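#!/bin/sh

# Test various options that are not covered by compat.sh
#
# Here the goal is not to cover every ciphersuite/version, but
# rather specific options (max fragment length, truncated hmac, etc)
# or procedures (session resumption from cache or ticket, renego, etc).
#
# Assumes a build with default options.

set -u

# Default values, can be overridden by the environment.
# The expansions are quoted so that a value containing spaces or glob
# characters is assigned as-is instead of being split or expanded as
# arguments of ':'.
#
# NOTE: these values are trusted input. They are spliced into the command
# strings below, which run_test word-splits and, for the client side,
# passes to eval; whatever the environment supplies here is executed.
: "${P_SRV:=../programs/ssl/ssl_server2}"
: "${P_CLI:=../programs/ssl/ssl_client2}"
: "${P_PXY:=../programs/test/udp_proxy}"
: "${OPENSSL_CMD:=openssl}" # OPENSSL would conflict with the build system
: "${GNUTLS_CLI:=gnutls-cli}"
: "${GNUTLS_SERV:=gnutls-serv}"
: "${PERL:=perl}"

# Command lines for the peers from other TLS stacks. The O_CLI and G_CLI
# strings contain a shell pipeline, which is why the client command is
# run through eval.
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
TCP_CLIENT="$PERL scripts/tcp_client.pl"

# Counters reported for the whole run.
TESTS=0
FAILS=0
SKIPS=0

# Build configuration consulted by requires_config_enabled/_disabled.
CONFIG_H='../include/mbedtls/config.h'

# Option defaults: no valgrind, run every test, exclude nothing.
MEMCHECK=0
FILTER='.*'
EXCLUDE='^$'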
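# Print the command-line help on stdout.
# Globals: FILTER, EXCLUDE (read) - shown as the current defaults.
print_usage() {
    echo "Usage: $0 [options]"
    printf " -h|--help\tPrint this help.\n"
    printf " -m|--memcheck\tCheck memory leaks and errors.\n"
    # FILTER and EXCLUDE are regular expressions supplied on the command
    # line and may contain '%' or backslashes, so they are passed as
    # arguments and never as part of the format string.
    printf " -f|--filter\tOnly matching tests are executed (default: '%s')\n" "$FILTER"
    printf " -e|--exclude\tMatching tests are excluded (default: '%s')\n" "$EXCLUDE"
    printf " --seed\tInteger seed value to use for this test run (default: random)\n"
}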
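# Parse the command-line options of the script.
# Globals:   FILTER, EXCLUDE, MEMCHECK, SEED (written)
# Arguments: the script's "$@"
# Exits:     0 after printing the help; 1 on an unknown option or on an
#            option that is missing its argument.
get_options() {
    while [ $# -gt 0 ]; do
        # Options that take a value: refuse a trailing option with no
        # value instead of failing later on an unset $1 or a bad shift.
        case "$1" in
            -f|--filter|-e|--exclude|--seed)
                if [ $# -lt 2 ]; then
                    echo "Missing argument for '$1'"
                    print_usage
                    exit 1
                fi
                ;;
        esac

        case "$1" in
            -f|--filter)
                shift; FILTER=$1
                ;;
            -e|--exclude)
                shift; EXCLUDE=$1
                ;;
            -m|--memcheck)
                MEMCHECK=1
                ;;
            --seed)
                # SEED is not validated here. It is later appended to the
                # proxy command line as seed=$SEED, and that command line
                # is split into words when it is run, so pass an integer
                # only, as the usage text says.
                shift; SEED="$1"
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done
}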
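# skip next test if the flag is not enabled in config.h
# Arguments: $1 - name of the configuration macro
# Globals:   CONFIG_H (read), SKIP_NEXT (written)
requires_config_enabled() {
    # The end of the macro name is anchored: without it "FOO" would also be
    # satisfied by "#define FOO_BAR", and the test would run against a
    # build that does not actually have the option.
    if grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null; then :; else
        SKIP_NEXT="YES"
    fi
}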
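# skip next test if the flag is enabled in config.h
# Arguments: $1 - name of the configuration macro
# Globals:   CONFIG_H (read), SKIP_NEXT (written)
requires_config_disabled() {
    # The end of the macro name is anchored so that "FOO" is not treated
    # as enabled merely because "#define FOO_BAR" is present.
    if grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null; then
        SKIP_NEXT="YES"
    fi
}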
# Skip the next test when the OpenSSL client does not know FALLBACK_SCSV.
# The help output is probed once; the answer is cached in
# OPENSSL_HAS_FBSCSV ("YES" or "NO") for the rest of the run.
# Globals: OPENSSL_CMD (read), OPENSSL_HAS_FBSCSV, SKIP_NEXT (written)
requires_openssl_with_fallback_scsv() {
    if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
        OPENSSL_HAS_FBSCSV="NO"
        # $OPENSSL_CMD is expanded unquoted, as everywhere else in this
        # script where a command string is run.
        if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null; then
            OPENSSL_HAS_FBSCSV="YES"
        fi
    fi

    case "$OPENSSL_HAS_FBSCSV" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
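# skip next test if GnuTLS isn't available
# The lookup is done once and cached in GNUTLS_AVAILABLE ("YES" or "NO").
# Globals: GNUTLS_CLI, GNUTLS_SERV (read), GNUTLS_AVAILABLE, SKIP_NEXT (written)
requires_gnutls() {
    if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
        # command -v is the POSIX lookup; 'which' is an external tool that
        # is not guaranteed to be installed and whose exit status is not
        # consistent across systems.
        if command -v "$GNUTLS_CLI" >/dev/null 2>&1 &&
           command -v "$GNUTLS_SERV" >/dev/null 2>&1; then
            GNUTLS_AVAILABLE="YES"
        else
            GNUTLS_AVAILABLE="NO"
        fi
    fi
    if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
        SKIP_NEXT="YES"
    fi
}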
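# skip next test if IPv6 isn't available on this host
# The probe starts the server on ::1 for one second and looks for a bind
# failure in its output; the answer is cached in HAS_IPV6.
# Globals: P_SRV, SRV_OUT (read), SRV_PID, HAS_IPV6, SKIP_NEXT (written)
requires_ipv6() {
    if [ -z "${HAS_IPV6:-}" ]; then
        # $P_SRV is a command line (program plus arguments) and is split
        # into words on purpose.
        $P_SRV server_addr='::1' > "$SRV_OUT" 2>&1 &
        SRV_PID=$!
        sleep 1
        kill "$SRV_PID" >/dev/null 2>&1
        # Reap the probe, as run_test does for its server, so that its
        # output is complete before it is inspected.
        wait "$SRV_PID" 2>/dev/null
        if grep "NET - Binding of the socket failed" "$SRV_OUT" >/dev/null; then
            HAS_IPV6="NO"
        else
            HAS_IPV6="YES"
        fi
        # SRV_OUT is a regular file: remove just that file, never
        # recursively.
        rm -f -- "$SRV_OUT"
    fi

    if [ "$HAS_IPV6" = "NO" ]; then
        SKIP_NEXT="YES"
    fi
}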
# Mark the next test as skipped when the run uses valgrind.
# Globals: MEMCHECK (read), SKIP_NEXT (written)
not_with_valgrind() {
    if ! [ "$MEMCHECK" -gt 0 ]; then
        return 0
    fi
    SKIP_NEXT="YES"
}
# Mark the next test as skipped unless the run uses valgrind.
# Globals: MEMCHECK (read), SKIP_NEXT (written)
only_with_valgrind() {
    if ! [ "$MEMCHECK" -eq 0 ]; then
        return 0
    fi
    SKIP_NEXT="YES"
}
# Scale the client watchdog delay for the next test only.
# Arguments: $1 - factor stored in CLI_DELAY_FACTOR; wait_client_done
#            multiplies the watchdog delay by it and resets it to 1.
needs_more_time() {
    CLI_DELAY_FACTOR="$1"
}
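# print_name <name>
# Print the test name followed by a run of dots that pads it to a fixed
# width, and count the test.
# Globals: TESTS (incremented), LEN (written)
print_name() {
    # The name is data, not a format string: a '%' or a backslash in a
    # test name has to be printed literally.
    printf '%s ' "$1"
    # wc -c counts the bytes of the name plus the newline added here.
    LEN=$(( 72 - $(printf '%s\n' "$1" | wc -c) ))
    # Plain counting loop; seq is not available on every system.
    i=1
    while [ "$i" -le "$LEN" ]; do
        printf '.'
        i=$(( i + 1 ))
    done
    printf ' '

    TESTS=$(( TESTS + 1 ))
}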
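# fail <message>
# Report the current test as failed, keep its output files under
# o-{srv,cli,pxy}-<test number>.log and count the failure.
# Globals: SRV_OUT, CLI_OUT, PXY_OUT, PXY_CMD, TESTS, USER, LOGNAME (read),
#          FAILS (incremented)
fail() {
    echo "FAIL"
    echo " ! $1"

    # File names are quoted so that a path with spaces is moved as one file.
    mv -- "$SRV_OUT" "o-srv-${TESTS}.log"
    mv -- "$CLI_OUT" "o-cli-${TESTS}.log"
    if [ -n "$PXY_CMD" ]; then
        mv -- "$PXY_OUT" "o-pxy-${TESTS}.log"
    fi
    echo " ! outputs saved to o-XXX-${TESTS}.log"

    # When run by the buildbot account the saved logs are also copied to
    # stdout, so the build log holds everything the programs printed at
    # the debug level the test asked for.
    if [ "X${USER:-}" = Xbuildbot ] || [ "X${LOGNAME:-}" = Xbuildbot ]; then
        echo " ! server output:"
        cat "o-srv-${TESTS}.log"
        echo " ! ========================================================"
        echo " ! client output:"
        cat "o-cli-${TESTS}.log"
        if [ -n "$PXY_CMD" ]; then
            echo " ! ========================================================"
            echo " ! proxy output:"
            cat "o-pxy-${TESTS}.log"
        fi
        echo ""
    fi

    FAILS=$(( FAILS + 1 ))
}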
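# is_polar <cmd_line>
# Succeed when the command line runs one of this project's own programs
# (ssl_server2 or ssl_client2), fail otherwise.
is_polar() {
    # Substring match done by the shell: '\|' alternation in a basic
    # regular expression is a grep extension, not POSIX.
    case "$1" in
        *ssl_server2*|*ssl_client2*) return 0 ;;
        *) return 1 ;;
    esac
}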
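# openssl s_server doesn't have -www with DTLS
# For such a server command, drop -www and record that the server has to
# be fed input instead (see provide_input).
# Globals: SRV_CMD (read, possibly rewritten), NEEDS_INPUT (written)
check_osrv_dtls() {
    if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
        NEEDS_INPUT=1
        # The command string is passed quoted so that glob characters in
        # it are not expanded against the current directory here.
        SRV_CMD="$( printf '%s\n' "$SRV_CMD" | sed 's/-www//' )"
    else
        NEEDS_INPUT=0
    fi
}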
# Feed a server that needs input on stdin.
# When NEEDS_INPUT is 0 nothing is written. Otherwise an HTTP status line
# is written once per second, forever; the function is used as the left
# side of a pipeline and ends when that pipeline is torn down.
provide_input() {
    [ "$NEEDS_INPUT" -eq 0 ] && return

    while :; do
        echo "HTTP/1.0 200 OK"
        sleep 1
    done
}
# has_mem_err <log_file_name>
# Succeed (status 0) when the valgrind log reports a problem, i.e. when
# either of the two "all clean" summary lines is missing from the log.
# Fail (status 1) only when both lines are present.
has_mem_err() {
    if ! grep -F 'All heap blocks were freed -- no leaks are possible' "$1" >/dev/null; then
        return 0 # true: has errors
    fi
    if ! grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" >/dev/null; then
        return 0 # true: has errors
    fi
    return 1 # false: does not have errors
}
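# Wait for process $2 to be listening on port $1
# Two implementations: with lsof the port is polled until the server owns
# it; without lsof the function just sleeps START_DELAY seconds.
# Globals: DTLS, DOG_DELAY, START_DELAY, SRV_OUT (read),
#          START_TIME, proto (written by the lsof variant)
if type lsof >/dev/null 2>/dev/null; then
    wait_server_start() {
        START_TIME=$(date +%s)
        if [ "$DTLS" -eq 1 ]; then
            proto=UDP
        else
            proto=TCP
        fi
        # Make a tight loop, server normally takes less than 1s to start.
        # -a makes lsof require both conditions, the port (-i) and the
        # PID (-p): another process that happens to hold the port does
        # not count as our server being up.
        while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
            if [ $(( $(date +%s) - $START_TIME )) -gt "$DOG_DELAY" ]; then
                # Only reported; the caller goes on and starts the client.
                echo "SERVERSTART TIMEOUT"
                echo "SERVERSTART TIMEOUT" >> "$SRV_OUT"
                break
            fi
            # Linux and *BSD support decimal arguments to sleep. On other
            # OSes this may be a tight loop.
            sleep 0.1 2>/dev/null || true
        done
    }
else
    wait_server_start() {
        sleep "$START_DELAY"
    }
fi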
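# wait for client to terminate and set CLI_EXIT
# must be called right after starting the client: the client's PID is
# taken from $!, the most recent background job.
# A watchdog subshell kills the client after DOG_DELAY * CLI_DELAY_FACTOR
# seconds and marks the client log with ===CLIENT_TIMEOUT===.
# Globals: DOG_DELAY, CLI_OUT (read), CLI_PID, CLI_DELAY, DOG_PID,
#          CLI_EXIT (written), CLI_DELAY_FACTOR (read, then reset to 1)
wait_client_done() {
    CLI_PID=$!

    CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
    # The factor applies to one test only.
    CLI_DELAY_FACTOR=1

    ( sleep "$CLI_DELAY"; echo "===CLIENT_TIMEOUT===" >> "$CLI_OUT"; kill "$CLI_PID" ) &
    DOG_PID=$!

    wait "$CLI_PID"
    CLI_EXIT=$?

    # The client is done: stop the watchdog before it can fire.
    kill "$DOG_PID" >/dev/null 2>&1
    wait "$DOG_PID"

    echo "EXIT: $CLI_EXIT" >> "$CLI_OUT"
}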
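# check if the given command uses dtls and sets global variable DTLS
# Arguments: $1 - command line to inspect
# The check is a substring match on "dtls=1", "-dtls1" or "-u" anywhere
# in the command line.
detect_dtls() {
    # Matched by the shell: '\|' alternation in a basic regular
    # expression is a grep extension, not POSIX.
    case "$1" in
        *dtls=1*|*-dtls1*|*-u*) DTLS=1 ;;
        *) DTLS=0 ;;
    esac
}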
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options:  -s pattern  pattern that must be present in server output
#           -c pattern  pattern that must be present in client output
#           -u pattern  lines after pattern must be unique in client output
#           -S pattern  pattern that must be absent in server output
#           -C pattern  pattern that must be absent in client output
#           -U pattern  lines after pattern must be unique in server output
#
# Runs one test: starts the optional proxy, the server and the client,
# waits for the client, stops the others, then checks the client exit
# status and the patterns against the captured outputs. Each pattern is
# handed to grep as a basic regular expression, not as a fixed string.
# cli_exit is only compared as zero / non-zero.
#
# The command arguments are shell text: srv_cmd and proxy_cmd are split
# into words and run, cli_cmd is passed to eval. They are built from the
# test definitions in this file and from the environment-overridable
# defaults (P_SRV, P_CLI, OPENSSL_CMD, ...), all of which are trusted.
run_test() {
    NAME="$1"
    shift 1

    # Tests that do not match --filter, or that match --exclude, are
    # dropped silently; a pending skip request is consumed as well.
    if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
    else
        SKIP_NEXT="NO"
        return
    fi

    print_name "$NAME"

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPS=$(( $SKIPS + 1 ))
        return
    fi

    # does this test use a proxy?
    if [ "X$1" = "X-p" ]; then
        PXY_CMD="$2"
        shift 2
    else
        PXY_CMD=""
    fi

    # get commands and client output
    SRV_CMD="$1"
    CLI_CMD="$2"
    CLI_EXPECT="$3"
    shift 3

    # fix client port
    # (the client talks to the proxy when there is one, else to the server)
    if [ -n "$PXY_CMD" ]; then
        CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
    else
        CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
    fi

    # update DTLS variable
    detect_dtls "$SRV_CMD"

    # prepend valgrind to our commands if active
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD"; then
            SRV_CMD="valgrind --leak-check=full $SRV_CMD"
        fi
        if is_polar "$CLI_CMD"; then
            CLI_CMD="valgrind --leak-check=full $CLI_CMD"
        fi
    fi

    # At most two attempts; the second one happens only after a client
    # timeout (see the end of the loop).
    TIMES_LEFT=2
    while [ $TIMES_LEFT -gt 0 ]; do
        TIMES_LEFT=$(( $TIMES_LEFT - 1 ))

        # run the commands
        if [ -n "$PXY_CMD" ]; then
            echo "$PXY_CMD" > $PXY_OUT
            $PXY_CMD >> $PXY_OUT 2>&1 &
            PXY_PID=$!
            # assume proxy starts faster than server
        fi

        check_osrv_dtls
        echo "$SRV_CMD" > $SRV_OUT
        provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
        # $! of a background pipeline is the PID of its last command,
        # i.e. the server (or valgrind when it was prepended above).
        SRV_PID=$!
        wait_server_start "$SRV_PORT" "$SRV_PID"

        echo "$CLI_CMD" > $CLI_OUT
        # NOTE(review): eval runs CLI_CMD as shell code. It is needed
        # because some client commands (O_CLI, G_CLI) contain a pipeline,
        # and it means every part of CLI_CMD has to come from a trusted
        # source.
        eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
        wait_client_done

        # terminate the server (and the proxy)
        # NOTE(review): the status of 'wait $SRV_PID' is not saved, so the
        # server's exit status is not available to the check further down.
        kill $SRV_PID
        wait $SRV_PID
        if [ -n "$PXY_CMD" ]; then
            kill $PXY_PID >/dev/null 2>&1
            wait $PXY_PID
        fi

        # retry only on timeouts
        if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
            printf "RETRY "
        else
            TIMES_LEFT=0
        fi
    done

    # check if the client and server went at least to the handshake stage
    # (useful to avoid tests with only negative assertions and non-zero
    # expected client exit to incorrectly succeed in case of catastrophic
    # failure)
    if is_polar "$SRV_CMD"; then
        if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi
    if is_polar "$CLI_CMD"; then
        if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi

    # check server exit code
    # NOTE(review): $? here is the status of the 'if' statement just
    # above, which is 0 whenever execution reaches this line, so this
    # branch cannot trigger and a crashing server is only caught by the
    # pattern checks. Confirm how the server exits on the kill above
    # before wiring in the saved status of 'wait $SRV_PID'.
    if [ $? != 0 ]; then
        fail "server fail"
        return
    fi

    # check client exit code
    # (only zero versus non-zero is compared, not the exact value)
    if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
         \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
    then
        fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
        return
    fi

    # check other assertions
    # lines beginning with == are added by valgrind, ignore them
    # Every option takes exactly one pattern, hence the 'shift 2' below.
    while [ $# -gt 0 ]
    do
        case $1 in
            "-s")
                if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Server output"
                    return
                fi
                ;;

            "-c")
                if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Client output"
                    return
                fi
                ;;

            "-S")
                if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Server output"
                    return
                fi
                ;;

            "-C")
                if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Client output"
                    return
                fi
                ;;

                # The filtering in the following two options (-u and -U) does the following
                #   - ignore valgrind output
                #   - filter out everything but lines right after the pattern occurrences
                #   - keep one of each non-unique line
                #   - count how many lines remain
                # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
                # if there were no duplicates.
            "-U")
                if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Server output"
                    return
                fi
                ;;

            "-u")
                if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Client output"
                    return
                fi
                ;;

            *)
                echo "Unknown test: $1" >&2
                exit 1
        esac
        shift 2
    done

    # check valgrind's results
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
            fail "Server has memory errors"
            return
        fi
        if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
            fail "Client has memory errors"
            return
        fi
    fi

    # if we're here, everything is ok
    echo "PASS"
    rm -f $SRV_OUT $CLI_OUT $PXY_OUT
}
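# Signal handler: remove the intermediate files, stop whatever child
# processes are still recorded, and exit with status 1.
# Globals: CLI_OUT, SRV_OUT, PXY_OUT, SESSION, SRV_PID, PXY_PID, CLI_PID,
#          DOG_PID (read)
cleanup() {
    # Quoted so that each variable names exactly one file to delete.
    rm -f -- "$CLI_OUT" "$SRV_OUT" "$PXY_OUT" "$SESSION"
    # The PID variables only exist once the matching process has been
    # started, hence the ${VAR:-} guards under 'set -u'.
    test -n "${SRV_PID:-}" && kill "$SRV_PID" >/dev/null 2>&1
    test -n "${PXY_PID:-}" && kill "$PXY_PID" >/dev/null 2>&1
    test -n "${CLI_PID:-}" && kill "$CLI_PID" >/dev/null 2>&1
    test -n "${DOG_PID:-}" && kill "$DOG_PID" >/dev/null 2>&1
    exit 1
}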
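#
# MAIN
#

# Run from the directory that holds this script: the relative paths used
# throughout (data_files/, ../programs/...) depend on it. The path is
# quoted so that a checkout under a directory with spaces still works.
if cd "$( dirname "$0" )"; then :; else
    echo "cd $( dirname "$0" ) failed" >&2
    exit 1
fi

get_options "$@"

# sanity checks, avoid an avalanche of errors
if [ ! -x "$P_SRV" ]; then
    echo "Command '$P_SRV' is not an executable file"
    exit 1
fi
if [ ! -x "$P_CLI" ]; then
    echo "Command '$P_CLI' is not an executable file"
    exit 1
fi
if [ ! -x "$P_PXY" ]; then
    echo "Command '$P_PXY' is not an executable file"
    exit 1
fi
# command -v is the POSIX lookup; 'which' is not guaranteed to exist.
if command -v "$OPENSSL_CMD" >/dev/null 2>&1; then :; else
    echo "Command '$OPENSSL_CMD' not found"
    exit 1
fi

# used by watchdog
MAIN_PID="$$"

# We use somewhat arbitrary delays for tests:
# - how long do we wait for the server to start (when lsof not available)?
# - how long do we allow for the client to finish?
#   (not to check performance, just to avoid waiting indefinitely)
# Things are slower with valgrind, so give extra time here.
#
# Note: without lsof, there is a trade-off between the running time of this
# script and the risk of spurious errors because we didn't wait long enough.
# The watchdog delay on the other hand doesn't affect normal running time of
# the script, only the case where a client or server gets stuck.
if [ "$MEMCHECK" -gt 0 ]; then
    START_DELAY=6
    DOG_DELAY=60
else
    START_DELAY=2
    DOG_DELAY=20
fi

# some particular tests need more time:
# - for the client, we multiply the usual watchdog limit by a factor
# - for the server, we sleep for a number of seconds after the client exits
# see needs_more_time() for the client factor
# NOTE(review): the original comment also names server_needs_more_time();
# no such function is defined in the part of the file reviewed here.
CLI_DELAY_FACTOR=1

# Pick a "unique" server port in the range 10000-19999, and a proxy port
# The ports are derived from the last four digits of this shell's PID.
# Nothing checks that they are free, so a busy port shows up as a
# failing or timed-out test rather than as a setup error.
PORT_BASE="0000$$"
PORT_BASE="$( printf '%s' "$PORT_BASE" | tail -c 4 )"
SRV_PORT="1$PORT_BASE"
PXY_PORT="2$PORT_BASE"
unset PORT_BASE

# fix commands to use this port, force IPv4 while at it
# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
# Our own programs and the proxy are pointed at 127.0.0.1 only.
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT localhost"

# Allow SHA-1, because many of our test certificates use it
# Tests that exercise the default SHA-1 policy pass allow_sha1=0 themselves.
P_SRV="$P_SRV allow_sha1=1"
P_CLI="$P_CLI allow_sha1=1"

# Also pick a unique name for intermediate files
# The names are PID-based and relative to the script's directory, which
# is assumed not to be writable by other users.
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"
PXY_OUT="pxy_out.$$"
SESSION="session.$$"

SKIP_NEXT="NO"

# Remove the intermediate files and stop child processes on interruption.
trap cleanup INT TERM HUP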
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200597# Basic test
598
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200599# Checks that:
600# - things work with all ciphersuites active (used with config-full in all.sh)
601# - the expected (highest security) parameters are selected
602# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200603run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200604 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200605 "$P_CLI" \
606 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200607 -s "Protocol is TLSv1.2" \
608 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
609 -s "client hello v3, signature_algorithm ext: 6" \
610 -s "ECDHE curve: secp521r1" \
611 -S "error" \
612 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200613
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000614run_test "Default, DTLS" \
615 "$P_SRV dtls=1" \
616 "$P_CLI dtls=1" \
617 0 \
618 -s "Protocol is DTLSv1.2" \
619 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
620
Janos Follath6d3e3382016-09-07 15:48:48 +0100621# Test for uniqueness of IVs in AEAD ciphersuites
622run_test "Unique IV in GCM" \
623 "$P_SRV exchanges=20 debug_level=4" \
624 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
625 0 \
626 -u "IV used" \
627 -U "IV used"
628
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100629# Tests for rc4 option
630
Simon Butcher6eb066e2016-05-19 22:12:18 +0100631requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100632run_test "RC4: server disabled, client enabled" \
633 "$P_SRV" \
634 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
635 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100636 -s "SSL - The server has no ciphersuites in common"
637
Simon Butcher6eb066e2016-05-19 22:12:18 +0100638requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100639run_test "RC4: server half, client enabled" \
640 "$P_SRV arc4=1" \
641 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
642 1 \
643 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100644
645run_test "RC4: server enabled, client disabled" \
646 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
647 "$P_CLI" \
648 1 \
649 -s "SSL - The server has no ciphersuites in common"
650
651run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100652 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100653 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
654 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100655 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100656 -S "SSL - The server has no ciphersuites in common"
657
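# Tests for SHA-1 support
#
# These cases pin the policy for certificates whose signature uses SHA-1.
# The "by default" cases depend on the compile-time option
# MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, so each exists in two
# variants, selected by requires_config_disabled / requires_config_enabled.
#
# run_test and the requires_* helpers are defined elsewhere in this script.
# Arguments are: test name, server command, client command, expected client
# exit code, then log checks (-s/-c: pattern must appear in the server/client
# output, -S/-C: pattern must not appear).
#
# NOTE(review): allow_sha1=0 appears to mean "keep the library default" rather
# than "forbid", since the config-enabled variants expect success with it.
# Confirm against the test programs.
#
# The config-enabled variants were previously also named "SHA-1 forbidden by
# default ...", although they expect the handshake to succeed. They are named
# "allowed by default" here so that a report or a name filter cannot mistake
# an accepted SHA-1 certificate for a rejected one.

requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI debug_level=2 allow_sha1=0" \
    1 \
    -c "The certificate is signed with an unacceptable hash"

requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 allowed by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI debug_level=2 allow_sha1=0" \
    0

run_test "SHA-1 explicitly allowed in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI allow_sha1=1" \
    0

run_test "SHA-256 allowed by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
    "$P_CLI allow_sha1=0" \
    0

# Same policy, checked on the server side against the client's certificate.
requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    1 \
    -s "The certificate is signed with an unacceptable hash"

requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 allowed by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    0

run_test "SHA-1 explicitly allowed in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=1" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    0

run_test "SHA-256 allowed by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
    0
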
# Tests for Truncated HMAC extension
#
# The server dumps the MAC it computes at debug_level=4. A 20-byte MAC is the
# full HMAC-SHA1 output, a 10-byte MAC is the truncated form. The cases below
# expect truncation only when both peers enable it; any other combination
# (including the defaults) must keep the full-length MAC.

run_test "Truncated HMAC: client default, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

run_test "Truncated HMAC: client disabled, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  trunc_hmac=0" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

# A client offer alone must not shorten the MAC.
run_test "Truncated HMAC: client enabled, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  trunc_hmac=1" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

run_test "Truncated HMAC: client enabled, server disabled" \
    "$P_SRV debug_level=4 trunc_hmac=0" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  trunc_hmac=1" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

# The only case in which the 10-byte MAC is expected.
run_test "Truncated HMAC: client enabled, server enabled" \
    "$P_SRV debug_level=4 trunc_hmac=1" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  trunc_hmac=1" \
    0 \
    -S "dumping 'computed mac' (20 bytes)" \
    -s "dumping 'computed mac' (10 bytes)"

# Tests for Encrypt-then-MAC extension
#
# Encrypt-then-MAC (RFC 7366) only changes record protection for CBC
# ciphersuites. The cases below check that it is used when both peers offer
# it with a CBC suite, and that it is NOT reported as used with an AEAD
# suite, with a stream cipher, with SSLv3, or when either peer disables it.

run_test "Encrypt then MAC: default" \
    "$P_SRV debug_level=3  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -s "server hello, adding encrypt then mac extension" \
    -c "found encrypt_then_mac extension" \
    -c "using encrypt then mac" \
    -s "using encrypt then mac"

run_test "Encrypt then MAC: client enabled, server disabled" \
    "$P_SRV debug_level=3 etm=0  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 etm=1" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# The server sees the offer but must not echo it for a non-CBC suite.
run_test "Encrypt then MAC: client enabled, aead cipher" \
    "$P_SRV debug_level=3 etm=1  force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI debug_level=3 etm=1" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

run_test "Encrypt then MAC: client enabled, stream cipher" \
    "$P_SRV debug_level=3 etm=1  force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

run_test "Encrypt then MAC: client disabled, server enabled" \
    "$P_SRV debug_level=3 etm=1  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 etm=0" \
    0 \
    -C "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# SSLv3 cases only run when the library is built with SSLv3 support.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client SSLv3, server enabled" \
    "$P_SRV debug_level=3 min_version=ssl3  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 force_version=ssl3" \
    0 \
    -C "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# The client offers the extension; a server forced to SSLv3 must not report
# having found it.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client enabled, server SSLv3" \
    "$P_SRV debug_level=3 force_version=ssl3  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 min_version=ssl3" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Tests for Extended Master Secret extension
#
# Extended Master Secret (RFC 7627) binds the master secret to the handshake
# transcript. The cases below expect it to be negotiated by default, and to
# be absent when either peer disables it or when the connection uses SSLv3.

run_test "Extended Master Secret: default" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -s "found extended master secret extension" \
    -s "server hello, adding extended master secret extension" \
    -c "found extended_master_secret extension" \
    -c "using extended master secret" \
    -s "using extended master secret"

run_test "Extended Master Secret: client enabled, server disabled" \
    "$P_SRV debug_level=3 extended_ms=0" \
    "$P_CLI debug_level=3 extended_ms=1" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -s "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

run_test "Extended Master Secret: client disabled, server enabled" \
    "$P_SRV debug_level=3 extended_ms=1" \
    "$P_CLI debug_level=3 extended_ms=0" \
    0 \
    -C "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# SSLv3 cases only run when the library is built with SSLv3 support.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client SSLv3, server enabled" \
    "$P_SRV debug_level=3 min_version=ssl3" \
    "$P_CLI debug_level=3 force_version=ssl3" \
    0 \
    -C "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client enabled, server SSLv3" \
    "$P_SRV debug_level=3 force_version=ssl3" \
    "$P_CLI debug_level=3 min_version=ssl3" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# Tests for FALLBACK_SCSV
#
# FALLBACK_SCSV (RFC 7507) lets a server detect a client that retried the
# handshake at a lower protocol version than both peers support. The server
# is then expected to answer with the fatal inappropriate_fallback alert,
# which is alert number 86 (the "msg 86" in the client-side checks).
#
# NOTE(review): the log pattern is spelled "inapropriate" in every check
# below. Presumably it mirrors the spelling of the server's debug message.
# Correcting it only here would make the -S checks pass vacuously and the
# -s checks fail, so change it together with the message or not at all.

run_test "Fallback SCSV: default" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

run_test "Fallback SCSV: explicitly disabled" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

# Client signals a fallback while forcing TLS 1.1: the handshake must fail.
run_test "Fallback SCSV: enabled" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
    1 \
    -c "adding FALLBACK_SCSV" \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback" \
    -c "is a fatal alert message (msg 86)"

# The SCSV is sent but no version is forced on the client, so the server
# sees it and still accepts the handshake.
run_test "Fallback SCSV: enabled, max version" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 fallback=1" \
    0 \
    -c "adding FALLBACK_SCSV" \
    -s "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

# Interoperability with OpenSSL; skipped unless the installed openssl
# supports the SCSV (requires_openssl_with_fallback_scsv, defined elsewhere).
# NOTE(review): the next test is named "default" but passes fallback=0.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: default, openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -C "is a fatal alert message (msg 86)"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
    1 \
    -c "adding FALLBACK_SCSV" \
    -c "is a fatal alert message (msg 86)"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: disabled, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -tls1_1" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -tls1_1 -fallback_scsv" \
    1 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, max version, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -fallback_scsv" \
    0 \
    -s "received FALLBACK_SCSV" \
    -S "inapropriate fallback"

## ClientHello generated with
## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
## then manually twiddling the ciphersuite list.
## The ClientHello content is spelled out below as a hex string as
## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
## The expected response is an inappropriate_fallback alert.
##
## "5600" is the FALLBACK_SCSV code point {0x56, 0x00}. These cases check
## that the server recognises it wherever it sits in the ciphersuite list.
## The expected reply '15030200020256' reads as: alert record (0x15),
## version 0x0302, length 2, level 2 (fatal), description 0x56 (86).
##
## NOTE(review): these cases replay a canned ClientHello through $TCP_CLIENT
## and do not appear to invoke openssl. The requires_openssl_with_fallback_scsv
## guard may therefore skip them unnecessarily; confirm before relaxing it.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: beginning of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: end of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

## Here the expected response is a valid ServerHello prefix, up to the random.
## "0056" is a byte-swapped look-alike, not the SCSV, so the server must not
## treat the hello as a fallback.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: not in list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"

# Tests for CBC 1/n-1 record splitting
#
# With CBC suites in SSLv3 and TLS 1.0 the client is expected to split each
# application record into 1 byte + (n-1) bytes, a countermeasure for the
# predictable-IV weakness of those versions. The server's read sizes show
# whether that happened: "1 bytes read" followed by "122 bytes read" for the
# 123-byte request means split, a single "123 bytes read" means not split.
# No splitting is expected for TLS 1.1/1.2, for RC4, or with recsplit=0.

run_test "CBC Record splitting: TLS 1.2, no splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1_2" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.1, no splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1_1" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.0, splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

# Only runs when the library is built with SSLv3 support.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "CBC Record splitting: SSLv3, splitting" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=ssl3" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

# A stream cipher has no CBC IV chaining, so nothing is split.
run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA  request_size=123 force_version=tls1" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

# recsplit=0 turns the countermeasure off explicitly on the client.
run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1 recsplit=0" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
    "$P_SRV nbio=2" \
    "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

# Tests for Session Tickets
#
# Each case connects, reconnects, and checks which mechanism (if any)
# resumed the session. With tickets enabled on both sides the resumption
# must come from the ticket, never from the server-side cache. The timeout
# case checks that a ticket older than its lifetime is not honoured.

run_test "Session resume using tickets: basic" \
    "$P_SRV debug_level=3 tickets=1" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# cache_max=0 disables the server cache, so only the ticket can resume.
run_test "Session resume using tickets: cache disabled" \
    "$P_SRV debug_level=3 tickets=1 cache_max=0" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# The client reconnects after 2 (reco_delay) with ticket_timeout=1: the
# ticket is issued and parsed, but no resumption may be reported.
run_test "Session resume using tickets: timeout" \
    "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using tickets: openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -c "a session has been resumed"

# The OpenSSL client saves its session to $SESSION, reuses it on a second
# connection, then removes the file. SESSION is set elsewhere in this script.
run_test "Session resume using tickets: openssl client" \
    "$P_SRV debug_level=3 tickets=1" \
    "( $O_CLI -sess_out $SESSION;  $O_CLI -sess_in $SESSION;  rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed"

# Tests for Session Resume based on session-ID and cache
#
# Here tickets are disabled on at least one side, so a resumed session must
# come from the server-side cache. The cache_max and cache_timeout cases
# check that a disabled cache or an expired entry yields no resumption.

run_test "Session resume using cache: tickets enabled on client" \
    "$P_SRV debug_level=3 tickets=0" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using cache: tickets enabled on server" \
    "$P_SRV debug_level=3 tickets=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "client hello, adding session ticket extension" \
    -S "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# With neither tickets nor a cache, the reconnect must be a full handshake.
run_test "Session resume using cache: cache_max=0" \
    "$P_SRV debug_level=3 tickets=0 cache_max=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using cache: cache_max=1" \
    "$P_SRV debug_level=3 tickets=0 cache_max=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using cache: timeout > delay" \
    "$P_SRV debug_level=3 tickets=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# cache_timeout=1 with reco_delay=2: the entry has expired by the reconnect.
run_test "Session resume using cache: timeout < delay" \
    "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

# cache_timeout=0 is expected to mean "entries never expire" here: the
# session is still resumed after the same 2-unit delay.
run_test "Session resume using cache: no timeout" \
    "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# The OpenSSL client saves its session to $SESSION, reuses it on a second
# connection, then removes the file. SESSION is set elsewhere in this script.
run_test "Session resume using cache: openssl client" \
    "$P_SRV debug_level=3 tickets=0" \
    "( $O_CLI -sess_out $SESSION;  $O_CLI -sess_in $SESSION;  rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed"

run_test "Session resume using cache: openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -c "a session has been resumed"

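# Tests for Max Fragment Length extension

# The tests in this section hard-code 16384 as the maximum content length.
# Refuse to run if the build configuration sets a different value, so that a
# changed limit cannot make the size checks pass or fail for the wrong reason.
MAX_CONTENT_LEN_EXPECT='16384'
# config.pl prints the configured value. An empty result is treated as
# "not overridden" and skips the check.
MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)

# NOTE(review): -ne needs integers. If the configured value is an expression
# rather than a plain number, [ reports an error and the check is silently
# skipped; consider validating the value first.
if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
    # Variables are passed as printf arguments, never inside the format
    # string, so a '%' or backslash in a path cannot alter the output.
    # CONFIG_H is expected to be set elsewhere in this script.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_CONTENT_LEN_EXPECT}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi
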
# Max Fragment Length (RFC 6066) cases. Each is guarded on whether the
# library was built with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH. The "larger
# message" cases send 16385 bytes, one more than the 16384-byte limit.
# Over TLS the data is expected to go out in two fragments; over DTLS the
# write is expected to fail with a "fragment larger than ... maximum" error.

requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: enabled, default" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension"

requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: enabled, default, larger message" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 request_size=16385" \
    0 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension" \
    -c "16385 bytes written in 2 fragments" \
    -s "16384 bytes read" \
    -s "1 bytes read"

# The last pattern is a regular expression and ends with a space.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length, DTLS: enabled, default, larger message" \
    "$P_SRV debug_level=3 dtls=1" \
    "$P_CLI debug_level=3 dtls=1 request_size=16385" \
    1 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension" \
    -c "fragment larger than.*maximum "

# Without the extension compiled in, no "Maximum fragment length" line is
# logged, but the same size limit still applies to the larger message.
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: disabled, larger message" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 request_size=16385" \
    0 \
    -C "Maximum fragment length is 16384" \
    -S "Maximum fragment length is 16384" \
    -c "16385 bytes written in 2 fragments" \
    -s "16384 bytes read" \
    -s "1 bytes read"

requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length DTLS: disabled, larger message" \
    "$P_SRV debug_level=3 dtls=1" \
    "$P_CLI debug_level=3 dtls=1 request_size=16385" \
    1 \
    -C "Maximum fragment length is 16384" \
    -S "Maximum fragment length is 16384" \
    -c "fragment larger than.*maximum "

# The client requests 4096; both sides must report that value and the full
# extension exchange must be visible in both logs.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: used by client" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 max_frag_len=4096" \
    0 \
    -c "Maximum fragment length is 4096" \
    -s "Maximum fragment length is 4096" \
    -c "client hello, adding max_fragment_length extension" \
    -s "found max fragment length extension" \
    -s "server hello, max_fragment_length extension" \
    -c "found max_fragment_length extension"

Hanno Becker05607782017-09-18 15:00:34 +01001318requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001319run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001320 "$P_SRV debug_level=3 max_frag_len=4096" \
1321 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001322 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001323 -c "Maximum fragment length is 16384" \
1324 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001325 -C "client hello, adding max_fragment_length extension" \
1326 -S "found max fragment length extension" \
1327 -S "server hello, max_fragment_length extension" \
1328 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001329
Hanno Becker05607782017-09-18 15:00:34 +01001330requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001331requires_gnutls
1332run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001333 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001334 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001335 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001336 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001337 -c "client hello, adding max_fragment_length extension" \
1338 -c "found max_fragment_length extension"
1339
Hanno Becker05607782017-09-18 15:00:34 +01001340requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001341run_test "Max fragment length: client, message just fits" \
1342 "$P_SRV debug_level=3" \
1343 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1344 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001345 -c "Maximum fragment length is 2048" \
1346 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001347 -c "client hello, adding max_fragment_length extension" \
1348 -s "found max fragment length extension" \
1349 -s "server hello, max_fragment_length extension" \
1350 -c "found max_fragment_length extension" \
1351 -c "2048 bytes written in 1 fragments" \
1352 -s "2048 bytes read"
1353
Hanno Becker05607782017-09-18 15:00:34 +01001354requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001355run_test "Max fragment length: client, larger message" \
1356 "$P_SRV debug_level=3" \
1357 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1358 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001359 -c "Maximum fragment length is 2048" \
1360 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001361 -c "client hello, adding max_fragment_length extension" \
1362 -s "found max fragment length extension" \
1363 -s "server hello, max_fragment_length extension" \
1364 -c "found max_fragment_length extension" \
1365 -c "2345 bytes written in 2 fragments" \
1366 -s "2048 bytes read" \
1367 -s "297 bytes read"
1368
Hanno Becker05607782017-09-18 15:00:34 +01001369requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +00001370run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001371 "$P_SRV debug_level=3 dtls=1" \
1372 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1373 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001374 -c "Maximum fragment length is 2048" \
1375 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001376 -c "client hello, adding max_fragment_length extension" \
1377 -s "found max fragment length extension" \
1378 -s "server hello, max_fragment_length extension" \
1379 -c "found max_fragment_length extension" \
1380 -c "fragment larger than.*maximum"
1381
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001382# Tests for renegotiation
1383
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001384run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001385 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001386 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001387 0 \
1388 -C "client hello, adding renegotiation extension" \
1389 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1390 -S "found renegotiation extension" \
1391 -s "server hello, secure renegotiation extension" \
1392 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001393 -C "=> renegotiate" \
1394 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001395 -S "write hello request"
1396
Hanno Becker78891132017-10-24 11:54:55 +01001397requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001398run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001399 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001400 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001401 0 \
1402 -c "client hello, adding renegotiation extension" \
1403 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1404 -s "found renegotiation extension" \
1405 -s "server hello, secure renegotiation extension" \
1406 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001407 -c "=> renegotiate" \
1408 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001409 -S "write hello request"
1410
Hanno Becker78891132017-10-24 11:54:55 +01001411requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001412run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001413 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001414 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001415 0 \
1416 -c "client hello, adding renegotiation extension" \
1417 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1418 -s "found renegotiation extension" \
1419 -s "server hello, secure renegotiation extension" \
1420 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001421 -c "=> renegotiate" \
1422 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001423 -s "write hello request"
1424
Janos Follath5f1dd802017-10-05 12:29:42 +01001425# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1426# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1427# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker78891132017-10-24 11:54:55 +01001428requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follath5f1dd802017-10-05 12:29:42 +01001429run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1430 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1431 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1432 0 \
1433 -c "client hello, adding renegotiation extension" \
1434 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1435 -s "found renegotiation extension" \
1436 -s "server hello, secure renegotiation extension" \
1437 -c "found renegotiation extension" \
1438 -c "=> renegotiate" \
1439 -s "=> renegotiate" \
1440 -S "write hello request" \
1441 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1442
1443# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1444# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1445# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker78891132017-10-24 11:54:55 +01001446requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follath5f1dd802017-10-05 12:29:42 +01001447run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1448 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1449 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1450 0 \
1451 -c "client hello, adding renegotiation extension" \
1452 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1453 -s "found renegotiation extension" \
1454 -s "server hello, secure renegotiation extension" \
1455 -c "found renegotiation extension" \
1456 -c "=> renegotiate" \
1457 -s "=> renegotiate" \
1458 -s "write hello request" \
1459 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1460
Hanno Becker78891132017-10-24 11:54:55 +01001461requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001462run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001463 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001464 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001465 0 \
1466 -c "client hello, adding renegotiation extension" \
1467 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1468 -s "found renegotiation extension" \
1469 -s "server hello, secure renegotiation extension" \
1470 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001471 -c "=> renegotiate" \
1472 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001473 -s "write hello request"
1474
Hanno Becker78891132017-10-24 11:54:55 +01001475requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001476run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001477 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001478 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001479 1 \
1480 -c "client hello, adding renegotiation extension" \
1481 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1482 -S "found renegotiation extension" \
1483 -s "server hello, secure renegotiation extension" \
1484 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001485 -c "=> renegotiate" \
1486 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001487 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02001488 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001489 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001490
Hanno Becker78891132017-10-24 11:54:55 +01001491requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001492run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001493 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001494 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001495 0 \
1496 -C "client hello, adding renegotiation extension" \
1497 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1498 -S "found renegotiation extension" \
1499 -s "server hello, secure renegotiation extension" \
1500 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001501 -C "=> renegotiate" \
1502 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001503 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02001504 -S "SSL - An unexpected message was received from our peer" \
1505 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +01001506
Hanno Becker78891132017-10-24 11:54:55 +01001507requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001508run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001509 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001510 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001511 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001512 0 \
1513 -C "client hello, adding renegotiation extension" \
1514 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1515 -S "found renegotiation extension" \
1516 -s "server hello, secure renegotiation extension" \
1517 -c "found renegotiation extension" \
1518 -C "=> renegotiate" \
1519 -S "=> renegotiate" \
1520 -s "write hello request" \
1521 -S "SSL - An unexpected message was received from our peer" \
1522 -S "failed"
1523
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +02001524# delay 2 for 1 alert record + 1 application data record
Hanno Becker78891132017-10-24 11:54:55 +01001525requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001526run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001527 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001528 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001529 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001530 0 \
1531 -C "client hello, adding renegotiation extension" \
1532 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1533 -S "found renegotiation extension" \
1534 -s "server hello, secure renegotiation extension" \
1535 -c "found renegotiation extension" \
1536 -C "=> renegotiate" \
1537 -S "=> renegotiate" \
1538 -s "write hello request" \
1539 -S "SSL - An unexpected message was received from our peer" \
1540 -S "failed"
1541
Hanno Becker78891132017-10-24 11:54:55 +01001542requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001543run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001544 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001545 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001546 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001547 0 \
1548 -C "client hello, adding renegotiation extension" \
1549 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1550 -S "found renegotiation extension" \
1551 -s "server hello, secure renegotiation extension" \
1552 -c "found renegotiation extension" \
1553 -C "=> renegotiate" \
1554 -S "=> renegotiate" \
1555 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +02001556 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001557
Hanno Becker78891132017-10-24 11:54:55 +01001558requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001559run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001560 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001561 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001562 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001563 0 \
1564 -c "client hello, adding renegotiation extension" \
1565 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1566 -s "found renegotiation extension" \
1567 -s "server hello, secure renegotiation extension" \
1568 -c "found renegotiation extension" \
1569 -c "=> renegotiate" \
1570 -s "=> renegotiate" \
1571 -s "write hello request" \
1572 -S "SSL - An unexpected message was received from our peer" \
1573 -S "failed"
1574
Hanno Becker78891132017-10-24 11:54:55 +01001575requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001576run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001577 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001578 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1579 0 \
1580 -C "client hello, adding renegotiation extension" \
1581 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1582 -S "found renegotiation extension" \
1583 -s "server hello, secure renegotiation extension" \
1584 -c "found renegotiation extension" \
1585 -S "record counter limit reached: renegotiate" \
1586 -C "=> renegotiate" \
1587 -S "=> renegotiate" \
1588 -S "write hello request" \
1589 -S "SSL - An unexpected message was received from our peer" \
1590 -S "failed"
1591
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01001592# one extra exchange to be able to complete renego
Hanno Becker78891132017-10-24 11:54:55 +01001593requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001594run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001595 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01001596 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001597 0 \
1598 -c "client hello, adding renegotiation extension" \
1599 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1600 -s "found renegotiation extension" \
1601 -s "server hello, secure renegotiation extension" \
1602 -c "found renegotiation extension" \
1603 -s "record counter limit reached: renegotiate" \
1604 -c "=> renegotiate" \
1605 -s "=> renegotiate" \
1606 -s "write hello request" \
1607 -S "SSL - An unexpected message was received from our peer" \
1608 -S "failed"
1609
Hanno Becker78891132017-10-24 11:54:55 +01001610requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001611run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001612 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01001613 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001614 0 \
1615 -c "client hello, adding renegotiation extension" \
1616 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1617 -s "found renegotiation extension" \
1618 -s "server hello, secure renegotiation extension" \
1619 -c "found renegotiation extension" \
1620 -s "record counter limit reached: renegotiate" \
1621 -c "=> renegotiate" \
1622 -s "=> renegotiate" \
1623 -s "write hello request" \
1624 -S "SSL - An unexpected message was received from our peer" \
1625 -S "failed"
1626
Hanno Becker78891132017-10-24 11:54:55 +01001627requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001628run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001629 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001630 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1631 0 \
1632 -C "client hello, adding renegotiation extension" \
1633 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1634 -S "found renegotiation extension" \
1635 -s "server hello, secure renegotiation extension" \
1636 -c "found renegotiation extension" \
1637 -S "record counter limit reached: renegotiate" \
1638 -C "=> renegotiate" \
1639 -S "=> renegotiate" \
1640 -S "write hello request" \
1641 -S "SSL - An unexpected message was received from our peer" \
1642 -S "failed"
1643
Hanno Becker78891132017-10-24 11:54:55 +01001644requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001645run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001646 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001647 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02001648 0 \
1649 -c "client hello, adding renegotiation extension" \
1650 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1651 -s "found renegotiation extension" \
1652 -s "server hello, secure renegotiation extension" \
1653 -c "found renegotiation extension" \
1654 -c "=> renegotiate" \
1655 -s "=> renegotiate" \
1656 -S "write hello request"
1657
Hanno Becker78891132017-10-24 11:54:55 +01001658requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001659run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001660 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001661 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02001662 0 \
1663 -c "client hello, adding renegotiation extension" \
1664 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1665 -s "found renegotiation extension" \
1666 -s "server hello, secure renegotiation extension" \
1667 -c "found renegotiation extension" \
1668 -c "=> renegotiate" \
1669 -s "=> renegotiate" \
1670 -s "write hello request"
1671
Hanno Becker78891132017-10-24 11:54:55 +01001672requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001673run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02001674 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001675 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +02001676 0 \
1677 -c "client hello, adding renegotiation extension" \
1678 -c "found renegotiation extension" \
1679 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001680 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +02001681 -C "error" \
1682 -c "HTTP/1.0 200 [Oo][Kk]"
1683
Paul Bakker539d9722015-02-08 16:18:35 +01001684requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +01001685requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001686run_test "Renegotiation: gnutls server strict, client-initiated" \
1687 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001688 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +02001689 0 \
1690 -c "client hello, adding renegotiation extension" \
1691 -c "found renegotiation extension" \
1692 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001693 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +02001694 -C "error" \
1695 -c "HTTP/1.0 200 [Oo][Kk]"
1696
Paul Bakker539d9722015-02-08 16:18:35 +01001697requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +01001698requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001699run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1700 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1701 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1702 1 \
1703 -c "client hello, adding renegotiation extension" \
1704 -C "found renegotiation extension" \
1705 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001706 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001707 -c "error" \
1708 -C "HTTP/1.0 200 [Oo][Kk]"
1709
Paul Bakker539d9722015-02-08 16:18:35 +01001710requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +01001711requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001712run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1713 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1714 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1715 allow_legacy=0" \
1716 1 \
1717 -c "client hello, adding renegotiation extension" \
1718 -C "found renegotiation extension" \
1719 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001720 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001721 -c "error" \
1722 -C "HTTP/1.0 200 [Oo][Kk]"
1723
Paul Bakker539d9722015-02-08 16:18:35 +01001724requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +01001725requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001726run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1727 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1728 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1729 allow_legacy=1" \
1730 0 \
1731 -c "client hello, adding renegotiation extension" \
1732 -C "found renegotiation extension" \
1733 -c "=> renegotiate" \
1734 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001735 -C "error" \
1736 -c "HTTP/1.0 200 [Oo][Kk]"
1737
Hanno Becker78891132017-10-24 11:54:55 +01001738requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +02001739run_test "Renegotiation: DTLS, client-initiated" \
1740 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1741 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1742 0 \
1743 -c "client hello, adding renegotiation extension" \
1744 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1745 -s "found renegotiation extension" \
1746 -s "server hello, secure renegotiation extension" \
1747 -c "found renegotiation extension" \
1748 -c "=> renegotiate" \
1749 -s "=> renegotiate" \
1750 -S "write hello request"
1751
Hanno Becker78891132017-10-24 11:54:55 +01001752requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02001753run_test "Renegotiation: DTLS, server-initiated" \
1754 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +02001755 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1756 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02001757 0 \
1758 -c "client hello, adding renegotiation extension" \
1759 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1760 -s "found renegotiation extension" \
1761 -s "server hello, secure renegotiation extension" \
1762 -c "found renegotiation extension" \
1763 -c "=> renegotiate" \
1764 -s "=> renegotiate" \
1765 -s "write hello request"
1766
Hanno Becker78891132017-10-24 11:54:55 +01001767requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG9b1927b2017-01-19 16:30:57 +00001768run_test "Renegotiation: DTLS, renego_period overflow" \
1769 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1770 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1771 0 \
1772 -c "client hello, adding renegotiation extension" \
1773 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1774 -s "found renegotiation extension" \
1775 -s "server hello, secure renegotiation extension" \
1776 -s "record counter limit reached: renegotiate" \
1777 -c "=> renegotiate" \
1778 -s "=> renegotiate" \
Hanno Becker78891132017-10-24 11:54:55 +01001779 -s "write hello request"
Andres AG9b1927b2017-01-19 16:30:57 +00001780
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00001781requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +01001782requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +02001783run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1784 "$G_SRV -u --mtu 4096" \
1785 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1786 0 \
1787 -c "client hello, adding renegotiation extension" \
1788 -c "found renegotiation extension" \
1789 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001790 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +02001791 -C "error" \
1792 -s "Extra-header:"
1793
# Test for the "secure renegotiation" extension only (no actual renegotiation)
#
# These runs check how each side reacts to a GnuTLS peer that does, or does
# not, advertise secure renegotiation during the initial handshake.
#
# NOTE(review): run_test and requires_gnutls are defined outside this excerpt.
# The comments below read the arguments as: server command, client command,
# expected client exit status, then -c/-s = pattern required in the
# client/server log and -C/-S = pattern forbidden there - confirm against them.

# Server advertises the extension: the client finds it and the request
# succeeds.
requires_gnutls
run_test    "Renego ext: gnutls server strict, client default" \
            "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3" \
            0 \
            -c "found renegotiation extension" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

# Server omits the extension and the client uses its defaults: the connection
# is still expected to succeed, i.e. by default a peer without secure
# renegotiation support is tolerated for the initial handshake.
requires_gnutls
run_test    "Renego ext: gnutls server unsafe, client default" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3" \
            0 \
            -C "found renegotiation extension" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

# Same server with allow_legacy=-1 on the client ("break legacy" per the test
# name): the connection is expected to fail (status 1, error logged, no HTTP
# 200). This is the strict setting that rejects such peers outright.
requires_gnutls
run_test    "Renego ext: gnutls server unsafe, client break legacy" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 allow_legacy=-1" \
            1 \
            -C "found renegotiation extension" \
            -c "error" \
            -C "HTTP/1.0 200 [Oo][Kk]"

# GnuTLS client advertising secure renegotiation: the server must log either
# the TLS_EMPTY_RENEGOTIATION_INFO value or the extension (the \| in the
# pattern is an alternation) and answer with its own extension.
requires_gnutls
run_test    "Renego ext: gnutls client strict, server default" \
            "$P_SRV debug_level=3" \
            "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
            0 \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
            -s "server hello, secure renegotiation extension"

# GnuTLS client with safe renegotiation disabled: the server must see neither
# signal and must not send the extension, yet the run is expected to succeed.
requires_gnutls
run_test    "Renego ext: gnutls client unsafe, server default" \
            "$P_SRV debug_level=3" \
            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            0 \
            -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
            -S "server hello, secure renegotiation extension"
1838
Paul Bakker539d9722015-02-08 16:18:35 +01001839requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001840run_test "Renego ext: gnutls client unsafe, server break legacy" \
1841 "$P_SRV debug_level=3 allow_legacy=-1" \
1842 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1843 1 \
1844 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1845 -S "server hello, secure renegotiation extension"
1846
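# Tests for silently dropping trailing extra bytes in .der certificates.
# The server certificate files are named after the number of extra bytes
# appended (der0 = none, der1a = one zero byte, der1b = one random byte, ...).
# Every case expects the GnuTLS client to complete the handshake, so the
# trailing bytes are tolerated rather than treated as a reason to reject.
# NOTE(review): this pins lenient loading of the server's own certificate;
# presumably the extra bytes are dropped before the certificate is sent to the
# peer. Confirm against the parser.
# Each call ends on its last argument, with no dangling line continuation, so
# the statement does not depend on the blank line that follows it.

requires_gnutls
run_test "DER format: no trailing bytes" \
    "$P_SRV crt_file=data_files/server5-der0.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with a trailing zero byte" \
    "$P_SRV crt_file=data_files/server5-der1a.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with a trailing random byte" \
    "$P_SRV crt_file=data_files/server5-der1b.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 2 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der2.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 4 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der4.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 8 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der8.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 9 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der9.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"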
1904
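# Tests for auth_mode
#
# The server presents a certificate with a bad signature
# (server5-badsign.crt).
#   required: the client aborts the handshake (exit 1).
#   optional: the verification failure is still logged, but the handshake
#             completes (exit 0). An application using this mode has to check
#             the verification result itself (mbedtls_ssl_get_verify_result)
#             before trusting the peer.

run_test "Authentication: server badcert, client required" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=required" \
    1 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! mbedtls_ssl_handshake returned" \
    -c "X509 - Certificate verification failed"

run_test "Authentication: server badcert, client optional" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=optional" \
    0 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed"

# The client has no trust anchors at all (ca_file=none ca_path=none).
# optional: the handshake completes and the verification flags are printed.
# required: the handshake fails with the dedicated "No CA Chain" error.
run_test "Authentication: server goodcert, client optional, no trusted CA" \
    "$P_SRV" \
    "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
    0 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! Certificate verification flags" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed" \
    -C "SSL - No CA Chain is set, but required to operate"

run_test "Authentication: server goodcert, client required, no trusted CA" \
    "$P_SRV" \
    "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
    1 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! Certificate verification flags" \
    -c "! mbedtls_ssl_handshake returned" \
    -c "SSL - No CA Chain is set, but required to operate"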
1947
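# The next two tests check the client's behaviour when it receives a server
# certificate that uses an elliptic curve it does not support. This should
# usually not happen, because the client tells the server which curves it
# supports. It does happen, though, in the corner case of a static ECDH suite,
# because the server doesn't check the curve on that occasion (to be fixed).
# Once that bug is fixed, these tests need a different means of making the
# server ignore the client's supported curve list.
#
# Both variants expect exit 1: auth_mode=optional does not let the handshake
# through here, it only moves the failure to the later ECDH parameter check.

requires_config_enabled MBEDTLS_ECP_C
run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
    "$P_SRV debug_level=1 key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
    1 \
    -c "bad certificate (EC key curve)" \
    -c "! Certificate verification flags" \
    -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage

requires_config_enabled MBEDTLS_ECP_C
run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
    "$P_SRV debug_level=1 key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
    1 \
    -c "bad certificate (EC key curve)" \
    -c "! Certificate verification flags" \
    -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check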
1974
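# auth_mode=none on the client: the bad server certificate is not verified at
# all (no x509_verify_cert() line may appear) and the handshake completes.
# This mode gives no assurance about the peer's identity.
run_test "Authentication: server badcert, client none" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=none" \
    0 \
    -C "x509_verify_cert() returned" \
    -C "! The certificate is not correctly signed by the trusted CA" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed"

# Client authentication: the client presents the bad-signature certificate.
# required: the server requests a certificate, verification fails, and both
#           sides report a failed handshake (exit 1).
run_test "Authentication: client badcert, server required" \
    "$P_SRV debug_level=3 auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -s "! mbedtls_ssl_handshake returned" \
    -c "! mbedtls_ssl_handshake returned" \
    -s "X509 - Certificate verification failed"

# optional: the server logs the bad signature, but the handshake completes,
#           so the client is connected without having been authenticated.
run_test "Authentication: client badcert, server optional" \
    "$P_SRV debug_level=3 auth_mode=optional" \
    "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -S "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"

# none: the server sends no certificate request, so the client's certificate
#       is never transmitted or checked.
run_test "Authentication: client badcert, server none" \
    "$P_SRV debug_level=3 auth_mode=none" \
    "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    0 \
    -s "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got no certificate request" \
    -c "skip write certificate" \
    -c "skip write certificate verify" \
    -s "skip parse certificate verify" \
    -S "x509_verify_cert() returned" \
    -S "! The certificate is not correctly signed by the trusted CA" \
    -S "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"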
2035
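# Client sends no certificate while the server asks for one with
# auth_mode=optional: the server records "Certificate was missing" and the
# handshake still completes. The trailing "$" in "skip write certificate$"
# anchors the pattern at end of line so that it does not also match
# "skip write certificate verify".
run_test "Authentication: client no cert, server optional" \
    "$P_SRV debug_level=3 auth_mode=optional" \
    "$P_CLI debug_level=3 crt_file=none key_file=none" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate$" \
    -C "got no certificate to send" \
    -S "SSLv3 client has no certificate" \
    -c "skip write certificate verify" \
    -s "skip parse certificate verify" \
    -s "! Certificate was missing" \
    -S "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"

# Same scenario with an OpenSSL client; only server-side output is checked.
run_test "Authentication: openssl client no cert, server optional" \
    "$P_SRV debug_level=3 auth_mode=optional" \
    "$O_CLI" \
    0 \
    -S "skip write certificate request" \
    -s "skip parse certificate verify" \
    -s "! Certificate was missing" \
    -S "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"

# Same scenario against an OpenSSL server that requests a client certificate
# (-verify 10); only client-side output is checked.
run_test "Authentication: client no cert, openssl server optional" \
    "$O_SRV -verify 10" \
    "$P_CLI debug_level=3 crt_file=none key_file=none" \
    0 \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate$" \
    -c "skip write certificate verify" \
    -C "! mbedtls_ssl_handshake returned"

# SSLv3 variant: here the client logs "got no certificate to send" and the
# server logs "SSLv3 client has no certificate", the two lines the first test
# above requires to be absent.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Authentication: client no cert, ssl3" \
    "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
    "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate$" \
    -c "skip write certificate verify" \
    -c "got no certificate to send" \
    -s "SSLv3 client has no certificate" \
    -s "skip parse certificate verify" \
    -s "! Certificate was missing" \
    -S "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"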
2090
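# Certificate chain length limit. c09.pem is the longest chain the verifier is
# expected to accept ("max_int"), c10.pem is one certificate longer.
# NOTE(review): presumably "max_int" is the build's limit on intermediate CAs;
# confirm against the configuration used to generate dir-maxpath.
# A chain that is too long is a fatal X509 error, not a soft verification
# flag: the handshake fails even with auth_mode=optional. Only a peer that
# does not verify at all (auth_mode=none) lets it through.

run_test "Authentication: server max_int chain, client default" \
    "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
     key_file=data_files/dir-maxpath/09.key" \
    "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
    0 \
    -C "X509 - A fatal error occured"

run_test "Authentication: server max_int+1 chain, client default" \
    "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
    1 \
    -c "X509 - A fatal error occured"

run_test "Authentication: server max_int+1 chain, client optional" \
    "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
     auth_mode=optional" \
    1 \
    -c "X509 - A fatal error occured"

run_test "Authentication: server max_int+1 chain, client none" \
    "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
     auth_mode=none" \
    0 \
    -C "X509 - A fatal error occured"

# Same limit applied to the client's chain. With the server's default
# auth_mode the over-long chain is accepted without a fatal error, presumably
# because the server does not verify client certificates by default.
run_test "Authentication: client max_int+1 chain, server default" \
    "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
    "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    0 \
    -S "X509 - A fatal error occured"

run_test "Authentication: client max_int+1 chain, server optional" \
    "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
    "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    1 \
    -s "X509 - A fatal error occured"

run_test "Authentication: client max_int+1 chain, server required" \
    "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
    "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    1 \
    -s "X509 - A fatal error occured"

run_test "Authentication: client max_int chain, server required" \
    "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
    "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
     key_file=data_files/dir-maxpath/09.key" \
    0 \
    -S "X509 - A fatal error occured"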
2148
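# Tests for certificate selection based on SHA version
#
# The server is configured with two certificates. A TLS 1.2 client must be
# served the SHA-256-signed one; TLS 1.1 and TLS 1.0 clients get the
# SHA-1-signed one when the server has it.

run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
    "$P_SRV crt_file=data_files/server5.crt \
     key_file=data_files/server5.key \
     crt_file2=data_files/server5-sha1.crt \
     key_file2=data_files/server5.key" \
    "$P_CLI force_version=tls1_2" \
    0 \
    -c "signed using.*ECDSA with SHA256" \
    -C "signed using.*ECDSA with SHA1"

run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
    "$P_SRV crt_file=data_files/server5.crt \
     key_file=data_files/server5.key \
     crt_file2=data_files/server5-sha1.crt \
     key_file2=data_files/server5.key" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -C "signed using.*ECDSA with SHA256" \
    -c "signed using.*ECDSA with SHA1"

run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
    "$P_SRV crt_file=data_files/server5.crt \
     key_file=data_files/server5.key \
     crt_file2=data_files/server5-sha1.crt \
     key_file2=data_files/server5.key" \
    "$P_CLI force_version=tls1" \
    0 \
    -C "signed using.*ECDSA with SHA256" \
    -c "signed using.*ECDSA with SHA1"

# No SHA-1 certificate is configured: a TLS 1.1 client is served a SHA-256
# certificate instead of the handshake failing. The serial number shows that
# the first configured certificate is chosen, whichever order they are given
# in (09 for server5.crt first, 0A for server6.crt first).
run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
    "$P_SRV crt_file=data_files/server5.crt \
     key_file=data_files/server5.key \
     crt_file2=data_files/server6.crt \
     key_file2=data_files/server6.key" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "serial number.*09" \
    -c "signed using.*ECDSA with SHA256" \
    -C "signed using.*ECDSA with SHA1"

run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
    "$P_SRV crt_file=data_files/server6.crt \
     key_file=data_files/server6.key \
     crt_file2=data_files/server5.crt \
     key_file2=data_files/server5.key" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "serial number.*0A" \
    -c "signed using.*ECDSA with SHA256" \
    -C "signed using.*ECDSA with SHA1"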
2202
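# Tests for SNI
#
# The sni= server option takes groups of six comma-separated fields. As used
# in this file they look like name,crt,key,ca,crl,auth_mode, with "-" meaning
# "no override" (inferred from the test names and values; confirm against
# ssl_server2's usage text).

# Without an sni= list the server does not parse the ServerName extension and
# serves its default certificate (issued by the EC test CA).
run_test "SNI: no SNI callback" \
    "$P_SRV debug_level=3 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key" \
    "$P_CLI server_name=localhost" \
    0 \
    -S "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

# The requested name selects the matching entry's certificate, which is
# issued by a different CA than the default one.
run_test "SNI: matching cert 1" \
    "$P_SRV debug_level=3 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=localhost" \
    0 \
    -s "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

run_test "SNI: matching cert 2" \
    "$P_SRV debug_level=3 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=polarssl.example" \
    0 \
    -s "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"

# An unknown name is rejected with a fatal alert instead of silently falling
# back to the default certificate.
run_test "SNI: no matching cert" \
    "$P_SRV debug_level=3 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=nonesuch.example" \
    1 \
    -s "parse ServerName extension" \
    -s "ssl_sni_wrapper() returned" \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -c "SSL - A fatal alert message was received from our peer"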
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002245
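# Per-name client-authentication policy: the last field of an sni= entry
# replaces the server-wide auth_mode for that name, and "-" keeps it. The
# override works in both directions, so a name can also switch client
# authentication off ("optional -> none").

run_test "SNI: client auth no override: optional" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
    "$P_CLI debug_level=3 server_name=localhost" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify"

run_test "SNI: client auth override: none -> optional" \
    "$P_SRV debug_level=3 auth_mode=none \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
    "$P_CLI debug_level=3 server_name=localhost" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify"

run_test "SNI: client auth override: optional -> none" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
    "$P_CLI debug_level=3 server_name=localhost" \
    0 \
    -s "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got no certificate request" \
    -c "skip write certificate" \
    -c "skip write certificate verify" \
    -s "skip parse certificate verify"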
2284
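# Per-name trust anchors: the fourth and fifth fields of an sni= entry replace
# the CA file and CRL used to verify the client certificate for that name.
# The client always presents server6.crt and the per-name auth_mode is
# "required":
#   no override       -> verified against test-ca.crt, bad signature, exit 1
#   CA override       -> verified against test-ca2.crt, accepted, exit 0
#   CA override + CRL -> signature is fine but the certificate is on the CRL,
#                        exit 1

run_test "SNI: CA no override" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     ca_file=data_files/test-ca.crt \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
    "$P_CLI debug_level=3 server_name=localhost \
     crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -S "The certificate has been revoked (is on a CRL)"

run_test "SNI: CA override" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     ca_file=data_files/test-ca.crt \
     sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
    "$P_CLI debug_level=3 server_name=localhost \
     crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -S "x509_verify_cert() returned" \
    -S "! The certificate is not correctly signed by the trusted CA" \
    -S "The certificate has been revoked (is on a CRL)"

run_test "SNI: CA override with CRL" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     ca_file=data_files/test-ca.crt \
     sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
    "$P_CLI debug_level=3 server_name=localhost \
     crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -S "! The certificate is not correctly signed by the trusted CA" \
    -s "The certificate has been revoked (is on a CRL)"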
2338
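# Tests for non-blocking I/O: exercise a variety of handshake flows
#
# Both peers run with nbio=2. Every case combines session tickets, client
# authentication and resumption differently and makes the same three checks:
# no handshake error on the server, none on the client, and the client reads
# application data from the server.

run_test "Non-blocking I/O: basic handshake" \
    "$P_SRV nbio=2 tickets=0 auth_mode=none" \
    "$P_CLI nbio=2 tickets=0" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: client auth" \
    "$P_SRV nbio=2 tickets=0 auth_mode=required" \
    "$P_CLI nbio=2 tickets=0" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket" \
    "$P_SRV nbio=2 tickets=1 auth_mode=none" \
    "$P_CLI nbio=2 tickets=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + client auth" \
    "$P_SRV nbio=2 tickets=1 auth_mode=required" \
    "$P_CLI nbio=2 tickets=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + client auth + resume" \
    "$P_SRV nbio=2 tickets=1 auth_mode=required" \
    "$P_CLI nbio=2 tickets=1 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + resume" \
    "$P_SRV nbio=2 tickets=1 auth_mode=none" \
    "$P_CLI nbio=2 tickets=1 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: session-id resume" \
    "$P_SRV nbio=2 tickets=0 auth_mode=none" \
    "$P_CLI nbio=2 tickets=0 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"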
2396
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002397# Tests for version negotiation
2398
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002399run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002400 "$P_SRV" \
2401 "$P_CLI" \
2402 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002403 -S "mbedtls_ssl_handshake returned" \
2404 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002405 -s "Protocol is TLSv1.2" \
2406 -c "Protocol is TLSv1.2"
2407
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002408run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002409 "$P_SRV" \
2410 "$P_CLI max_version=tls1_1" \
2411 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002412 -S "mbedtls_ssl_handshake returned" \
2413 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002414 -s "Protocol is TLSv1.1" \
2415 -c "Protocol is TLSv1.1"
2416
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002417run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002418 "$P_SRV max_version=tls1_1" \
2419 "$P_CLI" \
2420 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002421 -S "mbedtls_ssl_handshake returned" \
2422 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002423 -s "Protocol is TLSv1.1" \
2424 -c "Protocol is TLSv1.1"
2425
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002426run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002427 "$P_SRV max_version=tls1_1" \
2428 "$P_CLI max_version=tls1_1" \
2429 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002430 -S "mbedtls_ssl_handshake returned" \
2431 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002432 -s "Protocol is TLSv1.1" \
2433 -c "Protocol is TLSv1.1"
2434
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002435run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002436 "$P_SRV min_version=tls1_1" \
2437 "$P_CLI max_version=tls1_1" \
2438 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002439 -S "mbedtls_ssl_handshake returned" \
2440 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002441 -s "Protocol is TLSv1.1" \
2442 -c "Protocol is TLSv1.1"
2443
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002444run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002445 "$P_SRV max_version=tls1_1" \
2446 "$P_CLI min_version=tls1_1" \
2447 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002448 -S "mbedtls_ssl_handshake returned" \
2449 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002450 -s "Protocol is TLSv1.1" \
2451 -c "Protocol is TLSv1.1"
2452
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002453run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002454 "$P_SRV max_version=tls1_1" \
2455 "$P_CLI min_version=tls1_2" \
2456 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002457 -s "mbedtls_ssl_handshake returned" \
2458 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002459 -c "SSL - Handshake protocol not within min/max boundaries"
2460
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002461run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002462 "$P_SRV min_version=tls1_2" \
2463 "$P_CLI max_version=tls1_1" \
2464 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002465 -s "mbedtls_ssl_handshake returned" \
2466 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01002467 -s "SSL - Handshake protocol not within min/max boundaries"
2468
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002469# Tests for ALPN extension
2470
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002471run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002472 "$P_SRV debug_level=3" \
2473 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002474 0 \
2475 -C "client hello, adding alpn extension" \
2476 -S "found alpn extension" \
2477 -C "got an alert message, type: \\[2:120]" \
2478 -S "server hello, adding alpn extension" \
2479 -C "found alpn extension " \
2480 -C "Application Layer Protocol is" \
2481 -S "Application Layer Protocol is"
2482
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002483run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002484 "$P_SRV debug_level=3" \
2485 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002486 0 \
2487 -c "client hello, adding alpn extension" \
2488 -s "found alpn extension" \
2489 -C "got an alert message, type: \\[2:120]" \
2490 -S "server hello, adding alpn extension" \
2491 -C "found alpn extension " \
2492 -c "Application Layer Protocol is (none)" \
2493 -S "Application Layer Protocol is"
2494
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002495run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002496 "$P_SRV debug_level=3 alpn=abc,1234" \
2497 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002498 0 \
2499 -C "client hello, adding alpn extension" \
2500 -S "found alpn extension" \
2501 -C "got an alert message, type: \\[2:120]" \
2502 -S "server hello, adding alpn extension" \
2503 -C "found alpn extension " \
2504 -C "Application Layer Protocol is" \
2505 -s "Application Layer Protocol is (none)"
2506
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002507run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002508 "$P_SRV debug_level=3 alpn=abc,1234" \
2509 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002510 0 \
2511 -c "client hello, adding alpn extension" \
2512 -s "found alpn extension" \
2513 -C "got an alert message, type: \\[2:120]" \
2514 -s "server hello, adding alpn extension" \
2515 -c "found alpn extension" \
2516 -c "Application Layer Protocol is abc" \
2517 -s "Application Layer Protocol is abc"
2518
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002519run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002520 "$P_SRV debug_level=3 alpn=abc,1234" \
2521 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002522 0 \
2523 -c "client hello, adding alpn extension" \
2524 -s "found alpn extension" \
2525 -C "got an alert message, type: \\[2:120]" \
2526 -s "server hello, adding alpn extension" \
2527 -c "found alpn extension" \
2528 -c "Application Layer Protocol is abc" \
2529 -s "Application Layer Protocol is abc"
2530
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002531run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002532 "$P_SRV debug_level=3 alpn=abc,1234" \
2533 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002534 0 \
2535 -c "client hello, adding alpn extension" \
2536 -s "found alpn extension" \
2537 -C "got an alert message, type: \\[2:120]" \
2538 -s "server hello, adding alpn extension" \
2539 -c "found alpn extension" \
2540 -c "Application Layer Protocol is 1234" \
2541 -s "Application Layer Protocol is 1234"
2542
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002543run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002544 "$P_SRV debug_level=3 alpn=abc,123" \
2545 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02002546 1 \
2547 -c "client hello, adding alpn extension" \
2548 -s "found alpn extension" \
2549 -c "got an alert message, type: \\[2:120]" \
2550 -S "server hello, adding alpn extension" \
2551 -C "found alpn extension" \
2552 -C "Application Layer Protocol is 1234" \
2553 -S "Application Layer Protocol is 1234"
2554
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +02002555
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002556# Tests for keyUsage in leaf certificates, part 1:
2557# server-side certificate/suite selection
2558
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002559run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002560 "$P_SRV key_file=data_files/server2.key \
2561 crt_file=data_files/server2.ku-ds.crt" \
2562 "$P_CLI" \
2563 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +02002564 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002565
2566
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002567run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002568 "$P_SRV key_file=data_files/server2.key \
2569 crt_file=data_files/server2.ku-ke.crt" \
2570 "$P_CLI" \
2571 0 \
2572 -c "Ciphersuite is TLS-RSA-WITH-"
2573
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002574run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02002575 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002576 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02002577 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002578 1 \
2579 -C "Ciphersuite is "
2580
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002581run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002582 "$P_SRV key_file=data_files/server5.key \
2583 crt_file=data_files/server5.ku-ds.crt" \
2584 "$P_CLI" \
2585 0 \
2586 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2587
2588
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002589run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002590 "$P_SRV key_file=data_files/server5.key \
2591 crt_file=data_files/server5.ku-ka.crt" \
2592 "$P_CLI" \
2593 0 \
2594 -c "Ciphersuite is TLS-ECDH-"
2595
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002596run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02002597 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002598 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02002599 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002600 1 \
2601 -C "Ciphersuite is "
2602
2603# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002604# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002605
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002606run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002607 "$O_SRV -key data_files/server2.key \
2608 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002609 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002610 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2611 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002612 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002613 -C "Processing of the Certificate handshake message failed" \
2614 -c "Ciphersuite is TLS-"
2615
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002616run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002617 "$O_SRV -key data_files/server2.key \
2618 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002619 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002620 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2621 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002622 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002623 -C "Processing of the Certificate handshake message failed" \
2624 -c "Ciphersuite is TLS-"
2625
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002626run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002627 "$O_SRV -key data_files/server2.key \
2628 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002629 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002630 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2631 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002632 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002633 -C "Processing of the Certificate handshake message failed" \
2634 -c "Ciphersuite is TLS-"
2635
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002636run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002637 "$O_SRV -key data_files/server2.key \
2638 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002639 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002640 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2641 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002642 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002643 -c "Processing of the Certificate handshake message failed" \
2644 -C "Ciphersuite is TLS-"
2645
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01002646run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2647 "$O_SRV -key data_files/server2.key \
2648 -cert data_files/server2.ku-ke.crt" \
2649 "$P_CLI debug_level=1 auth_mode=optional \
2650 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2651 0 \
2652 -c "bad certificate (usage extensions)" \
2653 -C "Processing of the Certificate handshake message failed" \
2654 -c "Ciphersuite is TLS-" \
2655 -c "! Usage does not match the keyUsage extension"
2656
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002657run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002658 "$O_SRV -key data_files/server2.key \
2659 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002660 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002661 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2662 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002663 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002664 -C "Processing of the Certificate handshake message failed" \
2665 -c "Ciphersuite is TLS-"
2666
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002667run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002668 "$O_SRV -key data_files/server2.key \
2669 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002670 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002671 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2672 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002673 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02002674 -c "Processing of the Certificate handshake message failed" \
2675 -C "Ciphersuite is TLS-"
2676
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01002677run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2678 "$O_SRV -key data_files/server2.key \
2679 -cert data_files/server2.ku-ds.crt" \
2680 "$P_CLI debug_level=1 auth_mode=optional \
2681 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2682 0 \
2683 -c "bad certificate (usage extensions)" \
2684 -C "Processing of the Certificate handshake message failed" \
2685 -c "Ciphersuite is TLS-" \
2686 -c "! Usage does not match the keyUsage extension"
2687
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002688# Tests for keyUsage in leaf certificates, part 3:
2689# server-side checking of client cert
2690
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002691run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002692 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002693 "$O_CLI -key data_files/server2.key \
2694 -cert data_files/server2.ku-ds.crt" \
2695 0 \
2696 -S "bad certificate (usage extensions)" \
2697 -S "Processing of the Certificate handshake message failed"
2698
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002699run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002700 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002701 "$O_CLI -key data_files/server2.key \
2702 -cert data_files/server2.ku-ke.crt" \
2703 0 \
2704 -s "bad certificate (usage extensions)" \
2705 -S "Processing of the Certificate handshake message failed"
2706
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002707run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002708 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002709 "$O_CLI -key data_files/server2.key \
2710 -cert data_files/server2.ku-ke.crt" \
2711 1 \
2712 -s "bad certificate (usage extensions)" \
2713 -s "Processing of the Certificate handshake message failed"
2714
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002715run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002716 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002717 "$O_CLI -key data_files/server5.key \
2718 -cert data_files/server5.ku-ds.crt" \
2719 0 \
2720 -S "bad certificate (usage extensions)" \
2721 -S "Processing of the Certificate handshake message failed"
2722
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002723run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002724 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02002725 "$O_CLI -key data_files/server5.key \
2726 -cert data_files/server5.ku-ka.crt" \
2727 0 \
2728 -s "bad certificate (usage extensions)" \
2729 -S "Processing of the Certificate handshake message failed"
2730
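# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
#
# Each case gives the server the server5 key with a certificate carrying a
# different extendedKeyUsage set and checks only the exit status: 0 when the
# certificate may be used for server authentication, 1 when it may not.
# The certificate file in each case matches the usage named in its title,
# using the same file names as the client-side cases in part 2
# (eku-srv, eku-srv_cli, eku-cs_any, eku-cs).

run_test "extKeyUsage srv: serverAuth -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-srv.crt" \
 "$P_CLI" \
 0

# Uses the serverAuth+clientAuth certificate so that this case covers a
# different certificate than the serverAuth-only case above.
run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-srv_cli.crt" \
 "$P_CLI" \
 0

run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-cs_any.crt" \
 "$P_CLI" \
 0

# Uses the codeSign-only certificate named in the title: a certificate without
# a server-authentication usage must not be selected, so the handshake fails.
run_test "extKeyUsage srv: codeSign -> fail" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-cs.crt" \
 "$P_CLI" \
 1
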
2757# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2758
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002759run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002760 "$O_SRV -key data_files/server5.key \
2761 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002762 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002763 0 \
2764 -C "bad certificate (usage extensions)" \
2765 -C "Processing of the Certificate handshake message failed" \
2766 -c "Ciphersuite is TLS-"
2767
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002768run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002769 "$O_SRV -key data_files/server5.key \
2770 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002771 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002772 0 \
2773 -C "bad certificate (usage extensions)" \
2774 -C "Processing of the Certificate handshake message failed" \
2775 -c "Ciphersuite is TLS-"
2776
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002777run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002778 "$O_SRV -key data_files/server5.key \
2779 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002780 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002781 0 \
2782 -C "bad certificate (usage extensions)" \
2783 -C "Processing of the Certificate handshake message failed" \
2784 -c "Ciphersuite is TLS-"
2785
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002786run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002787 "$O_SRV -key data_files/server5.key \
2788 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002789 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002790 1 \
2791 -c "bad certificate (usage extensions)" \
2792 -c "Processing of the Certificate handshake message failed" \
2793 -C "Ciphersuite is TLS-"
2794
2795# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2796
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002797run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002798 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002799 "$O_CLI -key data_files/server5.key \
2800 -cert data_files/server5.eku-cli.crt" \
2801 0 \
2802 -S "bad certificate (usage extensions)" \
2803 -S "Processing of the Certificate handshake message failed"
2804
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002805run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002806 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002807 "$O_CLI -key data_files/server5.key \
2808 -cert data_files/server5.eku-srv_cli.crt" \
2809 0 \
2810 -S "bad certificate (usage extensions)" \
2811 -S "Processing of the Certificate handshake message failed"
2812
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002813run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002814 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002815 "$O_CLI -key data_files/server5.key \
2816 -cert data_files/server5.eku-cs_any.crt" \
2817 0 \
2818 -S "bad certificate (usage extensions)" \
2819 -S "Processing of the Certificate handshake message failed"
2820
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002821run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002822 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002823 "$O_CLI -key data_files/server5.key \
2824 -cert data_files/server5.eku-cs.crt" \
2825 0 \
2826 -s "bad certificate (usage extensions)" \
2827 -S "Processing of the Certificate handshake message failed"
2828
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002829run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002830 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02002831 "$O_CLI -key data_files/server5.key \
2832 -cert data_files/server5.eku-cs.crt" \
2833 1 \
2834 -s "bad certificate (usage extensions)" \
2835 -s "Processing of the Certificate handshake message failed"
2836
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02002837# Tests for DHM parameters loading
2838
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002839run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02002840 "$P_SRV" \
2841 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2842 debug_level=3" \
2843 0 \
2844 -c "value of 'DHM: P ' (2048 bits)" \
2845 -c "value of 'DHM: G ' (2048 bits)"
2846
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002847run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02002848 "$P_SRV dhm_file=data_files/dhparams.pem" \
2849 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2850 debug_level=3" \
2851 0 \
2852 -c "value of 'DHM: P ' (1024 bits)" \
2853 -c "value of 'DHM: G ' (2 bits)"
2854
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +02002855# Tests for DHM client-side size checking
2856
2857run_test "DHM size: server default, client default, OK" \
2858 "$P_SRV" \
2859 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2860 debug_level=1" \
2861 0 \
2862 -C "DHM prime too short:"
2863
2864run_test "DHM size: server default, client 2048, OK" \
2865 "$P_SRV" \
2866 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2867 debug_level=1 dhmlen=2048" \
2868 0 \
2869 -C "DHM prime too short:"
2870
2871run_test "DHM size: server 1024, client default, OK" \
2872 "$P_SRV dhm_file=data_files/dhparams.pem" \
2873 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2874 debug_level=1" \
2875 0 \
2876 -C "DHM prime too short:"
2877
2878run_test "DHM size: server 1000, client default, rejected" \
2879 "$P_SRV dhm_file=data_files/dh.1000.pem" \
2880 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2881 debug_level=1" \
2882 1 \
2883 -c "DHM prime too short:"
2884
2885run_test "DHM size: server default, client 2049, rejected" \
2886 "$P_SRV" \
2887 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2888 debug_level=1 dhmlen=2049" \
2889 1 \
2890 -c "DHM prime too short:"
2891
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002892# Tests for PSK callback
2893
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002894run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002895 "$P_SRV psk=abc123 psk_identity=foo" \
2896 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2897 psk_identity=foo psk=abc123" \
2898 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01002899 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +02002900 -S "SSL - Unknown identity received" \
2901 -S "SSL - Verification of the message MAC failed"
2902
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002903run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +02002904 "$P_SRV" \
2905 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2906 psk_identity=foo psk=abc123" \
2907 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01002908 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002909 -S "SSL - Unknown identity received" \
2910 -S "SSL - Verification of the message MAC failed"
2911
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002912run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002913 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2914 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2915 psk_identity=foo psk=abc123" \
2916 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01002917 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002918 -s "SSL - Unknown identity received" \
2919 -S "SSL - Verification of the message MAC failed"
2920
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002921run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002922 "$P_SRV psk_list=abc,dead,def,beef" \
2923 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2924 psk_identity=abc psk=dead" \
2925 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01002926 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002927 -S "SSL - Unknown identity received" \
2928 -S "SSL - Verification of the message MAC failed"
2929
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002930run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002931 "$P_SRV psk_list=abc,dead,def,beef" \
2932 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2933 psk_identity=def psk=beef" \
2934 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01002935 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002936 -S "SSL - Unknown identity received" \
2937 -S "SSL - Verification of the message MAC failed"
2938
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002939run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002940 "$P_SRV psk_list=abc,dead,def,beef" \
2941 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2942 psk_identity=ghi psk=beef" \
2943 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01002944 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002945 -s "SSL - Unknown identity received" \
2946 -S "SSL - Verification of the message MAC failed"
2947
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002948run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002949 "$P_SRV psk_list=abc,dead,def,beef" \
2950 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2951 psk_identity=abc psk=beef" \
2952 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01002953 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02002954 -S "SSL - Unknown identity received" \
2955 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02002956
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02002957# Tests for ciphersuites per version
2958
Janos Follath542ee5d2016-03-07 15:57:05 +00002959requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002960run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01002961 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02002962 "$P_CLI force_version=ssl3" \
2963 0 \
2964 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
2965
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002966run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01002967 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01002968 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02002969 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01002970 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02002971
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002972run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01002973 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02002974 "$P_CLI force_version=tls1_1" \
2975 0 \
2976 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
2977
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002978run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01002979 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02002980 "$P_CLI force_version=tls1_2" \
2981 0 \
2982 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
2983
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +02002984# Test for ClientHello without extensions
2985
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +02002986requires_gnutls
Gilles Peskine7344e1b2017-05-12 13:16:40 +02002987run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +02002988 "$P_SRV debug_level=3" \
2989 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
2990 0 \
2991 -s "dumping 'client hello extensions' (0 bytes)"
2992
Gilles Peskine7344e1b2017-05-12 13:16:40 +02002993requires_gnutls
2994run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
2995 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
2996 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
2997 0 \
2998 -s "dumping 'client hello extensions' (0 bytes)"
2999
# Tests for mbedtls_ssl_get_bytes_avail()
#
# Both tests look at the server's "Read from client" line. With a 100-byte
# request the line must end right after "bytes read" (note the trailing $);
# with a 500-byte request it must be followed by a parenthesised part that
# contains a '+'.
# NOTE(review): presumably the parenthesised part reports bytes still
# buffered in the record beyond what one read returned - confirm against the
# message printed by the server program.

run_test    "mbedtls_ssl_get_bytes_avail: no extra data" \
            "$P_SRV" \
            "$P_CLI request_size=100" \
            0 \
            -s "Read from client: 100 bytes read$"

run_test    "mbedtls_ssl_get_bytes_avail: extra data" \
            "$P_SRV" \
            "$P_CLI request_size=500" \
            0 \
            -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003013
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003014# Tests for small packets
3015
Janos Follath542ee5d2016-03-07 15:57:05 +00003016requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003017run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01003018 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003019 "$P_CLI request_size=1 force_version=ssl3 \
3020 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3021 0 \
3022 -s "Read from client: 1 bytes read"
3023
Janos Follath542ee5d2016-03-07 15:57:05 +00003024requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003025run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003026 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003027 "$P_CLI request_size=1 force_version=ssl3 \
3028 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3029 0 \
3030 -s "Read from client: 1 bytes read"
3031
3032run_test "Small packet TLS 1.0 BlockCipher" \
3033 "$P_SRV" \
3034 "$P_CLI request_size=1 force_version=tls1 \
3035 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3036 0 \
3037 -s "Read from client: 1 bytes read"
3038
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +01003039run_test "Small packet TLS 1.0 BlockCipher without EtM" \
3040 "$P_SRV" \
3041 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3042 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3043 0 \
3044 -s "Read from client: 1 bytes read"
3045
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003046run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
3047 "$P_SRV" \
3048 "$P_CLI request_size=1 force_version=tls1 \
3049 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3050 trunc_hmac=1" \
3051 0 \
3052 -s "Read from client: 1 bytes read"
3053
3054run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003055 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003056 "$P_CLI request_size=1 force_version=tls1 \
3057 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3058 trunc_hmac=1" \
3059 0 \
3060 -s "Read from client: 1 bytes read"
3061
3062run_test "Small packet TLS 1.1 BlockCipher" \
3063 "$P_SRV" \
3064 "$P_CLI request_size=1 force_version=tls1_1 \
3065 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3066 0 \
3067 -s "Read from client: 1 bytes read"
3068
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +01003069run_test "Small packet TLS 1.1 BlockCipher without EtM" \
3070 "$P_SRV" \
3071 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
3072 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3073 0 \
3074 -s "Read from client: 1 bytes read"
3075
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003076run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003077 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003078 "$P_CLI request_size=1 force_version=tls1_1 \
3079 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3080 0 \
3081 -s "Read from client: 1 bytes read"
3082
3083run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
3084 "$P_SRV" \
3085 "$P_CLI request_size=1 force_version=tls1_1 \
3086 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3087 trunc_hmac=1" \
3088 0 \
3089 -s "Read from client: 1 bytes read"
3090
3091run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003092 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003093 "$P_CLI request_size=1 force_version=tls1_1 \
3094 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3095 trunc_hmac=1" \
3096 0 \
3097 -s "Read from client: 1 bytes read"
3098
3099run_test "Small packet TLS 1.2 BlockCipher" \
3100 "$P_SRV" \
3101 "$P_CLI request_size=1 force_version=tls1_2 \
3102 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3103 0 \
3104 -s "Read from client: 1 bytes read"
3105
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +01003106run_test "Small packet TLS 1.2 BlockCipher without EtM" \
3107 "$P_SRV" \
3108 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
3109 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3110 0 \
3111 -s "Read from client: 1 bytes read"
3112
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003113run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3114 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01003115 "$P_CLI request_size=1 force_version=tls1_2 \
3116 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003117 0 \
3118 -s "Read from client: 1 bytes read"
3119
3120run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
3121 "$P_SRV" \
3122 "$P_CLI request_size=1 force_version=tls1_2 \
3123 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3124 trunc_hmac=1" \
3125 0 \
3126 -s "Read from client: 1 bytes read"
3127
3128run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003129 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003130 "$P_CLI request_size=1 force_version=tls1_2 \
3131 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3132 0 \
3133 -s "Read from client: 1 bytes read"
3134
3135run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003136 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003137 "$P_CLI request_size=1 force_version=tls1_2 \
3138 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3139 trunc_hmac=1" \
3140 0 \
3141 -s "Read from client: 1 bytes read"
3142
3143run_test "Small packet TLS 1.2 AEAD" \
3144 "$P_SRV" \
3145 "$P_CLI request_size=1 force_version=tls1_2 \
3146 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3147 0 \
3148 -s "Read from client: 1 bytes read"
3149
3150run_test "Small packet TLS 1.2 AEAD shorter tag" \
3151 "$P_SRV" \
3152 "$P_CLI request_size=1 force_version=tls1_2 \
3153 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3154 0 \
3155 -s "Read from client: 1 bytes read"
3156
Janos Follathb700c462016-05-06 13:48:23 +01003157# A test for extensions in SSLv3
3158
3159requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3160run_test "SSLv3 with extensions, server side" \
3161 "$P_SRV min_version=ssl3 debug_level=3" \
3162 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3163 0 \
3164 -S "dumping 'client hello extensions'" \
3165 -S "server hello, total extension length:"
3166
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003167# Test for large packets
3168
Janos Follath542ee5d2016-03-07 15:57:05 +00003169requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003170run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01003171 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01003172 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003173 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3174 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003175 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003176 -s "Read from client: 16384 bytes read"
3177
Janos Follath542ee5d2016-03-07 15:57:05 +00003178requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003179run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003180 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003181 "$P_CLI request_size=16384 force_version=ssl3 \
3182 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3183 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003184 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003185 -s "Read from client: 16384 bytes read"
3186
3187run_test "Large packet TLS 1.0 BlockCipher" \
3188 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01003189 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003190 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3191 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003192 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003193 -s "Read from client: 16384 bytes read"
3194
3195run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
3196 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01003197 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003198 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3199 trunc_hmac=1" \
3200 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003201 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003202 -s "Read from client: 16384 bytes read"
3203
3204run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003205 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003206 "$P_CLI request_size=16384 force_version=tls1 \
3207 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3208 trunc_hmac=1" \
3209 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003210 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003211 -s "Read from client: 16384 bytes read"
3212
3213run_test "Large packet TLS 1.1 BlockCipher" \
3214 "$P_SRV" \
3215 "$P_CLI request_size=16384 force_version=tls1_1 \
3216 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3217 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003218 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003219 -s "Read from client: 16384 bytes read"
3220
3221run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003222 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003223 "$P_CLI request_size=16384 force_version=tls1_1 \
3224 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3225 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003226 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003227 -s "Read from client: 16384 bytes read"
3228
3229run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
3230 "$P_SRV" \
3231 "$P_CLI request_size=16384 force_version=tls1_1 \
3232 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3233 trunc_hmac=1" \
3234 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003235 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003236 -s "Read from client: 16384 bytes read"
3237
3238run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003239 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003240 "$P_CLI request_size=16384 force_version=tls1_1 \
3241 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3242 trunc_hmac=1" \
3243 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003244 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003245 -s "Read from client: 16384 bytes read"
3246
3247run_test "Large packet TLS 1.2 BlockCipher" \
3248 "$P_SRV" \
3249 "$P_CLI request_size=16384 force_version=tls1_2 \
3250 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3251 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003252 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003253 -s "Read from client: 16384 bytes read"
3254
3255run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3256 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01003257 "$P_CLI request_size=16384 force_version=tls1_2 \
3258 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003259 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003260 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003261 -s "Read from client: 16384 bytes read"
3262
3263run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
3264 "$P_SRV" \
3265 "$P_CLI request_size=16384 force_version=tls1_2 \
3266 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3267 trunc_hmac=1" \
3268 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003269 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003270 -s "Read from client: 16384 bytes read"
3271
3272run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003273 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003274 "$P_CLI request_size=16384 force_version=tls1_2 \
3275 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3276 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003277 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003278 -s "Read from client: 16384 bytes read"
3279
3280run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003281 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003282 "$P_CLI request_size=16384 force_version=tls1_2 \
3283 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3284 trunc_hmac=1" \
3285 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003286 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003287 -s "Read from client: 16384 bytes read"
3288
3289run_test "Large packet TLS 1.2 AEAD" \
3290 "$P_SRV" \
3291 "$P_CLI request_size=16384 force_version=tls1_2 \
3292 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3293 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003294 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003295 -s "Read from client: 16384 bytes read"
3296
3297run_test "Large packet TLS 1.2 AEAD shorter tag" \
3298 "$P_SRV" \
3299 "$P_CLI request_size=16384 force_version=tls1_2 \
3300 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3301 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +01003302 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02003303 -s "Read from client: 16384 bytes read"
3304
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02003305# Tests for DTLS HelloVerifyRequest
3306
3307run_test "DTLS cookie: enabled" \
3308 "$P_SRV dtls=1 debug_level=2" \
3309 "$P_CLI dtls=1 debug_level=2" \
3310 0 \
3311 -s "cookie verification failed" \
3312 -s "cookie verification passed" \
3313 -S "cookie verification skipped" \
3314 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02003315 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02003316 -S "SSL - The requested feature is not available"
3317
3318run_test "DTLS cookie: disabled" \
3319 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3320 "$P_CLI dtls=1 debug_level=2" \
3321 0 \
3322 -S "cookie verification failed" \
3323 -S "cookie verification passed" \
3324 -s "cookie verification skipped" \
3325 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02003326 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02003327 -S "SSL - The requested feature is not available"
3328
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02003329run_test "DTLS cookie: default (failing)" \
3330 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3331 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3332 1 \
3333 -s "cookie verification failed" \
3334 -S "cookie verification passed" \
3335 -S "cookie verification skipped" \
3336 -C "received hello verify request" \
3337 -S "hello verification requested" \
3338 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02003339
3340requires_ipv6
3341run_test "DTLS cookie: enabled, IPv6" \
3342 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3343 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3344 0 \
3345 -s "cookie verification failed" \
3346 -s "cookie verification passed" \
3347 -S "cookie verification skipped" \
3348 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02003349 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02003350 -S "SSL - The requested feature is not available"
3351
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02003352run_test "DTLS cookie: enabled, nbio" \
3353 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3354 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3355 0 \
3356 -s "cookie verification failed" \
3357 -s "cookie verification passed" \
3358 -S "cookie verification skipped" \
3359 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02003360 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02003361 -S "SSL - The requested feature is not available"
3362
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003363# Tests for client reconnecting from the same port with DTLS
3364
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003365not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003366run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003367 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3368 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003369 0 \
3370 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003371 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003372 -S "Client initiated reconnection from same port"
3373
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003374not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003375run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003376 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3377 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003378 0 \
3379 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003380 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003381 -s "Client initiated reconnection from same port"
3382
Paul Bakker3b224ff2016-05-13 10:33:25 +01003383not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3384run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003385 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3386 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003387 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003388 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02003389 -s "Client initiated reconnection from same port"
3390
Paul Bakker3b224ff2016-05-13 10:33:25 +01003391only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3392run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3393 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3394 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3395 0 \
3396 -S "The operation timed out" \
3397 -s "Client initiated reconnection from same port"
3398
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003399run_test "DTLS client reconnect from same port: no cookies" \
3400 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +02003401 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3402 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02003403 -s "The operation timed out" \
3404 -S "Client initiated reconnection from same port"
3405
# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)
#
# The three auth_mode cases check which message the server logs about the
# client certificate. Note that with auth_mode=optional and auth_mode=none
# the handshake is expected to succeed even though the client presents no
# certificate; these tests cover the handshake flow only, not any decision
# an application makes afterwards based on the verification result.

run_test    "DTLS client auth: required" \
            "$P_SRV dtls=1 auth_mode=required" \
            "$P_CLI dtls=1" \
            0 \
            -s "Verifying peer X.509 certificate... ok"

run_test    "DTLS client auth: optional, client has no cert" \
            "$P_SRV dtls=1 auth_mode=optional" \
            "$P_CLI dtls=1 crt_file=none key_file=none" \
            0 \
            -s "! Certificate was missing"

# The client-side pattern is anchored with $ so that only the exact
# "skip write certificate" line matches, not a longer line starting with it.
run_test    "DTLS client auth: none, client has no cert" \
            "$P_SRV dtls=1 auth_mode=none" \
            "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
            0 \
            -c "skip write certificate$" \
            -s "! Certificate verification was skipped"

# Server and client keys differ in the last character (abc123 vs abc124).
# The handshake must fail: the server reports a MAC verification failure and
# the client must see a fatal alert from its peer, i.e. the failure is
# signalled to the client rather than left to a timeout.
run_test    "DTLS wrong PSK: badmac alert" \
            "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
            "$P_CLI dtls=1 psk=abc124" \
            1 \
            -s "SSL - Verification of the message MAC failed" \
            -c "SSL - A fatal alert message was received from our peer"
3434
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02003435# Tests for receiving fragmented handshake messages with DTLS
3436
3437requires_gnutls
3438run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3439 "$G_SRV -u --mtu 2048 -a" \
3440 "$P_CLI dtls=1 debug_level=2" \
3441 0 \
3442 -C "found fragmented DTLS handshake message" \
3443 -C "error"
3444
3445requires_gnutls
3446run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3447 "$G_SRV -u --mtu 512" \
3448 "$P_CLI dtls=1 debug_level=2" \
3449 0 \
3450 -c "found fragmented DTLS handshake message" \
3451 -C "error"
3452
3453requires_gnutls
3454run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3455 "$G_SRV -u --mtu 128" \
3456 "$P_CLI dtls=1 debug_level=2" \
3457 0 \
3458 -c "found fragmented DTLS handshake message" \
3459 -C "error"
3460
3461requires_gnutls
3462run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3463 "$G_SRV -u --mtu 128" \
3464 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3465 0 \
3466 -c "found fragmented DTLS handshake message" \
3467 -C "error"
3468
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003469requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +01003470requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003471run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3472 "$G_SRV -u --mtu 256" \
3473 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3474 0 \
3475 -c "found fragmented DTLS handshake message" \
3476 -c "client hello, adding renegotiation extension" \
3477 -c "found renegotiation extension" \
3478 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003479 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003480 -C "error" \
3481 -s "Extra-header:"
3482
3483requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +01003484requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003485run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3486 "$G_SRV -u --mtu 256" \
3487 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3488 0 \
3489 -c "found fragmented DTLS handshake message" \
3490 -c "client hello, adding renegotiation extension" \
3491 -c "found renegotiation extension" \
3492 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003493 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003494 -C "error" \
3495 -s "Extra-header:"
3496
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02003497run_test "DTLS reassembly: no fragmentation (openssl server)" \
3498 "$O_SRV -dtls1 -mtu 2048" \
3499 "$P_CLI dtls=1 debug_level=2" \
3500 0 \
3501 -C "found fragmented DTLS handshake message" \
3502 -C "error"
3503
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003504run_test "DTLS reassembly: some fragmentation (openssl server)" \
3505 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02003506 "$P_CLI dtls=1 debug_level=2" \
3507 0 \
3508 -c "found fragmented DTLS handshake message" \
3509 -C "error"
3510
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003511run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02003512 "$O_SRV -dtls1 -mtu 256" \
3513 "$P_CLI dtls=1 debug_level=2" \
3514 0 \
3515 -c "found fragmented DTLS handshake message" \
3516 -C "error"
3517
3518run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3519 "$O_SRV -dtls1 -mtu 256" \
3520 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3521 0 \
3522 -c "found fragmented DTLS handshake message" \
3523 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02003524
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02003525# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02003526
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003527not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003528run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02003529 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003530 "$P_SRV dtls=1 debug_level=2" \
3531 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003532 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003533 -C "replayed record" \
3534 -S "replayed record" \
3535 -C "record from another epoch" \
3536 -S "record from another epoch" \
3537 -C "discarding invalid record" \
3538 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003539 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02003540 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003541 -c "HTTP/1.0 200 OK"
3542
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003543not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02003544run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003545 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003546 "$P_SRV dtls=1 debug_level=2" \
3547 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003548 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02003549 -c "replayed record" \
3550 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003551 -c "discarding invalid record" \
3552 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003553 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02003554 -s "Extra-header:" \
3555 -c "HTTP/1.0 200 OK"
3556
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003557run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3558 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003559 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3560 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003561 0 \
3562 -c "replayed record" \
3563 -S "replayed record" \
3564 -c "discarding invalid record" \
3565 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003566 -c "resend" \
3567 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003568 -s "Extra-header:" \
3569 -c "HTTP/1.0 200 OK"
3570
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003571run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02003572 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003573 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003574 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003575 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003576 -c "discarding invalid record (mac)" \
3577 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003578 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003579 -c "HTTP/1.0 200 OK" \
3580 -S "too many records with bad MAC" \
3581 -S "Verification of the message MAC failed"
3582
3583run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3584 -p "$P_PXY bad_ad=1" \
3585 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3586 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3587 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003588 -C "discarding invalid record (mac)" \
3589 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003590 -S "Extra-header:" \
3591 -C "HTTP/1.0 200 OK" \
3592 -s "too many records with bad MAC" \
3593 -s "Verification of the message MAC failed"
3594
3595run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3596 -p "$P_PXY bad_ad=1" \
3597 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3598 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3599 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003600 -c "discarding invalid record (mac)" \
3601 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003602 -s "Extra-header:" \
3603 -c "HTTP/1.0 200 OK" \
3604 -S "too many records with bad MAC" \
3605 -S "Verification of the message MAC failed"
3606
3607run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3608 -p "$P_PXY bad_ad=1" \
3609 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3610 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3611 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003612 -c "discarding invalid record (mac)" \
3613 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003614 -s "Extra-header:" \
3615 -c "HTTP/1.0 200 OK" \
3616 -s "too many records with bad MAC" \
3617 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003618
3619run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003620 -p "$P_PXY delay_ccs=1" \
3621 "$P_SRV dtls=1 debug_level=1" \
3622 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003623 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003624 -c "record from another epoch" \
3625 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003626 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003627 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003628 -s "Extra-header:" \
3629 -c "HTTP/1.0 200 OK"
3630
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02003631# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003632
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003633needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003634run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003635 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003636 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3637 psk=abc123" \
3638 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003639 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3640 0 \
3641 -s "Extra-header:" \
3642 -c "HTTP/1.0 200 OK"
3643
3644needs_more_time 2
3645run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3646 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003647 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3648 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003649 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3650 0 \
3651 -s "Extra-header:" \
3652 -c "HTTP/1.0 200 OK"
3653
3654needs_more_time 2
3655run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3656 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003657 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3658 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003659 0 \
3660 -s "Extra-header:" \
3661 -c "HTTP/1.0 200 OK"
3662
3663needs_more_time 2
3664run_test "DTLS proxy: 3d, FS, client auth" \
3665 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003666 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3667 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003668 0 \
3669 -s "Extra-header:" \
3670 -c "HTTP/1.0 200 OK"
3671
3672needs_more_time 2
3673run_test "DTLS proxy: 3d, FS, ticket" \
3674 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003675 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3676 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003677 0 \
3678 -s "Extra-header:" \
3679 -c "HTTP/1.0 200 OK"
3680
3681needs_more_time 2
3682run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3683 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003684 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3685 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003686 0 \
3687 -s "Extra-header:" \
3688 -c "HTTP/1.0 200 OK"
3689
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003690needs_more_time 2
3691run_test "DTLS proxy: 3d, max handshake, nbio" \
3692 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003693 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3694 auth_mode=required" \
3695 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003696 0 \
3697 -s "Extra-header:" \
3698 -c "HTTP/1.0 200 OK"
3699
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02003700needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02003701run_test "DTLS proxy: 3d, min handshake, resumption" \
3702 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3703 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3704 psk=abc123 debug_level=3" \
3705 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3706 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3707 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3708 0 \
3709 -s "a session has been resumed" \
3710 -c "a session has been resumed" \
3711 -s "Extra-header:" \
3712 -c "HTTP/1.0 200 OK"
3713
3714needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02003715run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3716 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3717 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3718 psk=abc123 debug_level=3 nbio=2" \
3719 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3720 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3721 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3722 0 \
3723 -s "a session has been resumed" \
3724 -c "a session has been resumed" \
3725 -s "Extra-header:" \
3726 -c "HTTP/1.0 200 OK"
3727
3728needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +01003729requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003730run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02003731 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003732 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3733 psk=abc123 renegotiation=1 debug_level=2" \
3734 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3735 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02003736 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3737 0 \
3738 -c "=> renegotiate" \
3739 -s "=> renegotiate" \
3740 -s "Extra-header:" \
3741 -c "HTTP/1.0 200 OK"
3742
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003743needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +01003744requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003745run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
3746 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003747 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3748 psk=abc123 renegotiation=1 debug_level=2" \
3749 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3750 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003751 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3752 0 \
3753 -c "=> renegotiate" \
3754 -s "=> renegotiate" \
3755 -s "Extra-header:" \
3756 -c "HTTP/1.0 200 OK"
3757
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003758needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +01003759requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003760run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003761 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003762 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003763 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003764 debug_level=2" \
3765 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003766 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003767 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3768 0 \
3769 -c "=> renegotiate" \
3770 -s "=> renegotiate" \
3771 -s "Extra-header:" \
3772 -c "HTTP/1.0 200 OK"
3773
3774needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +01003775requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003776run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003777 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003778 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003779 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003780 debug_level=2 nbio=2" \
3781 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003782 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003783 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3784 0 \
3785 -c "=> renegotiate" \
3786 -s "=> renegotiate" \
3787 -s "Extra-header:" \
3788 -c "HTTP/1.0 200 OK"
3789
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +02003790needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003791not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003792run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02003793 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3794 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00003795 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02003796 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02003797 -c "HTTP/1.0 200 OK"
3798
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +02003799needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003800not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003801run_test "DTLS proxy: 3d, openssl server, fragmentation" \
3802 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3803 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00003804 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003805 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003806 -c "HTTP/1.0 200 OK"
3807
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +02003808needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003809not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003810run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
3811 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3812 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00003813 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003814 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003815 -c "HTTP/1.0 200 OK"
3816
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00003817requires_gnutls
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +02003818needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003819not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003820run_test "DTLS proxy: 3d, gnutls server" \
3821 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3822 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02003823 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003824 0 \
3825 -s "Extra-header:" \
3826 -c "Extra-header:"
3827
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00003828requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +02003829needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003830not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003831run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
3832 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3833 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02003834 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003835 0 \
3836 -s "Extra-header:" \
3837 -c "Extra-header:"
3838
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00003839requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +02003840needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003841not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003842run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
3843 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3844 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02003845 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003846 0 \
3847 -s "Extra-header:" \
3848 -c "Extra-header:"
3849
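# Final report
#
# Prints a PASSED/FAILED banner followed by the pass, total and skipped
# counts, then exits with a status that is non-zero whenever at least one
# test failed. Reads the counters FAILS, TESTS and SKIPS maintained earlier
# in this script.

echo "------------------------------------------------------------------------"

if [ "$FAILS" = 0 ]; then
    printf "PASSED"
else
    printf "FAILED"
fi
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"

# The caller only receives the low 8 bits of the exit status, so a failure
# count that is a multiple of 256 would otherwise be reported as success by
# CI. Clamp after printing so the report still shows the real count.
if [ "$FAILS" -gt 255 ]; then
    FAILS=255
fi

exit "$FAILS"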