2 \
3420 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3421 0 \
3422 -s "Read from client: 16384 bytes read"
3423
3424run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
3425 "$P_SRV" \
3426 "$P_CLI request_size=16384 force_version=tls1_2 \
3427 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3428 trunc_hmac=1" \
3429 0 \
3430 -s "Read from client: 16384 bytes read"
3431
3432run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3433 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3434 "$P_CLI request_size=16384 force_version=tls1_2 \
3435 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3436 0 \
3437 -s "Read from client: 16384 bytes read"
3438
3439run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3440 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3441 "$P_CLI request_size=16384 force_version=tls1_2 \
3442 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3443 trunc_hmac=1" \
3444 0 \
3445 -s "Read from client: 16384 bytes read"
3446
3447run_test "Large packet TLS 1.2 AEAD" \
3448 "$P_SRV" \
3449 "$P_CLI request_size=16384 force_version=tls1_2 \
3450 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3451 0 \
3452 -s "Read from client: 16384 bytes read"
3453
3454run_test "Large packet TLS 1.2 AEAD shorter tag" \
3455 "$P_SRV" \
3456 "$P_CLI request_size=16384 force_version=tls1_2 \
3457 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3458 0 \
3459 -s "Read from client: 16384 bytes read"
3460
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3461# Tests for DTLS HelloVerifyRequest
3462
3463run_test "DTLS cookie: enabled" \
3464 "$P_SRV dtls=1 debug_level=2" \
3465 "$P_CLI dtls=1 debug_level=2" \
3466 0 \
3467 -s "cookie verification failed" \
3468 -s "cookie verification passed" \
3469 -S "cookie verification skipped" \
3470 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3471 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3472 -S "SSL - The requested feature is not available"
3473
3474run_test "DTLS cookie: disabled" \
3475 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3476 "$P_CLI dtls=1 debug_level=2" \
3477 0 \
3478 -S "cookie verification failed" \
3479 -S "cookie verification passed" \
3480 -s "cookie verification skipped" \
3481 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3482 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3483 -S "SSL - The requested feature is not available"
3484
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3485run_test "DTLS cookie: default (failing)" \
3486 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3487 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3488 1 \
3489 -s "cookie verification failed" \
3490 -S "cookie verification passed" \
3491 -S "cookie verification skipped" \
3492 -C "received hello verify request" \
3493 -S "hello verification requested" \
3494 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3495
3496requires_ipv6
3497run_test "DTLS cookie: enabled, IPv6" \
3498 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3499 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3500 0 \
3501 -s "cookie verification failed" \
3502 -s "cookie verification passed" \
3503 -S "cookie verification skipped" \
3504 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3505 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3506 -S "SSL - The requested feature is not available"
3507
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3508run_test "DTLS cookie: enabled, nbio" \
3509 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3510 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3511 0 \
3512 -s "cookie verification failed" \
3513 -s "cookie verification passed" \
3514 -S "cookie verification skipped" \
3515 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3516 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3517 -S "SSL - The requested feature is not available"
3518
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3519# Tests for client reconnecting from the same port with DTLS
3520
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3521not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3522run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3523 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3524 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3525 0 \
3526 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3527 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3528 -S "Client initiated reconnection from same port"
3529
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3530not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3531run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3532 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3533 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3534 0 \
3535 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3536 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3537 -s "Client initiated reconnection from same port"
3538
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3539not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3540run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3541 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3542 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3543 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3544 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3545 -s "Client initiated reconnection from same port"
3546
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3547only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3548run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3549 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3550 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3551 0 \
3552 -S "The operation timed out" \
3553 -s "Client initiated reconnection from same port"
3554
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3555run_test "DTLS client reconnect from same port: no cookies" \
3556 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]3557 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3558 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3559 -s "The operation timed out" \
3560 -S "Client initiated reconnection from same port"
3561
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3562# Tests for various cases of client authentication with DTLS
3563# (focused on handshake flows and message parsing)
3564
3565run_test "DTLS client auth: required" \
3566 "$P_SRV dtls=1 auth_mode=required" \
3567 "$P_CLI dtls=1" \
3568 0 \
3569 -s "Verifying peer X.509 certificate... ok"
3570
3571run_test "DTLS client auth: optional, client has no cert" \
3572 "$P_SRV dtls=1 auth_mode=optional" \
3573 "$P_CLI dtls=1 crt_file=none key_file=none" \
3574 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3575 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3576
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3577run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3578 "$P_SRV dtls=1 auth_mode=none" \
3579 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
3580 0 \
3581 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3582 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3583
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]3584run_test "DTLS wrong PSK: badmac alert" \
3585 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3586 "$P_CLI dtls=1 psk=abc124" \
3587 1 \
3588 -s "SSL - Verification of the message MAC failed" \
3589 -c "SSL - A fatal alert message was received from our peer"
3590
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3591# Tests for receiving fragmented handshake messages with DTLS
3592
3593requires_gnutls
3594run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3595 "$G_SRV -u --mtu 2048 -a" \
3596 "$P_CLI dtls=1 debug_level=2" \
3597 0 \
3598 -C "found fragmented DTLS handshake message" \
3599 -C "error"
3600
3601requires_gnutls
3602run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3603 "$G_SRV -u --mtu 512" \
3604 "$P_CLI dtls=1 debug_level=2" \
3605 0 \
3606 -c "found fragmented DTLS handshake message" \
3607 -C "error"
3608
3609requires_gnutls
3610run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3611 "$G_SRV -u --mtu 128" \
3612 "$P_CLI dtls=1 debug_level=2" \
3613 0 \
3614 -c "found fragmented DTLS handshake message" \
3615 -C "error"
3616
3617requires_gnutls
3618run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3619 "$G_SRV -u --mtu 128" \
3620 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3621 0 \
3622 -c "found fragmented DTLS handshake message" \
3623 -C "error"
3624
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3625requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3626run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3627 "$G_SRV -u --mtu 256" \
3628 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3629 0 \
3630 -c "found fragmented DTLS handshake message" \
3631 -c "client hello, adding renegotiation extension" \
3632 -c "found renegotiation extension" \
3633 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3634 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3635 -C "error" \
3636 -s "Extra-header:"
3637
3638requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3639run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3640 "$G_SRV -u --mtu 256" \
3641 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3642 0 \
3643 -c "found fragmented DTLS handshake message" \
3644 -c "client hello, adding renegotiation extension" \
3645 -c "found renegotiation extension" \
3646 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3647 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3648 -C "error" \
3649 -s "Extra-header:"
3650
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3651run_test "DTLS reassembly: no fragmentation (openssl server)" \
3652 "$O_SRV -dtls1 -mtu 2048" \
3653 "$P_CLI dtls=1 debug_level=2" \
3654 0 \
3655 -C "found fragmented DTLS handshake message" \
3656 -C "error"
3657
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3658run_test "DTLS reassembly: some fragmentation (openssl server)" \
3659 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3660 "$P_CLI dtls=1 debug_level=2" \
3661 0 \
3662 -c "found fragmented DTLS handshake message" \
3663 -C "error"
3664
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3665run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3666 "$O_SRV -dtls1 -mtu 256" \
3667 "$P_CLI dtls=1 debug_level=2" \
3668 0 \
3669 -c "found fragmented DTLS handshake message" \
3670 -C "error"
3671
3672run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3673 "$O_SRV -dtls1 -mtu 256" \
3674 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3675 0 \
3676 -c "found fragmented DTLS handshake message" \
3677 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3678
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3679# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3680
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3681not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3682run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3683 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3684 "$P_SRV dtls=1 debug_level=2" \
3685 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3686 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3687 -C "replayed record" \
3688 -S "replayed record" \
3689 -C "record from another epoch" \
3690 -S "record from another epoch" \
3691 -C "discarding invalid record" \
3692 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3693 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3694 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3695 -c "HTTP/1.0 200 OK"
3696
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3697not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3698run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3699 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3700 "$P_SRV dtls=1 debug_level=2" \
3701 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3702 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3703 -c "replayed record" \
3704 -s "replayed record" \
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame^]3705 -c "record from another epoch" \
3706 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3707 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3708 -s "Extra-header:" \
3709 -c "HTTP/1.0 200 OK"
3710
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3711run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3712 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3713 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3714 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3715 0 \
3716 -c "replayed record" \
3717 -S "replayed record" \
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame^]3718 -c "record from another epoch" \
3719 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3720 -c "resend" \
3721 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3722 -s "Extra-header:" \
3723 -c "HTTP/1.0 200 OK"
3724
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3725run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3726 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3727 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3728 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3729 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3730 -c "discarding invalid record (mac)" \
3731 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3732 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3733 -c "HTTP/1.0 200 OK" \
3734 -S "too many records with bad MAC" \
3735 -S "Verification of the message MAC failed"
3736
3737run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3738 -p "$P_PXY bad_ad=1" \
3739 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3740 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3741 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3742 -C "discarding invalid record (mac)" \
3743 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3744 -S "Extra-header:" \
3745 -C "HTTP/1.0 200 OK" \
3746 -s "too many records with bad MAC" \
3747 -s "Verification of the message MAC failed"
3748
3749run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3750 -p "$P_PXY bad_ad=1" \
3751 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3752 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3753 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3754 -c "discarding invalid record (mac)" \
3755 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3756 -s "Extra-header:" \
3757 -c "HTTP/1.0 200 OK" \
3758 -S "too many records with bad MAC" \
3759 -S "Verification of the message MAC failed"
3760
3761run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3762 -p "$P_PXY bad_ad=1" \
3763 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3764 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3765 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3766 -c "discarding invalid record (mac)" \
3767 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3768 -s "Extra-header:" \
3769 -c "HTTP/1.0 200 OK" \
3770 -s "too many records with bad MAC" \
3771 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3772
3773run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3774 -p "$P_PXY delay_ccs=1" \
3775 "$P_SRV dtls=1 debug_level=1" \
3776 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3777 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3778 -c "record from another epoch" \
3779 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3780 -s "Extra-header:" \
3781 -c "HTTP/1.0 200 OK"
3782
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3783# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3784
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3785client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3786run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3787 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3788 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3789 psk=abc123" \
3790 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3791 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3792 0 \
3793 -s "Extra-header:" \
3794 -c "HTTP/1.0 200 OK"
3795
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3796client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3797run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3798 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3799 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3800 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3801 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3802 0 \
3803 -s "Extra-header:" \
3804 -c "HTTP/1.0 200 OK"
3805
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3806client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3807run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3808 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3809 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3810 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3811 0 \
3812 -s "Extra-header:" \
3813 -c "HTTP/1.0 200 OK"
3814
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3815client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3816run_test "DTLS proxy: 3d, FS, client auth" \
3817 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3818 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3819 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3820 0 \
3821 -s "Extra-header:" \
3822 -c "HTTP/1.0 200 OK"
3823
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3824client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3825run_test "DTLS proxy: 3d, FS, ticket" \
3826 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3827 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3828 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3829 0 \
3830 -s "Extra-header:" \
3831 -c "HTTP/1.0 200 OK"
3832
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3833client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3834run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3835 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3836 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3837 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3838 0 \
3839 -s "Extra-header:" \
3840 -c "HTTP/1.0 200 OK"
3841
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3842client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3843run_test "DTLS proxy: 3d, max handshake, nbio" \
3844 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3845 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3846 auth_mode=required" \
3847 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3848 0 \
3849 -s "Extra-header:" \
3850 -c "HTTP/1.0 200 OK"
3851
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3852client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]3853run_test "DTLS proxy: 3d, min handshake, resumption" \
3854 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3855 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3856 psk=abc123 debug_level=3" \
3857 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3858 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3859 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3860 0 \
3861 -s "a session has been resumed" \
3862 -c "a session has been resumed" \
3863 -s "Extra-header:" \
3864 -c "HTTP/1.0 200 OK"
3865
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3866client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]3867run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3868 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3869 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3870 psk=abc123 debug_level=3 nbio=2" \
3871 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3872 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3873 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3874 0 \
3875 -s "a session has been resumed" \
3876 -c "a session has been resumed" \
3877 -s "Extra-header:" \
3878 -c "HTTP/1.0 200 OK"
3879
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3880client_needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3881run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3882 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3883 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3884 psk=abc123 renegotiation=1 debug_level=2" \
3885 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3886 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3887 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3888 0 \
3889 -c "=> renegotiate" \
3890 -s "=> renegotiate" \
3891 -s "Extra-header:" \
3892 -c "HTTP/1.0 200 OK"
3893
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3894client_needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3895run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
3896 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3897 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3898 psk=abc123 renegotiation=1 debug_level=2" \
3899 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3900 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3901 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3902 0 \
3903 -c "=> renegotiate" \
3904 -s "=> renegotiate" \
3905 -s "Extra-header:" \
3906 -c "HTTP/1.0 200 OK"
3907
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3908client_needs_more_time 4
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3909run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3910 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3911 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3912 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3913 debug_level=2" \
3914 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3915 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3916 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3917 0 \
3918 -c "=> renegotiate" \
3919 -s "=> renegotiate" \
3920 -s "Extra-header:" \
3921 -c "HTTP/1.0 200 OK"
3922
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3923client_needs_more_time 4
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3924run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3925 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3926 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3927 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3928 debug_level=2 nbio=2" \
3929 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3930 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3931 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3932 0 \
3933 -c "=> renegotiate" \
3934 -s "=> renegotiate" \
3935 -s "Extra-header:" \
3936 -c "HTTP/1.0 200 OK"
3937
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3938client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3939not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3940run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3941 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3942 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3943 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3944 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3945 -c "HTTP/1.0 200 OK"
3946
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3947client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3948not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3949run_test "DTLS proxy: 3d, openssl server, fragmentation" \
3950 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3951 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3952 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3953 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3954 -c "HTTP/1.0 200 OK"
3955
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3956client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3957not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3958run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
3959 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3960 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3961 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3962 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3963 -c "HTTP/1.0 200 OK"
3964
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3965requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3966client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3967not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3968run_test "DTLS proxy: 3d, gnutls server" \
3969 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3970 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3971 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3972 0 \
3973 -s "Extra-header:" \
3974 -c "Extra-header:"
3975
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3976requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3977client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3978not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3979run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
3980 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3981 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3982 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3983 0 \
3984 -s "Extra-header:" \
3985 -c "Extra-header:"
3986
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3987requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3988client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3989not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3990run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
3991 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3992 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3993 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3994 0 \
3995 -s "Extra-header:" \
3996 -c "Extra-header:"
3997
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3998# Final report
3999
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4000echo "------------------------------------------------------------------------"
4001
4002if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4003 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4004else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4005 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4006fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]4007PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]4008echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4009
4010exit $FAILS