TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a28fd41ed12d0062adc9dfa43ac476804f914a86 / . / tests / ssl-opt.sh
blob: c93154b5ff6fc6d4a7adb565554737cf003a455c [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]5# Copyright The Mbed TLS Contributors
Bence Szépkútic7da1fe2020-05-26 01:54:15 +0200[diff] [blame]6# SPDX-License-Identifier: Apache-2.0
7#
8# Licensed under the Apache License, Version 2.0 (the "License"); you may
9# not use this file except in compliance with the License.
10# You may obtain a copy of the License at
11#
12# http://www.apache.org/licenses/LICENSE-2.0
13#
14# Unless required by applicable law or agreed to in writing, software
15# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17# See the License for the specific language governing permissions and
18# limitations under the License.
19#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]20# Purpose
21#
22# Executes tests to prove various TLS/SSL options and extensions.
23#
24# The goal is not to cover every ciphersuite/version, but instead to cover
25# specific options (max fragment length, truncated hmac, etc) or procedures
26# (session resumption from cache or ticket, renego, etc).
27#
28# The tests assume a build with default options, with exceptions expressed
29# with a dependency. The tests focus on functionality and do not consider
30# performance.
31#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]33set -u
34
Jaeden Amero6e70eb22019-07-03 13:51:04 +0100[diff] [blame]35# Limit the size of each log to 10 GiB, in case of failures with this script
36# where it may output seemingly unlimited length error logs.
37ulimit -f 20971520
38
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]39ORIGINAL_PWD=$PWD
40if ! cd "$(dirname "$0")"; then
41 exit 125
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]42fi
43
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]44# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]45: ${P_SRV:=../programs/ssl/ssl_server2}
46: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]47: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]48: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]49: ${GNUTLS_CLI:=gnutls-cli}
50: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]51: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]52
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]53guess_config_name() {
54 if git diff --quiet ../include/mbedtls/config.h 2>/dev/null; then
55 echo "default"
56 else
57 echo "unknown"
58 fi
59}
60: ${MBEDTLS_TEST_OUTCOME_FILE=}
61: ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"}
62: ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
63
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]64O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]65O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]66G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]67G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]68TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]69
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]70# alternative versions of OpenSSL and GnuTLS (no default path)
71
72if [ -n "${OPENSSL_LEGACY:-}" ]; then
73 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
74 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
75else
76 O_LEGACY_SRV=false
77 O_LEGACY_CLI=false
78fi
79
Paul Elliott633a74e2021-10-13 18:31:07 +0100[diff] [blame]80if [ -n "${OPENSSL_NEXT:-}" ]; then
81 O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
82 O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
83else
84 O_NEXT_SRV=false
85 O_NEXT_CLI=false
86fi
87
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]88if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]89 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
90else
91 G_NEXT_SRV=false
92fi
93
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]94if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]95 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
96else
97 G_NEXT_CLI=false
98fi
99
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]100TESTS=0
101FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]102SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]103
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]104CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]105
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]106MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]107FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]108EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]109
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]110SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]111RUN_TEST_NUMBER=''
112
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]113PRESERVE_LOGS=0
114
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]115# Pick a "unique" server port in the range 10000-19999, and a proxy
116# port which is this plus 10000. Each port number may be independently
117# overridden by a command line option.
118SRV_PORT=$(($$ % 10000 + 10000))
119PXY_PORT=$((SRV_PORT + 10000))
120
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]121print_usage() {
122 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]123 printf " -h|--help\tPrint this help.\n"
124 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]125 printf " -f|--filter\tOnly matching tests are executed (substring or BRE)\n"
126 printf " -e|--exclude\tMatching tests are excluded (substring or BRE)\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]127 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]128 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]129 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]130 printf " --outcome-file\tFile where test outcomes are written\n"
131 printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
132 printf " --port \tTCP/UDP port (default: randomish 1xxxx)\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]133 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]134 printf " --seed \tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]135}
136
137get_options() {
138 while [ $# -gt 0 ]; do
139 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]140 -f|--filter)
141 shift; FILTER=$1
142 ;;
143 -e|--exclude)
144 shift; EXCLUDE=$1
145 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]146 -m|--memcheck)
147 MEMCHECK=1
148 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]149 -n|--number)
150 shift; RUN_TEST_NUMBER=$1
151 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]152 -s|--show-numbers)
153 SHOW_TEST_NUMBER=1
154 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]155 -p|--preserve-logs)
156 PRESERVE_LOGS=1
157 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]158 --port)
159 shift; SRV_PORT=$1
160 ;;
161 --proxy-port)
162 shift; PXY_PORT=$1
163 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]164 --seed)
165 shift; SEED="$1"
166 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]167 -h|--help)
168 print_usage
169 exit 0
170 ;;
171 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]172 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]173 print_usage
174 exit 1
175 ;;
176 esac
177 shift
178 done
179}
180
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]181# Make the outcome file path relative to the original directory, not
182# to .../tests
183case "$MBEDTLS_TEST_OUTCOME_FILE" in
184 [!/]*)
185 MBEDTLS_TEST_OUTCOME_FILE="$ORIGINAL_PWD/$MBEDTLS_TEST_OUTCOME_FILE"
186 ;;
187esac
188
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]189# Read boolean configuration options from config.h for easy and quick
190# testing. Skip non-boolean options (with something other than spaces
191# and a comment after "#define SYMBOL"). The variable contains a
192# space-separated list of symbols.
193CONFIGS_ENABLED=" $(<"$CONFIG_H" \
194 sed -n 's!^ *#define *\([A-Za-z][0-9A-Z_a-z]*\) *\(/*\)*!\1!p' |
195 tr '\n' ' ')"
196
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]197# Skip next test; use this macro to skip tests which are legitimate
198# in theory and expected to be re-introduced at some point, but
199# aren't expected to succeed at the moment due to problems outside
200# our control (such as bugs in other TLS implementations).
201skip_next_test() {
202 SKIP_NEXT="YES"
203}
204
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]205# skip next test if the flag is not enabled in config.h
206requires_config_enabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]207 case $CONFIGS_ENABLED in
208 *" $1 "*) :;;
209 *) SKIP_NEXT="YES";;
210 esac
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]211}
212
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]213# skip next test if the flag is enabled in config.h
214requires_config_disabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]215 case $CONFIGS_ENABLED in
216 *" $1 "*) SKIP_NEXT="YES";;
217 esac
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]218}
219
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]220get_config_value_or_default() {
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]221 # This function uses the query_config command line option to query the
222 # required Mbed TLS compile time configuration from the ssl_server2
223 # program. The command will always return a success value if the
224 # configuration is defined and the value will be printed to stdout.
225 #
226 # Note that if the configuration is not defined or is defined to nothing,
227 # the output of this function will be an empty string.
228 ${P_SRV} "query_config=${1}"
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]229}
230
231requires_config_value_at_least() {
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]232 VAL="$( get_config_value_or_default "$1" )"
233 if [ -z "$VAL" ]; then
234 # Should never happen
235 echo "Mbed TLS configuration $1 is not defined"
236 exit 1
237 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]238 SKIP_NEXT="YES"
239 fi
240}
241
242requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]243 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]244 if [ -z "$VAL" ]; then
245 # Should never happen
246 echo "Mbed TLS configuration $1 is not defined"
247 exit 1
248 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]249 SKIP_NEXT="YES"
250 fi
251}
252
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]253requires_config_value_equals() {
254 VAL=$( get_config_value_or_default "$1" )
255 if [ -z "$VAL" ]; then
256 # Should never happen
257 echo "Mbed TLS configuration $1 is not defined"
258 exit 1
259 elif [ "$VAL" -ne "$2" ]; then
260 SKIP_NEXT="YES"
261 fi
262}
263
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]264# Space-separated list of ciphersuites supported by this build of
265# Mbed TLS.
266P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null |
267 grep TLS- |
268 tr -s ' \n' ' ')"
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]269requires_ciphersuite_enabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]270 case $P_CIPHERSUITES in
271 *" $1 "*) :;;
272 *) SKIP_NEXT="YES";;
273 esac
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]274}
275
Gilles Peskine0d721652020-06-26 23:35:53 +0200[diff] [blame]276# maybe_requires_ciphersuite_enabled CMD [RUN_TEST_OPTION...]
277# If CMD (call to a TLS client or server program) requires a specific
278# ciphersuite, arrange to only run the test case if this ciphersuite is
279# enabled. As an exception, do run the test case if it expects a ciphersuite
280# mismatch.
281maybe_requires_ciphersuite_enabled() {
282 case "$1" in
283 *\ force_ciphersuite=*) :;;
284 *) return;; # No specific required ciphersuite
285 esac
286 ciphersuite="${1##*\ force_ciphersuite=}"
287 ciphersuite="${ciphersuite%%[!-0-9A-Z_a-z]*}"
288 shift
289
290 case "$*" in
291 *"-s SSL - The server has no ciphersuites in common"*)
292 # This test case expects a ciphersuite mismatch, so it doesn't
293 # require the ciphersuite to be enabled.
294 ;;
295 *)
296 requires_ciphersuite_enabled "$ciphersuite"
297 ;;
298 esac
299
300 unset ciphersuite
301}
302
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]303# skip next test if OpenSSL doesn't support FALLBACK_SCSV
304requires_openssl_with_fallback_scsv() {
305 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
306 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
307 then
308 OPENSSL_HAS_FBSCSV="YES"
309 else
310 OPENSSL_HAS_FBSCSV="NO"
311 fi
312 fi
313 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
314 SKIP_NEXT="YES"
315 fi
316}
317
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]318# skip next test if either IN_CONTENT_LEN or MAX_CONTENT_LEN are below a value
319requires_max_content_len() {
320 requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" $1
321 requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1
322}
323
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]324# skip next test if GnuTLS isn't available
325requires_gnutls() {
326 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]327 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]328 GNUTLS_AVAILABLE="YES"
329 else
330 GNUTLS_AVAILABLE="NO"
331 fi
332 fi
333 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
334 SKIP_NEXT="YES"
335 fi
336}
337
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]338# skip next test if GnuTLS-next isn't available
339requires_gnutls_next() {
340 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
341 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
342 GNUTLS_NEXT_AVAILABLE="YES"
343 else
344 GNUTLS_NEXT_AVAILABLE="NO"
345 fi
346 fi
347 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
348 SKIP_NEXT="YES"
349 fi
350}
351
352# skip next test if OpenSSL-legacy isn't available
353requires_openssl_legacy() {
354 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
355 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
356 OPENSSL_LEGACY_AVAILABLE="YES"
357 else
358 OPENSSL_LEGACY_AVAILABLE="NO"
359 fi
360 fi
361 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
362 SKIP_NEXT="YES"
363 fi
364}
365
Paul Elliott633a74e2021-10-13 18:31:07 +0100[diff] [blame]366requires_openssl_next() {
367 if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
368 if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
369 OPENSSL_NEXT_AVAILABLE="YES"
370 else
371 OPENSSL_NEXT_AVAILABLE="NO"
372 fi
373 fi
374 if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then
375 SKIP_NEXT="YES"
376 fi
377}
378
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]379# skip next test if IPv6 isn't available on this host
380requires_ipv6() {
381 if [ -z "${HAS_IPV6:-}" ]; then
382 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
383 SRV_PID=$!
384 sleep 1
385 kill $SRV_PID >/dev/null 2>&1
386 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
387 HAS_IPV6="NO"
388 else
389 HAS_IPV6="YES"
390 fi
391 rm -r $SRV_OUT
392 fi
393
394 if [ "$HAS_IPV6" = "NO" ]; then
395 SKIP_NEXT="YES"
396 fi
397}
398
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]399# skip next test if it's i686 or uname is not available
400requires_not_i686() {
401 if [ -z "${IS_I686:-}" ]; then
402 IS_I686="YES"
403 if which "uname" >/dev/null 2>&1; then
404 if [ -z "$(uname -a | grep i686)" ]; then
405 IS_I686="NO"
406 fi
407 fi
408 fi
409 if [ "$IS_I686" = "YES" ]; then
410 SKIP_NEXT="YES"
411 fi
412}
413
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]414# Calculate the input & output maximum content lengths set in the config
Yuto Takanoab9e43332021-06-22 07:16:40 +0100[diff] [blame]415MAX_CONTENT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_MAX_CONTENT_LEN" )
416MAX_IN_LEN=$( get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN" )
417MAX_OUT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN" )
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]418
Yuto Takano18ddccc2021-06-21 19:43:33 +0100[diff] [blame]419# Calculate the maximum content length that fits both
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]420if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
421 MAX_CONTENT_LEN="$MAX_IN_LEN"
422fi
423if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
424 MAX_CONTENT_LEN="$MAX_OUT_LEN"
425fi
426
427# skip the next test if the SSL output buffer is less than 16KB
428requires_full_size_output_buffer() {
429 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
430 SKIP_NEXT="YES"
431 fi
432}
433
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]434# skip the next test if valgrind is in use
435not_with_valgrind() {
436 if [ "$MEMCHECK" -gt 0 ]; then
437 SKIP_NEXT="YES"
438 fi
439}
440
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]441# skip the next test if valgrind is NOT in use
442only_with_valgrind() {
443 if [ "$MEMCHECK" -eq 0 ]; then
444 SKIP_NEXT="YES"
445 fi
446}
447
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]448# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]449client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]450 CLI_DELAY_FACTOR=$1
451}
452
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]453# wait for the given seconds after the client finished in the next test
454server_needs_more_time() {
455 SRV_DELAY_SECONDS=$1
456}
457
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]458# print_name <name>
459print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]460 TESTS=$(( $TESTS + 1 ))
461 LINE=""
462
463 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
464 LINE="$TESTS "
465 fi
466
467 LINE="$LINE$1"
Gilles Peskine231befa2020-08-26 20:05:11 +0200[diff] [blame]468 printf "%s " "$LINE"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]469 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]470 for i in `seq 1 $LEN`; do printf '.'; done
471 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]472
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]473}
474
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]475# record_outcome <outcome> [<failure-reason>]
476# The test name must be in $NAME.
477record_outcome() {
478 echo "$1"
479 if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
480 printf '%s;%s;%s;%s;%s;%s\n' \
481 "$MBEDTLS_TEST_PLATFORM" "$MBEDTLS_TEST_CONFIGURATION" \
482 "ssl-opt" "$NAME" \
483 "$1" "${2-}" \
484 >>"$MBEDTLS_TEST_OUTCOME_FILE"
485 fi
486}
487
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]488# fail <message>
489fail() {
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]490 record_outcome "FAIL" "$1"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]491 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]492
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]493 mv $SRV_OUT o-srv-${TESTS}.log
494 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]495 if [ -n "$PXY_CMD" ]; then
496 mv $PXY_OUT o-pxy-${TESTS}.log
497 fi
498 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]499
Manuel Pégourié-Gonnard3f3302f2020-06-08 11:49:05 +0200[diff] [blame]500 if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]501 echo " ! server output:"
502 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]503 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]504 echo " ! client output:"
505 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]506 if [ -n "$PXY_CMD" ]; then
507 echo " ! ========================================================"
508 echo " ! proxy output:"
509 cat o-pxy-${TESTS}.log
510 fi
511 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]512 fi
513
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]514 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]515}
516
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]517# is_polar <cmd_line>
518is_polar() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]519 case "$1" in
520 *ssl_client2*) true;;
521 *ssl_server2*) true;;
522 *) false;;
523 esac
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]524}
525
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]526# openssl s_server doesn't have -www with DTLS
527check_osrv_dtls() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]528 case "$SRV_CMD" in
529 *s_server*-dtls*)
530 NEEDS_INPUT=1
531 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )";;
532 *) NEEDS_INPUT=0;;
533 esac
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]534}
535
536# provide input to commands that need it
537provide_input() {
538 if [ $NEEDS_INPUT -eq 0 ]; then
539 return
540 fi
541
542 while true; do
543 echo "HTTP/1.0 200 OK"
544 sleep 1
545 done
546}
547
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]548# has_mem_err <log_file_name>
549has_mem_err() {
550 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
551 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
552 then
553 return 1 # false: does not have errors
554 else
555 return 0 # true: has errors
556 fi
557}
558
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]559# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]560if type lsof >/dev/null 2>/dev/null; then
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]561 wait_app_start() {
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]562 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]563 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]564 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]565 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]566 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]567 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]568 # Make a tight loop, server normally takes less than 1s to start.
569 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
570 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]571 echo "$3 START TIMEOUT"
572 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]573 break
574 fi
575 # Linux and *BSD support decimal arguments to sleep. On other
576 # OSes this may be a tight loop.
577 sleep 0.1 2>/dev/null || true
578 done
579 }
580else
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]581 echo "Warning: lsof not available, wait_app_start = sleep"
582 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]583 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]584 }
585fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]586
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]587# Wait for server process $2 to be listening on port $1.
588wait_server_start() {
589 wait_app_start $1 $2 "SERVER" $SRV_OUT
590}
591
592# Wait for proxy process $2 to be listening on port $1.
593wait_proxy_start() {
594 wait_app_start $1 $2 "PROXY" $PXY_OUT
595}
596
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]597# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]598# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]599# acceptable bounds
600check_server_hello_time() {
601 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]602 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]603 # Get the Unix timestamp for now
604 CUR_TIME=$(date +'%s')
605 THRESHOLD_IN_SECS=300
606
607 # Check if the ServerHello time was printed
608 if [ -z "$SERVER_HELLO_TIME" ]; then
609 return 1
610 fi
611
612 # Check the time in ServerHello is within acceptable bounds
613 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
614 # The time in ServerHello is at least 5 minutes before now
615 return 1
616 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]617 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]618 return 1
619 else
620 return 0
621 fi
622}
623
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]624# Get handshake memory usage from server or client output and put it into the variable specified by the first argument
625handshake_memory_get() {
626 OUTPUT_VARIABLE="$1"
627 OUTPUT_FILE="$2"
628
629 # Get memory usage from a pattern like "Heap memory usage after handshake: 23112 bytes. Peak memory usage was 33112"
630 MEM_USAGE=$(sed -n 's/.*Heap memory usage after handshake: //p' < "$OUTPUT_FILE" | grep -o "[0-9]*" | head -1)
631
632 # Check if memory usage was read
633 if [ -z "$MEM_USAGE" ]; then
634 echo "Error: Can not read the value of handshake memory usage"
635 return 1
636 else
637 eval "$OUTPUT_VARIABLE=$MEM_USAGE"
638 return 0
639 fi
640}
641
642# Get handshake memory usage from server or client output and check if this value
643# is not higher than the maximum given by the first argument
644handshake_memory_check() {
645 MAX_MEMORY="$1"
646 OUTPUT_FILE="$2"
647
648 # Get memory usage
649 if ! handshake_memory_get "MEMORY_USAGE" "$OUTPUT_FILE"; then
650 return 1
651 fi
652
653 # Check if memory usage is below max value
654 if [ "$MEMORY_USAGE" -gt "$MAX_MEMORY" ]; then
655 echo "\nFailed: Handshake memory usage was $MEMORY_USAGE bytes," \
656 "but should be below $MAX_MEMORY bytes"
657 return 1
658 else
659 return 0
660 fi
661}
662
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]663# wait for client to terminate and set CLI_EXIT
664# must be called right after starting the client
665wait_client_done() {
666 CLI_PID=$!
667
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]668 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
669 CLI_DELAY_FACTOR=1
670
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]671 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]672 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]673
674 wait $CLI_PID
675 CLI_EXIT=$?
676
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]677 kill $DOG_PID >/dev/null 2>&1
678 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]679
680 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]681
682 sleep $SRV_DELAY_SECONDS
683 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]684}
685
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]686# check if the given command uses dtls and sets global variable DTLS
687detect_dtls() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]688 case "$1" in
Paul Elliott405fccc2021-10-12 16:02:55 +0100[diff] [blame]689 *dtls=1*|*-dtls*|*-u*) DTLS=1;;
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]690 *) DTLS=0;;
691 esac
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]692}
693
Dave Rodgman0279c2f2021-02-10 12:45:41 +0000[diff] [blame]694# check if the given command uses gnutls and sets global variable CMD_IS_GNUTLS
695is_gnutls() {
696 case "$1" in
697 *gnutls-cli*)
698 CMD_IS_GNUTLS=1
699 ;;
700 *gnutls-serv*)
701 CMD_IS_GNUTLS=1
702 ;;
703 *)
704 CMD_IS_GNUTLS=0
705 ;;
706 esac
707}
708
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]709# Compare file content
710# Usage: find_in_both pattern file1 file2
711# extract from file1 the first line matching the pattern
712# check in file2 that the same line can be found
713find_in_both() {
714 srv_pattern=$(grep -m 1 "$1" "$2");
715 if [ -z "$srv_pattern" ]; then
716 return 1;
717 fi
718
719 if grep "$srv_pattern" $3 >/dev/null; then :
Johan Pascal10403152020-10-09 20:43:51 +0200[diff] [blame]720 return 0;
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]721 else
722 return 1;
723 fi
724}
725
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]726# Analyze the commands that will be used in a test.
727#
728# Analyze and possibly instrument $PXY_CMD, $CLI_CMD, $SRV_CMD to pass
729# extra arguments or go through wrappers.
730# Set $DTLS (0=TLS, 1=DTLS).
731analyze_test_commands() {
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]732 # update DTLS variable
733 detect_dtls "$SRV_CMD"
734
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]735 # if the test uses DTLS but no custom proxy, add a simple proxy
736 # as it provides timing info that's useful to debug failures
Manuel Pégourié-Gonnard70fce982020-06-25 09:54:46 +0200[diff] [blame]737 if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]738 PXY_CMD="$P_PXY"
Manuel Pégourié-Gonnard8779e9a2020-07-16 10:19:32 +0200[diff] [blame]739 case " $SRV_CMD " in
740 *' server_addr=::1 '*)
741 PXY_CMD="$PXY_CMD server_addr=::1 listen_addr=::1";;
742 esac
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]743 fi
744
Dave Rodgman0279c2f2021-02-10 12:45:41 +0000[diff] [blame]745 # update CMD_IS_GNUTLS variable
746 is_gnutls "$SRV_CMD"
747
748 # if the server uses gnutls but doesn't set priority, explicitly
749 # set the default priority
750 if [ "$CMD_IS_GNUTLS" -eq 1 ]; then
751 case "$SRV_CMD" in
752 *--priority*) :;;
753 *) SRV_CMD="$SRV_CMD --priority=NORMAL";;
754 esac
755 fi
756
757 # update CMD_IS_GNUTLS variable
758 is_gnutls "$CLI_CMD"
759
760 # if the client uses gnutls but doesn't set priority, explicitly
761 # set the default priority
762 if [ "$CMD_IS_GNUTLS" -eq 1 ]; then
763 case "$CLI_CMD" in
764 *--priority*) :;;
765 *) CLI_CMD="$CLI_CMD --priority=NORMAL";;
766 esac
767 fi
768
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]769 # fix client port
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]770 if [ -n "$PXY_CMD" ]; then
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]771 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
772 else
773 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
774 fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]775
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]776 # prepend valgrind to our commands if active
777 if [ "$MEMCHECK" -gt 0 ]; then
778 if is_polar "$SRV_CMD"; then
779 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
780 fi
781 if is_polar "$CLI_CMD"; then
782 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
783 fi
784 fi
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]785}
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]786
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]787# Check for failure conditions after a test case.
788#
789# Inputs from run_test:
790# * positional parameters: test options (see run_test documentation)
791# * $CLI_EXIT: client return code
792# * $CLI_EXPECT: expected client return code
793# * $SRV_RET: server return code
794# * $CLI_OUT, $SRV_OUT, $PXY_OUT: files containing client/server/proxy logs
Gilles Peskinea28fd412021-10-19 17:23:25 +0200[diff] [blame^]795# * $TIMES_LEFT: if nonzero, a RETRY outcome is allowed
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]796#
797# Outputs:
Gilles Peskinea28fd412021-10-19 17:23:25 +0200[diff] [blame^]798# * $outcome: one of PASS/RETRY/FAIL
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]799check_test_failure() {
Gilles Peskinea28fd412021-10-19 17:23:25 +0200[diff] [blame^]800 outcome=FAIL
801
802 if [ $TIMES_LEFT -gt 0 ] &&
803 grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null
804 then
805 outcome=RETRY
806 return
807 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]808
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]809 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]810 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]811 # expected client exit to incorrectly succeed in case of catastrophic
812 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]813 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]814 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]815 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]816 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]817 return
818 fi
819 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]820 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]821 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]822 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]823 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]824 return
825 fi
826 fi
827
Gilles Peskineaaf866e2021-02-09 21:01:33 +0100[diff] [blame]828 # Check server exit code (only for Mbed TLS: GnuTLS and OpenSSL don't
829 # exit with status 0 when interrupted by a signal, and we don't really
830 # care anyway), in case e.g. the server reports a memory leak.
831 if [ $SRV_RET != 0 ] && is_polar "$SRV_CMD"; then
Gilles Peskine7f919de2021-02-02 23:29:03 +0100[diff] [blame]832 fail "Server exited with status $SRV_RET"
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]833 return
834 fi
835
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]836 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]837 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
838 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]839 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]840 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]841 return
842 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]843
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]844 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]845 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]846 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]847 while [ $# -gt 0 ]
848 do
849 case $1 in
850 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]851 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]852 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]853 return
854 fi
855 ;;
856
857 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]858 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]859 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]860 return
861 fi
862 ;;
863
864 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]865 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]866 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]867 return
868 fi
869 ;;
870
871 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]872 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]873 fail "pattern '$2' MUST NOT be present in the Client output"
874 return
875 fi
876 ;;
877
878 # The filtering in the following two options (-u and -U) do the following
879 # - ignore valgrind output
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]880 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]881 # - keep one of each non-unique line
882 # - count how many lines remain
883 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
884 # if there were no duplicates.
885 "-U")
886 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
887 fail "lines following pattern '$2' must be unique in Server output"
888 return
889 fi
890 ;;
891
892 "-u")
893 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
894 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]895 return
896 fi
897 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]898 "-F")
899 if ! $2 "$SRV_OUT"; then
900 fail "function call to '$2' failed on Server output"
901 return
902 fi
903 ;;
904 "-f")
905 if ! $2 "$CLI_OUT"; then
906 fail "function call to '$2' failed on Client output"
907 return
908 fi
909 ;;
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]910 "-g")
911 if ! eval "$2 '$SRV_OUT' '$CLI_OUT'"; then
912 fail "function call to '$2' failed on Server and Client output"
913 return
914 fi
915 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]916
917 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]918 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]919 exit 1
920 esac
921 shift 2
922 done
923
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]924 # check valgrind's results
925 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]926 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]927 fail "Server has memory errors"
928 return
929 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]930 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]931 fail "Client has memory errors"
932 return
933 fi
934 fi
935
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]936 # if we're here, everything is ok
Gilles Peskinea28fd412021-10-19 17:23:25 +0200[diff] [blame^]937 outcome=PASS
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]938}
939
Gilles Peskine5d8e7022021-10-19 16:35:35 +0200[diff] [blame]940# Run the current test case: start the server and if applicable the proxy, run
941# the client, wait for all processes to finish or time out.
942#
943# Inputs:
944# * $NAME: test case name
945# * $CLI_CMD, $SRV_CMD, $PXY_CMD: commands to run
946# * $CLI_OUT, $SRV_OUT, $PXY_OUT: files to contain client/server/proxy logs
947#
948# Outputs:
949# * $CLI_EXIT: client return code
950# * $SRV_RET: server return code
951do_run_test_once() {
952 # run the commands
953 if [ -n "$PXY_CMD" ]; then
954 printf "# %s\n%s\n" "$NAME" "$PXY_CMD" > $PXY_OUT
955 $PXY_CMD >> $PXY_OUT 2>&1 &
956 PXY_PID=$!
957 wait_proxy_start "$PXY_PORT" "$PXY_PID"
958 fi
959
960 check_osrv_dtls
961 printf '# %s\n%s\n' "$NAME" "$SRV_CMD" > $SRV_OUT
962 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
963 SRV_PID=$!
964 wait_server_start "$SRV_PORT" "$SRV_PID"
965
966 printf '# %s\n%s\n' "$NAME" "$CLI_CMD" > $CLI_OUT
967 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
968 wait_client_done
969
970 sleep 0.05
971
972 # terminate the server (and the proxy)
973 kill $SRV_PID
974 wait $SRV_PID
975 SRV_RET=$?
976
977 if [ -n "$PXY_CMD" ]; then
978 kill $PXY_PID >/dev/null 2>&1
979 wait $PXY_PID
980 fi
981}
982
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]983# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
984# Options: -s pattern pattern that must be present in server output
985# -c pattern pattern that must be present in client output
986# -u pattern lines after pattern must be unique in client output
987# -f call shell function on client output
988# -S pattern pattern that must be absent in server output
989# -C pattern pattern that must be absent in client output
990# -U pattern lines after pattern must be unique in server output
991# -F call shell function on server output
992# -g call shell function on server and client output
993run_test() {
994 NAME="$1"
995 shift 1
996
997 if is_excluded "$NAME"; then
998 SKIP_NEXT="NO"
999 # There was no request to run the test, so don't record its outcome.
1000 return
1001 fi
1002
1003 print_name "$NAME"
1004
1005 # Do we only run numbered tests?
1006 if [ -n "$RUN_TEST_NUMBER" ]; then
1007 case ",$RUN_TEST_NUMBER," in
1008 *",$TESTS,"*) :;;
1009 *) SKIP_NEXT="YES";;
1010 esac
1011 fi
1012
1013 # does this test use a proxy?
1014 if [ "X$1" = "X-p" ]; then
1015 PXY_CMD="$2"
1016 shift 2
1017 else
1018 PXY_CMD=""
1019 fi
1020
1021 # get commands and client output
1022 SRV_CMD="$1"
1023 CLI_CMD="$2"
1024 CLI_EXPECT="$3"
1025 shift 3
1026
1027 # Check if test uses files
1028 case "$SRV_CMD $CLI_CMD" in
1029 *data_files/*)
1030 requires_config_enabled MBEDTLS_FS_IO;;
1031 esac
1032
1033 # If the client or serve requires a ciphersuite, check that it's enabled.
1034 maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@"
1035 maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@"
1036
1037 # should we skip?
1038 if [ "X$SKIP_NEXT" = "XYES" ]; then
1039 SKIP_NEXT="NO"
1040 record_outcome "SKIP"
1041 SKIPS=$(( $SKIPS + 1 ))
1042 return
1043 fi
1044
1045 analyze_test_commands "$@"
1046
1047 TIMES_LEFT=2
1048 while [ $TIMES_LEFT -gt 0 ]; do
1049 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
1050
Gilles Peskine5d8e7022021-10-19 16:35:35 +0200[diff] [blame]1051 do_run_test_once
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]1052
Gilles Peskinea28fd412021-10-19 17:23:25 +0200[diff] [blame^]1053 check_test_failure "$@"
1054 case $outcome in
1055 PASS) break;;
1056 RETRY) printf "RETRY ";;
1057 FAIL) return;;
1058 esac
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame]1059 done
1060
Gilles Peskinea28fd412021-10-19 17:23:25 +0200[diff] [blame^]1061 # If we get this far, the test case passed.
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]1062 record_outcome "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]1063 if [ "$PRESERVE_LOGS" -gt 0 ]; then
1064 mv $SRV_OUT o-srv-${TESTS}.log
1065 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]1066 if [ -n "$PXY_CMD" ]; then
1067 mv $PXY_OUT o-pxy-${TESTS}.log
1068 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]1069 fi
1070
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1071 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1072}
1073
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1074run_test_psa() {
1075 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Hanno Beckere9420c22018-11-20 11:37:34 +0000[diff] [blame]1076 run_test "PSA-supported ciphersuite: $1" \
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]1077 "$P_SRV debug_level=3 force_version=tls1_2" \
1078 "$P_CLI debug_level=3 force_version=tls1_2 force_ciphersuite=$1" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1079 0 \
1080 -c "Successfully setup PSA-based decryption cipher context" \
1081 -c "Successfully setup PSA-based encryption cipher context" \
Andrzej Kurek683d77e2019-01-30 03:50:42 -0500[diff] [blame]1082 -c "PSA calc verify" \
Andrzej Kurek92dd4d02019-01-30 04:10:19 -0500[diff] [blame]1083 -c "calc PSA finished" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1084 -s "Successfully setup PSA-based decryption cipher context" \
1085 -s "Successfully setup PSA-based encryption cipher context" \
Andrzej Kurek683d77e2019-01-30 03:50:42 -0500[diff] [blame]1086 -s "PSA calc verify" \
Andrzej Kurek92dd4d02019-01-30 04:10:19 -0500[diff] [blame]1087 -s "calc PSA finished" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1088 -C "Failed to setup PSA-based cipher context"\
1089 -S "Failed to setup PSA-based cipher context"\
1090 -s "Protocol is TLSv1.2" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1091 -c "Perform PSA-based ECDH computation."\
Andrzej Kureke85414e2019-01-15 05:23:59 -0500[diff] [blame]1092 -c "Perform PSA-based computation of digest of ServerKeyExchange" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1093 -S "error" \
1094 -C "error"
1095}
1096
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1097run_test_psa_force_curve() {
1098 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
1099 run_test "PSA - ECDH with $1" \
1100 "$P_SRV debug_level=4 force_version=tls1_2" \
1101 "$P_CLI debug_level=4 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \
1102 0 \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1103 -c "Successfully setup PSA-based decryption cipher context" \
1104 -c "Successfully setup PSA-based encryption cipher context" \
1105 -c "PSA calc verify" \
1106 -c "calc PSA finished" \
1107 -s "Successfully setup PSA-based decryption cipher context" \
1108 -s "Successfully setup PSA-based encryption cipher context" \
1109 -s "PSA calc verify" \
1110 -s "calc PSA finished" \
1111 -C "Failed to setup PSA-based cipher context"\
1112 -S "Failed to setup PSA-based cipher context"\
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1113 -s "Protocol is TLSv1.2" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1114 -c "Perform PSA-based ECDH computation."\
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1115 -c "Perform PSA-based computation of digest of ServerKeyExchange" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1116 -S "error" \
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1117 -C "error"
1118}
1119
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1120# Test that the server's memory usage after a handshake is reduced when a client specifies
1121# a maximum fragment length.
1122# first argument ($1) is MFL for SSL client
1123# second argument ($2) is memory usage for SSL client with default MFL (16k)
1124run_test_memory_after_hanshake_with_mfl()
1125{
1126 # The test passes if the difference is around 2*(16k-MFL)
Gilles Peskine5b428d72020-08-26 21:52:23 +0200[diff] [blame]1127 MEMORY_USAGE_LIMIT="$(( $2 - ( 2 * ( 16384 - $1 )) ))"
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1128
1129 # Leave some margin for robustness
1130 MEMORY_USAGE_LIMIT="$(( ( MEMORY_USAGE_LIMIT * 110 ) / 100 ))"
1131
1132 run_test "Handshake memory usage (MFL $1)" \
1133 "$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \
1134 "$P_CLI debug_level=3 force_version=tls1_2 \
1135 crt_file=data_files/server5.crt key_file=data_files/server5.key \
1136 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \
1137 0 \
1138 -F "handshake_memory_check $MEMORY_USAGE_LIMIT"
1139}
1140
1141
1142# Test that the server's memory usage after a handshake is reduced when a client specifies
1143# different values of Maximum Fragment Length: default (16k), 4k, 2k, 1k and 512 bytes
1144run_tests_memory_after_hanshake()
1145{
1146 # all tests in this sequence requires the same configuration (see requires_config_enabled())
1147 SKIP_THIS_TESTS="$SKIP_NEXT"
1148
1149 # first test with default MFU is to get reference memory usage
1150 MEMORY_USAGE_MFL_16K=0
1151 run_test "Handshake memory usage initial (MFL 16384 - default)" \
1152 "$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \
1153 "$P_CLI debug_level=3 force_version=tls1_2 \
1154 crt_file=data_files/server5.crt key_file=data_files/server5.key \
1155 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \
1156 0 \
1157 -F "handshake_memory_get MEMORY_USAGE_MFL_16K"
1158
1159 SKIP_NEXT="$SKIP_THIS_TESTS"
1160 run_test_memory_after_hanshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
1161
1162 SKIP_NEXT="$SKIP_THIS_TESTS"
1163 run_test_memory_after_hanshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
1164
1165 SKIP_NEXT="$SKIP_THIS_TESTS"
1166 run_test_memory_after_hanshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
1167
1168 SKIP_NEXT="$SKIP_THIS_TESTS"
1169 run_test_memory_after_hanshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
1170}
1171
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1172cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1173 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Piotr Nowicki3de298f2020-04-16 14:35:19 +0200[diff] [blame]1174 rm -f context_srv.txt
1175 rm -f context_cli.txt
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1176 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
1177 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
1178 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
1179 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1180 exit 1
1181}
1182
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]1183#
1184# MAIN
1185#
1186
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]1187get_options "$@"
1188
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1189# Optimize filters: if $FILTER and $EXCLUDE can be expressed as shell
1190# patterns rather than regular expressions, use a case statement instead
1191# of calling grep. To keep the optimizer simple, it is incomplete and only
1192# detects simple cases: plain substring, everything, nothing.
1193#
1194# As an exception, the character '.' is treated as an ordinary character
1195# if it is the only special character in the string. This is because it's
1196# rare to need "any one character", but needing a literal '.' is common
1197# (e.g. '-f "DTLS 1.2"').
1198need_grep=
1199case "$FILTER" in
1200 '^$') simple_filter=;;
1201 '.*') simple_filter='*';;
Gilles Peskineb09e0012020-09-29 23:48:39 +0200[diff] [blame]1202 *[][$+*?\\^{\|}]*) # Regexp special characters (other than .), we need grep
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1203 need_grep=1;;
1204 *) # No regexp or shell-pattern special character
1205 simple_filter="*$FILTER*";;
1206esac
1207case "$EXCLUDE" in
1208 '^$') simple_exclude=;;
1209 '.*') simple_exclude='*';;
Gilles Peskineb09e0012020-09-29 23:48:39 +0200[diff] [blame]1210 *[][$+*?\\^{\|}]*) # Regexp special characters (other than .), we need grep
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1211 need_grep=1;;
1212 *) # No regexp or shell-pattern special character
1213 simple_exclude="*$EXCLUDE*";;
1214esac
1215if [ -n "$need_grep" ]; then
1216 is_excluded () {
1217 ! echo "$1" | grep "$FILTER" | grep -q -v "$EXCLUDE"
1218 }
1219else
1220 is_excluded () {
1221 case "$1" in
1222 $simple_exclude) true;;
1223 $simple_filter) false;;
1224 *) true;;
1225 esac
1226 }
1227fi
1228
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1229# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]1230P_SRV_BIN="${P_SRV%%[ ]*}"
1231P_CLI_BIN="${P_CLI%%[ ]*}"
1232P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1233if [ ! -x "$P_SRV_BIN" ]; then
1234 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1235 exit 1
1236fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1237if [ ! -x "$P_CLI_BIN" ]; then
1238 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1239 exit 1
1240fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1241if [ ! -x "$P_PXY_BIN" ]; then
1242 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1243 exit 1
1244fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]1245if [ "$MEMCHECK" -gt 0 ]; then
1246 if which valgrind >/dev/null 2>&1; then :; else
1247 echo "Memcheck not possible. Valgrind not found"
1248 exit 1
1249 fi
1250fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1251if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
1252 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1253 exit 1
1254fi
1255
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]1256# used by watchdog
1257MAIN_PID="$$"
1258
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1259# We use somewhat arbitrary delays for tests:
1260# - how long do we wait for the server to start (when lsof not available)?
1261# - how long do we allow for the client to finish?
1262# (not to check performance, just to avoid waiting indefinitely)
1263# Things are slower with valgrind, so give extra time here.
1264#
1265# Note: without lsof, there is a trade-off between the running time of this
1266# script and the risk of spurious errors because we didn't wait long enough.
1267# The watchdog delay on the other hand doesn't affect normal running time of
1268# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1269if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1270 START_DELAY=6
1271 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1272else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1273 START_DELAY=2
1274 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1275fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1276
1277# some particular tests need more time:
1278# - for the client, we multiply the usual watchdog limit by a factor
1279# - for the server, we sleep for a number of seconds after the client exits
1280# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]1281CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]1282SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1283
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1284# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]1285# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Paul Elliottccba1292021-10-12 16:10:37 +0100[diff] [blame]1286# Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many
1287# machines that will resolve to ::1, and we don't want ipv6 here.
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1288P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
1289P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]1290P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Gilles Peskine3aec89b2021-04-01 14:00:11 +0200[diff] [blame]1291O_SRV="$O_SRV -accept $SRV_PORT"
Paul Elliottccba1292021-10-12 16:10:37 +0100[diff] [blame]1292O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1293G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1294G_CLI="$G_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1295
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1296if [ -n "${OPENSSL_LEGACY:-}" ]; then
1297 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Paul Elliottccba1292021-10-12 16:10:37 +0100[diff] [blame]1298 O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1299fi
1300
Paul Elliott633a74e2021-10-13 18:31:07 +0100[diff] [blame]1301if [ -n "${OPENSSL_NEXT:-}" ]; then
1302 O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
Paul Elliottccba1292021-10-12 16:10:37 +0100[diff] [blame]1303 O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
Paul Elliott633a74e2021-10-13 18:31:07 +0100[diff] [blame]1304fi
1305
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1306if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1307 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
1308fi
1309
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1310if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1311 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1312fi
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1313
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]1314# Allow SHA-1, because many of our test certificates use it
1315P_SRV="$P_SRV allow_sha1=1"
1316P_CLI="$P_CLI allow_sha1=1"
1317
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1318# Also pick a unique name for intermediate files
1319SRV_OUT="srv_out.$$"
1320CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1321PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1322SESSION="session.$$"
1323
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]1324SKIP_NEXT="NO"
1325
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1326trap cleanup INT TERM HUP
1327
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1328# Basic test
1329
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1330# Checks that:
1331# - things work with all ciphersuites active (used with config-full in all.sh)
1332# - the expected (highest security) parameters are selected
1333# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1334run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1335 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1336 "$P_CLI" \
1337 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1338 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1339 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1340 -s "client hello v3, signature_algorithm ext: 6" \
1341 -s "ECDHE curve: secp521r1" \
1342 -S "error" \
1343 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1344
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1345run_test "Default, DTLS" \
1346 "$P_SRV dtls=1" \
1347 "$P_CLI dtls=1" \
1348 0 \
1349 -s "Protocol is DTLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1350 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1351
Hanno Becker721f7c12020-08-17 12:17:32 +0100[diff] [blame]1352run_test "TLS client auth: required" \
1353 "$P_SRV auth_mode=required" \
1354 "$P_CLI" \
1355 0 \
1356 -s "Verifying peer X.509 certificate... ok"
1357
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]1358requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1359requires_config_enabled MBEDTLS_ECDSA_C
1360requires_config_enabled MBEDTLS_SHA256_C
1361run_test "TLS: password protected client key" \
1362 "$P_SRV auth_mode=required" \
1363 "$P_CLI crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \
1364 0
1365
1366requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1367requires_config_enabled MBEDTLS_ECDSA_C
1368requires_config_enabled MBEDTLS_SHA256_C
1369run_test "TLS: password protected server key" \
1370 "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \
1371 "$P_CLI" \
1372 0
1373
1374requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1375requires_config_enabled MBEDTLS_ECDSA_C
1376requires_config_enabled MBEDTLS_RSA_C
1377requires_config_enabled MBEDTLS_SHA256_C
1378run_test "TLS: password protected server key, two certificates" \
1379 "$P_SRV \
1380 key_file=data_files/server5.key.enc key_pwd=PolarSSLTest crt_file=data_files/server5.crt \
1381 key_file2=data_files/server2.key.enc key_pwd2=PolarSSLTest crt_file2=data_files/server2.crt" \
1382 "$P_CLI" \
1383 0
1384
Manuel Pégourié-Gonnard342d2ca2020-01-02 11:58:00 +0100[diff] [blame]1385requires_config_enabled MBEDTLS_ZLIB_SUPPORT
1386run_test "Default (compression enabled)" \
1387 "$P_SRV debug_level=3" \
1388 "$P_CLI debug_level=3" \
1389 0 \
1390 -s "Allocating compression buffer" \
1391 -c "Allocating compression buffer" \
1392 -s "Record expansion is unknown (compression)" \
1393 -c "Record expansion is unknown (compression)" \
1394 -S "error" \
1395 -C "error"
1396
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]1397requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
1398run_test "CA callback on client" \
1399 "$P_SRV debug_level=3" \
1400 "$P_CLI ca_callback=1 debug_level=3 " \
1401 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]1402 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]1403 -S "error" \
1404 -C "error"
1405
1406requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
1407requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1408requires_config_enabled MBEDTLS_ECDSA_C
1409requires_config_enabled MBEDTLS_SHA256_C
1410run_test "CA callback on server" \
1411 "$P_SRV auth_mode=required" \
1412 "$P_CLI ca_callback=1 debug_level=3 crt_file=data_files/server5.crt \
1413 key_file=data_files/server5.key" \
1414 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]1415 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]1416 -s "Verifying peer X.509 certificate... ok" \
1417 -S "error" \
1418 -C "error"
1419
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame]1420# Test using an opaque private key for client authentication
1421requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
1422requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1423requires_config_enabled MBEDTLS_ECDSA_C
1424requires_config_enabled MBEDTLS_SHA256_C
1425run_test "Opaque key for client authentication" \
1426 "$P_SRV auth_mode=required" \
1427 "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
1428 key_file=data_files/server5.key" \
1429 0 \
1430 -c "key type: Opaque" \
1431 -s "Verifying peer X.509 certificate... ok" \
1432 -S "error" \
1433 -C "error"
1434
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1435# Test ciphersuites which we expect to be fully supported by PSA Crypto
1436# and check that we don't fall back to Mbed TLS' internal crypto primitives.
1437run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
1438run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
1439run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM
1440run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8
1441run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
1442run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
1443run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
1444run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
1445run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
1446
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1447requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1448run_test_psa_force_curve "secp521r1"
1449requires_config_enabled MBEDTLS_ECP_DP_BP512R1_ENABLED
1450run_test_psa_force_curve "brainpoolP512r1"
1451requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
1452run_test_psa_force_curve "secp384r1"
1453requires_config_enabled MBEDTLS_ECP_DP_BP384R1_ENABLED
1454run_test_psa_force_curve "brainpoolP384r1"
1455requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
1456run_test_psa_force_curve "secp256r1"
1457requires_config_enabled MBEDTLS_ECP_DP_SECP256K1_ENABLED
1458run_test_psa_force_curve "secp256k1"
1459requires_config_enabled MBEDTLS_ECP_DP_BP256R1_ENABLED
1460run_test_psa_force_curve "brainpoolP256r1"
1461requires_config_enabled MBEDTLS_ECP_DP_SECP224R1_ENABLED
1462run_test_psa_force_curve "secp224r1"
Gilles Peskinedefdc3b2021-03-23 13:59:58 +0100[diff] [blame]1463## SECP224K1 is buggy via the PSA API
1464## (https://github.com/ARMmbed/mbedtls/issues/3541),
1465## so it is disabled in PSA even when it's enabled in Mbed TLS.
1466## The proper dependency would be on PSA_WANT_ECC_SECP_K1_224 but
1467## dependencies on PSA symbols in ssl-opt.sh are not implemented yet.
1468#requires_config_enabled MBEDTLS_ECP_DP_SECP224K1_ENABLED
1469#run_test_psa_force_curve "secp224k1"
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1470requires_config_enabled MBEDTLS_ECP_DP_SECP192R1_ENABLED
1471run_test_psa_force_curve "secp192r1"
1472requires_config_enabled MBEDTLS_ECP_DP_SECP192K1_ENABLED
1473run_test_psa_force_curve "secp192k1"
1474
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1475# Test current time in ServerHello
1476requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1477run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1478 "$P_SRV debug_level=3" \
1479 "$P_CLI debug_level=3" \
1480 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1481 -f "check_server_hello_time" \
1482 -F "check_server_hello_time"
1483
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1484# Test for uniqueness of IVs in AEAD ciphersuites
1485run_test "Unique IV in GCM" \
1486 "$P_SRV exchanges=20 debug_level=4" \
1487 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1488 0 \
1489 -u "IV used" \
1490 -U "IV used"
1491
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1492# Tests for certificate verification callback
1493run_test "Configuration-specific CRT verification callback" \
1494 "$P_SRV debug_level=3" \
1495 "$P_CLI context_crt_cb=0 debug_level=3" \
1496 0 \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1497 -S "error" \
1498 -c "Verify requested for " \
1499 -c "Use configuration-specific verification callback" \
1500 -C "Use context-specific verification callback" \
1501 -C "error"
1502
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1503run_test "Context-specific CRT verification callback" \
1504 "$P_SRV debug_level=3" \
1505 "$P_CLI context_crt_cb=1 debug_level=3" \
1506 0 \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1507 -S "error" \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1508 -c "Verify requested for " \
1509 -c "Use context-specific verification callback" \
1510 -C "Use configuration-specific verification callback" \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1511 -C "error"
1512
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1513# Tests for rc4 option
1514
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1515requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1516run_test "RC4: server disabled, client enabled" \
1517 "$P_SRV" \
1518 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1519 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1520 -s "SSL - The server has no ciphersuites in common"
1521
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1522requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1523run_test "RC4: server half, client enabled" \
1524 "$P_SRV arc4=1" \
1525 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1526 1 \
1527 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1528
1529run_test "RC4: server enabled, client disabled" \
1530 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1531 "$P_CLI" \
1532 1 \
1533 -s "SSL - The server has no ciphersuites in common"
1534
1535run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1536 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1537 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1538 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1539 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1540 -S "SSL - The server has no ciphersuites in common"
1541
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1542# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
1543
1544requires_gnutls
1545requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
1546run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
1547 "$G_SRV"\
1548 "$P_CLI force_version=tls1_1" \
1549 0
1550
1551requires_gnutls
1552requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
1553run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
1554 "$G_SRV"\
1555 "$P_CLI force_version=tls1" \
1556 0
1557
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1558# Tests for SHA-1 support
1559
1560run_test "SHA-1 forbidden by default in server certificate" \
1561 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1562 "$P_CLI debug_level=2 allow_sha1=0" \
1563 1 \
1564 -c "The certificate is signed with an unacceptable hash"
1565
1566run_test "SHA-1 explicitly allowed in server certificate" \
1567 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1568 "$P_CLI allow_sha1=1" \
1569 0
1570
1571run_test "SHA-256 allowed by default in server certificate" \
1572 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
1573 "$P_CLI allow_sha1=0" \
1574 0
1575
1576run_test "SHA-1 forbidden by default in client certificate" \
1577 "$P_SRV auth_mode=required allow_sha1=0" \
1578 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1579 1 \
1580 -s "The certificate is signed with an unacceptable hash"
1581
1582run_test "SHA-1 explicitly allowed in client certificate" \
1583 "$P_SRV auth_mode=required allow_sha1=1" \
1584 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1585 0
1586
1587run_test "SHA-256 allowed by default in client certificate" \
1588 "$P_SRV auth_mode=required allow_sha1=0" \
1589 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
1590 0
1591
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1592# Tests for datagram packing
1593run_test "DTLS: multiple records in same datagram, client and server" \
1594 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1595 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1596 0 \
1597 -c "next record in same datagram" \
1598 -s "next record in same datagram"
1599
1600run_test "DTLS: multiple records in same datagram, client only" \
1601 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1602 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1603 0 \
1604 -s "next record in same datagram" \
1605 -C "next record in same datagram"
1606
1607run_test "DTLS: multiple records in same datagram, server only" \
1608 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1609 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1610 0 \
1611 -S "next record in same datagram" \
1612 -c "next record in same datagram"
1613
1614run_test "DTLS: multiple records in same datagram, neither client nor server" \
1615 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1616 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1617 0 \
1618 -S "next record in same datagram" \
1619 -C "next record in same datagram"
1620
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1621# Tests for Truncated HMAC extension
1622
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1623run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1624 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1625 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1626 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1627 -s "dumping 'expected mac' (20 bytes)" \
1628 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1629
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1630requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1631run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1632 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1633 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1634 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1635 -s "dumping 'expected mac' (20 bytes)" \
1636 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1637
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1638requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1639run_test "Truncated HMAC: client enabled, server default" \
1640 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1641 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1642 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1643 -s "dumping 'expected mac' (20 bytes)" \
1644 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1645
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1646requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1647run_test "Truncated HMAC: client enabled, server disabled" \
1648 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1649 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1650 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1651 -s "dumping 'expected mac' (20 bytes)" \
1652 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1653
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1654requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1655run_test "Truncated HMAC: client disabled, server enabled" \
1656 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1657 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1658 0 \
1659 -s "dumping 'expected mac' (20 bytes)" \
1660 -S "dumping 'expected mac' (10 bytes)"
1661
1662requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1663run_test "Truncated HMAC: client enabled, server enabled" \
1664 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1665 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1666 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1667 -S "dumping 'expected mac' (20 bytes)" \
1668 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1669
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1670run_test "Truncated HMAC, DTLS: client default, server default" \
1671 "$P_SRV dtls=1 debug_level=4" \
1672 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1673 0 \
1674 -s "dumping 'expected mac' (20 bytes)" \
1675 -S "dumping 'expected mac' (10 bytes)"
1676
1677requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1678run_test "Truncated HMAC, DTLS: client disabled, server default" \
1679 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1680 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1681 0 \
1682 -s "dumping 'expected mac' (20 bytes)" \
1683 -S "dumping 'expected mac' (10 bytes)"
1684
1685requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1686run_test "Truncated HMAC, DTLS: client enabled, server default" \
1687 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1688 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1689 0 \
1690 -s "dumping 'expected mac' (20 bytes)" \
1691 -S "dumping 'expected mac' (10 bytes)"
1692
1693requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1694run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1695 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1696 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1697 0 \
1698 -s "dumping 'expected mac' (20 bytes)" \
1699 -S "dumping 'expected mac' (10 bytes)"
1700
1701requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1702run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1703 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1704 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1705 0 \
1706 -s "dumping 'expected mac' (20 bytes)" \
1707 -S "dumping 'expected mac' (10 bytes)"
1708
1709requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1710run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1711 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1712 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1713 0 \
1714 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1715 -s "dumping 'expected mac' (10 bytes)"
1716
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1717# Tests for Context serialization
1718
1719requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1720run_test "Context serialization, client serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1721 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1722 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1723 0 \
1724 -c "Deserializing connection..." \
1725 -S "Deserializing connection..."
1726
1727requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1728run_test "Context serialization, client serializes, ChaChaPoly" \
1729 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1730 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1731 0 \
1732 -c "Deserializing connection..." \
1733 -S "Deserializing connection..."
1734
1735requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1736run_test "Context serialization, client serializes, GCM" \
1737 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1738 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1739 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]1740 -c "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1741 -S "Deserializing connection..."
1742
1743requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1744requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1745run_test "Context serialization, client serializes, with CID" \
1746 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1747 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1748 0 \
1749 -c "Deserializing connection..." \
1750 -S "Deserializing connection..."
1751
1752requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1753run_test "Context serialization, server serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1754 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1755 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1756 0 \
1757 -C "Deserializing connection..." \
1758 -s "Deserializing connection..."
1759
1760requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1761run_test "Context serialization, server serializes, ChaChaPoly" \
1762 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1763 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1764 0 \
1765 -C "Deserializing connection..." \
1766 -s "Deserializing connection..."
1767
1768requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1769run_test "Context serialization, server serializes, GCM" \
1770 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1771 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1772 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]1773 -C "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1774 -s "Deserializing connection..."
1775
1776requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1777requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1778run_test "Context serialization, server serializes, with CID" \
1779 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1780 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1781 0 \
1782 -C "Deserializing connection..." \
1783 -s "Deserializing connection..."
1784
1785requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1786run_test "Context serialization, both serialize, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1787 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1788 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1789 0 \
1790 -c "Deserializing connection..." \
1791 -s "Deserializing connection..."
1792
1793requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1794run_test "Context serialization, both serialize, ChaChaPoly" \
1795 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1796 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1797 0 \
1798 -c "Deserializing connection..." \
1799 -s "Deserializing connection..."
1800
1801requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1802run_test "Context serialization, both serialize, GCM" \
1803 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1804 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1805 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]1806 -c "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1807 -s "Deserializing connection..."
1808
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1809requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1810requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1811run_test "Context serialization, both serialize, with CID" \
1812 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1813 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1814 0 \
1815 -c "Deserializing connection..." \
1816 -s "Deserializing connection..."
1817
1818requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1819run_test "Context serialization, re-init, client serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1820 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1821 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1822 0 \
1823 -c "Deserializing connection..." \
1824 -S "Deserializing connection..."
1825
1826requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1827run_test "Context serialization, re-init, client serializes, ChaChaPoly" \
1828 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1829 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1830 0 \
1831 -c "Deserializing connection..." \
1832 -S "Deserializing connection..."
1833
1834requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1835run_test "Context serialization, re-init, client serializes, GCM" \
1836 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1837 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1838 0 \
1839 -c "Deserializing connection..." \
1840 -S "Deserializing connection..."
1841
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1842requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1843requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1844run_test "Context serialization, re-init, client serializes, with CID" \
1845 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1846 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1847 0 \
1848 -c "Deserializing connection..." \
1849 -S "Deserializing connection..."
1850
1851requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1852run_test "Context serialization, re-init, server serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1853 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1854 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1855 0 \
1856 -C "Deserializing connection..." \
1857 -s "Deserializing connection..."
1858
1859requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1860run_test "Context serialization, re-init, server serializes, ChaChaPoly" \
1861 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1862 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1863 0 \
1864 -C "Deserializing connection..." \
1865 -s "Deserializing connection..."
1866
1867requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1868run_test "Context serialization, re-init, server serializes, GCM" \
1869 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1870 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1871 0 \
1872 -C "Deserializing connection..." \
1873 -s "Deserializing connection..."
1874
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1875requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1876requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1877run_test "Context serialization, re-init, server serializes, with CID" \
1878 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1879 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1880 0 \
1881 -C "Deserializing connection..." \
1882 -s "Deserializing connection..."
1883
1884requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1885run_test "Context serialization, re-init, both serialize, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1886 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1887 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1888 0 \
1889 -c "Deserializing connection..." \
1890 -s "Deserializing connection..."
1891
1892requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1893run_test "Context serialization, re-init, both serialize, ChaChaPoly" \
1894 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1895 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1896 0 \
1897 -c "Deserializing connection..." \
1898 -s "Deserializing connection..."
1899
1900requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1901run_test "Context serialization, re-init, both serialize, GCM" \
1902 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1903 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1904 0 \
1905 -c "Deserializing connection..." \
1906 -s "Deserializing connection..."
1907
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1908requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1909requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1910run_test "Context serialization, re-init, both serialize, with CID" \
1911 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1912 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1913 0 \
1914 -c "Deserializing connection..." \
1915 -s "Deserializing connection..."
1916
Piotr Nowicki3de298f2020-04-16 14:35:19 +0200[diff] [blame]1917requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1918run_test "Saving the serialized context to a file" \
1919 "$P_SRV dtls=1 serialize=1 context_file=context_srv.txt" \
1920 "$P_CLI dtls=1 serialize=1 context_file=context_cli.txt" \
1921 0 \
1922 -s "Save serialized context to a file... ok" \
1923 -c "Save serialized context to a file... ok"
1924rm -f context_srv.txt
1925rm -f context_cli.txt
1926
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1927# Tests for DTLS Connection ID extension
1928
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1929# So far, the CID API isn't implemented, so we can't
1930# grep for output witnessing its use. This needs to be
1931# changed once the CID extension is implemented.
1932
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1933requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1934run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1935 "$P_SRV debug_level=3 dtls=1 cid=0" \
1936 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1937 0 \
1938 -s "Disable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1939 -s "found CID extension" \
1940 -s "Client sent CID extension, but CID disabled" \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1941 -c "Enable use of CID extension." \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1942 -c "client hello, adding CID extension" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1943 -S "server hello, adding CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1944 -C "found CID extension" \
1945 -S "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1946 -C "Copy CIDs into SSL transform" \
1947 -c "Use of Connection ID was rejected by the server"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1948
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1949requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1950run_test "Connection ID: Cli disabled, Srv enabled" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1951 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1952 "$P_CLI debug_level=3 dtls=1 cid=0" \
1953 0 \
1954 -c "Disable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1955 -C "client hello, adding CID extension" \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1956 -S "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1957 -s "Enable use of CID extension." \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1958 -S "server hello, adding CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1959 -C "found CID extension" \
1960 -S "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1961 -C "Copy CIDs into SSL transform" \
Hanno Beckerb3e9dd52019-05-08 13:19:53 +0100[diff] [blame]1962 -s "Use of Connection ID was not offered by client"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1963
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1964requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1965run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1966 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1967 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
1968 0 \
1969 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1970 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1971 -c "client hello, adding CID extension" \
1972 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1973 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1974 -s "server hello, adding CID extension" \
1975 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1976 -c "Use of CID extension negotiated" \
1977 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1978 -c "Copy CIDs into SSL transform" \
1979 -c "Peer CID (length 2 Bytes): de ad" \
1980 -s "Peer CID (length 2 Bytes): be ef" \
1981 -s "Use of Connection ID has been negotiated" \
1982 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1983
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1984requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1985run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]1986 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1987 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
1988 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
1989 0 \
1990 -c "Enable use of CID extension." \
1991 -s "Enable use of CID extension." \
1992 -c "client hello, adding CID extension" \
1993 -s "found CID extension" \
1994 -s "Use of CID extension negotiated" \
1995 -s "server hello, adding CID extension" \
1996 -c "found CID extension" \
1997 -c "Use of CID extension negotiated" \
1998 -s "Copy CIDs into SSL transform" \
1999 -c "Copy CIDs into SSL transform" \
2000 -c "Peer CID (length 2 Bytes): de ad" \
2001 -s "Peer CID (length 2 Bytes): be ef" \
2002 -s "Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2003 -c "Use of Connection ID has been negotiated" \
2004 -c "ignoring unexpected CID" \
2005 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2006
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2007requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2008run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
2009 -p "$P_PXY mtu=800" \
2010 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
2011 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
2012 0 \
2013 -c "Enable use of CID extension." \
2014 -s "Enable use of CID extension." \
2015 -c "client hello, adding CID extension" \
2016 -s "found CID extension" \
2017 -s "Use of CID extension negotiated" \
2018 -s "server hello, adding CID extension" \
2019 -c "found CID extension" \
2020 -c "Use of CID extension negotiated" \
2021 -s "Copy CIDs into SSL transform" \
2022 -c "Copy CIDs into SSL transform" \
2023 -c "Peer CID (length 2 Bytes): de ad" \
2024 -s "Peer CID (length 2 Bytes): be ef" \
2025 -s "Use of Connection ID has been negotiated" \
2026 -c "Use of Connection ID has been negotiated"
2027
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2028requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2029run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2030 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2031 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
2032 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
2033 0 \
2034 -c "Enable use of CID extension." \
2035 -s "Enable use of CID extension." \
2036 -c "client hello, adding CID extension" \
2037 -s "found CID extension" \
2038 -s "Use of CID extension negotiated" \
2039 -s "server hello, adding CID extension" \
2040 -c "found CID extension" \
2041 -c "Use of CID extension negotiated" \
2042 -s "Copy CIDs into SSL transform" \
2043 -c "Copy CIDs into SSL transform" \
2044 -c "Peer CID (length 2 Bytes): de ad" \
2045 -s "Peer CID (length 2 Bytes): be ef" \
2046 -s "Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2047 -c "Use of Connection ID has been negotiated" \
2048 -c "ignoring unexpected CID" \
2049 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2050
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2051requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2052run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2053 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
2054 "$P_CLI debug_level=3 dtls=1 cid=1" \
2055 0 \
2056 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2057 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2058 -c "client hello, adding CID extension" \
2059 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2060 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2061 -s "server hello, adding CID extension" \
2062 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2063 -c "Use of CID extension negotiated" \
2064 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2065 -c "Copy CIDs into SSL transform" \
2066 -c "Peer CID (length 4 Bytes): de ad be ef" \
2067 -s "Peer CID (length 0 Bytes):" \
2068 -s "Use of Connection ID has been negotiated" \
2069 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2070
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2071requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2072run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2073 "$P_SRV debug_level=3 dtls=1 cid=1" \
2074 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
2075 0 \
2076 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2077 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2078 -c "client hello, adding CID extension" \
2079 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2080 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2081 -s "server hello, adding CID extension" \
2082 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2083 -c "Use of CID extension negotiated" \
2084 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2085 -c "Copy CIDs into SSL transform" \
2086 -s "Peer CID (length 4 Bytes): de ad be ef" \
2087 -c "Peer CID (length 0 Bytes):" \
2088 -s "Use of Connection ID has been negotiated" \
2089 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2090
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2091requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2092run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2093 "$P_SRV debug_level=3 dtls=1 cid=1" \
2094 "$P_CLI debug_level=3 dtls=1 cid=1" \
2095 0 \
2096 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2097 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2098 -c "client hello, adding CID extension" \
2099 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2100 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2101 -s "server hello, adding CID extension" \
2102 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2103 -c "Use of CID extension negotiated" \
2104 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]2105 -c "Copy CIDs into SSL transform" \
2106 -S "Use of Connection ID has been negotiated" \
2107 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2108
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2109requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2110run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2111 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
2112 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2113 0 \
2114 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2115 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2116 -c "client hello, adding CID extension" \
2117 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2118 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2119 -s "server hello, adding CID extension" \
2120 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2121 -c "Use of CID extension negotiated" \
2122 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2123 -c "Copy CIDs into SSL transform" \
2124 -c "Peer CID (length 2 Bytes): de ad" \
2125 -s "Peer CID (length 2 Bytes): be ef" \
2126 -s "Use of Connection ID has been negotiated" \
2127 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2128
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2129requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2130run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2131 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
2132 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2133 0 \
2134 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2135 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2136 -c "client hello, adding CID extension" \
2137 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2138 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2139 -s "server hello, adding CID extension" \
2140 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2141 -c "Use of CID extension negotiated" \
2142 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2143 -c "Copy CIDs into SSL transform" \
2144 -c "Peer CID (length 4 Bytes): de ad be ef" \
2145 -s "Peer CID (length 0 Bytes):" \
2146 -s "Use of Connection ID has been negotiated" \
2147 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2148
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2149requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2150run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2151 "$P_SRV debug_level=3 dtls=1 cid=1" \
2152 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2153 0 \
2154 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2155 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2156 -c "client hello, adding CID extension" \
2157 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2158 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2159 -s "server hello, adding CID extension" \
2160 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2161 -c "Use of CID extension negotiated" \
2162 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2163 -c "Copy CIDs into SSL transform" \
2164 -s "Peer CID (length 4 Bytes): de ad be ef" \
2165 -c "Peer CID (length 0 Bytes):" \
2166 -s "Use of Connection ID has been negotiated" \
2167 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2168
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2169requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2170run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2171 "$P_SRV debug_level=3 dtls=1 cid=1" \
2172 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2173 0 \
2174 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2175 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2176 -c "client hello, adding CID extension" \
2177 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2178 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2179 -s "server hello, adding CID extension" \
2180 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2181 -c "Use of CID extension negotiated" \
2182 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]2183 -c "Copy CIDs into SSL transform" \
2184 -S "Use of Connection ID has been negotiated" \
2185 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2186
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2187requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2188run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2189 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
2190 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2191 0 \
2192 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2193 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2194 -c "client hello, adding CID extension" \
2195 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2196 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2197 -s "server hello, adding CID extension" \
2198 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2199 -c "Use of CID extension negotiated" \
2200 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2201 -c "Copy CIDs into SSL transform" \
2202 -c "Peer CID (length 2 Bytes): de ad" \
2203 -s "Peer CID (length 2 Bytes): be ef" \
2204 -s "Use of Connection ID has been negotiated" \
2205 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2206
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2207requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2208run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2209 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
2210 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2211 0 \
2212 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2213 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2214 -c "client hello, adding CID extension" \
2215 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2216 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2217 -s "server hello, adding CID extension" \
2218 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2219 -c "Use of CID extension negotiated" \
2220 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2221 -c "Copy CIDs into SSL transform" \
2222 -c "Peer CID (length 4 Bytes): de ad be ef" \
2223 -s "Peer CID (length 0 Bytes):" \
2224 -s "Use of Connection ID has been negotiated" \
2225 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2226
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2227requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2228run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2229 "$P_SRV debug_level=3 dtls=1 cid=1" \
2230 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2231 0 \
2232 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2233 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2234 -c "client hello, adding CID extension" \
2235 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2236 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2237 -s "server hello, adding CID extension" \
2238 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2239 -c "Use of CID extension negotiated" \
2240 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2241 -c "Copy CIDs into SSL transform" \
2242 -s "Peer CID (length 4 Bytes): de ad be ef" \
2243 -c "Peer CID (length 0 Bytes):" \
2244 -s "Use of Connection ID has been negotiated" \
2245 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2246
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2247requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2248run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2249 "$P_SRV debug_level=3 dtls=1 cid=1" \
2250 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2251 0 \
2252 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2253 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2254 -c "client hello, adding CID extension" \
2255 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2256 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2257 -s "server hello, adding CID extension" \
2258 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2259 -c "Use of CID extension negotiated" \
2260 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]2261 -c "Copy CIDs into SSL transform" \
2262 -S "Use of Connection ID has been negotiated" \
2263 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2264
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2265requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker9bae30d2019-04-23 11:52:44 +0100[diff] [blame]2266requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2267run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2268 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2269 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2270 0 \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2271 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2272 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2273 -s "(initial handshake) Use of Connection ID has been negotiated" \
2274 -c "(initial handshake) Use of Connection ID has been negotiated" \
2275 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2276 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2277 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2278 -c "(after renegotiation) Use of Connection ID has been negotiated"
2279
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2280requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2281requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2282run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2283 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
2284 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2285 0 \
2286 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2287 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2288 -s "(initial handshake) Use of Connection ID has been negotiated" \
2289 -c "(initial handshake) Use of Connection ID has been negotiated" \
2290 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2291 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2292 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2293 -c "(after renegotiation) Use of Connection ID has been negotiated"
2294
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2295requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2296requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2297run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
2298 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
2299 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2300 0 \
2301 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2302 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2303 -s "(initial handshake) Use of Connection ID has been negotiated" \
2304 -c "(initial handshake) Use of Connection ID has been negotiated" \
2305 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2306 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2307 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2308 -c "(after renegotiation) Use of Connection ID has been negotiated"
2309
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2310requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2311requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2312run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2313 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2314 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
2315 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2316 0 \
2317 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2318 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2319 -s "(initial handshake) Use of Connection ID has been negotiated" \
2320 -c "(initial handshake) Use of Connection ID has been negotiated" \
2321 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2322 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2323 -s "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2324 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2325 -c "ignoring unexpected CID" \
2326 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2327
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2328requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2329requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2330run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2331 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2332 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2333 0 \
2334 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2335 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2336 -s "(initial handshake) Use of Connection ID has been negotiated" \
2337 -c "(initial handshake) Use of Connection ID has been negotiated" \
2338 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2339 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2340 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2341 -S "(after renegotiation) Use of Connection ID has been negotiated"
2342
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2343requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2344requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2345run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
2346 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2347 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2348 0 \
2349 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2350 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2351 -s "(initial handshake) Use of Connection ID has been negotiated" \
2352 -c "(initial handshake) Use of Connection ID has been negotiated" \
2353 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2354 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2355 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2356 -S "(after renegotiation) Use of Connection ID has been negotiated"
2357
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2358requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2359requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2360run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2361 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2362 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2363 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2364 0 \
2365 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2366 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2367 -s "(initial handshake) Use of Connection ID has been negotiated" \
2368 -c "(initial handshake) Use of Connection ID has been negotiated" \
2369 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2370 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2371 -C "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2372 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2373 -c "ignoring unexpected CID" \
2374 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2375
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2376requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2377requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2378run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2379 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2380 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2381 0 \
2382 -S "(initial handshake) Use of Connection ID has been negotiated" \
2383 -C "(initial handshake) Use of Connection ID has been negotiated" \
2384 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2385 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2386 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2387 -s "(after renegotiation) Use of Connection ID has been negotiated"
2388
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2389requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2390requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2391run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
2392 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2393 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2394 0 \
2395 -S "(initial handshake) Use of Connection ID has been negotiated" \
2396 -C "(initial handshake) Use of Connection ID has been negotiated" \
2397 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2398 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2399 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2400 -s "(after renegotiation) Use of Connection ID has been negotiated"
2401
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2402requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2403requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2404run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2405 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2406 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2407 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2408 0 \
2409 -S "(initial handshake) Use of Connection ID has been negotiated" \
2410 -C "(initial handshake) Use of Connection ID has been negotiated" \
2411 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2412 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2413 -c "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2414 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2415 -c "ignoring unexpected CID" \
2416 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2417
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2418requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2419requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2420run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2421 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2422 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2423 0 \
2424 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2425 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2426 -s "(initial handshake) Use of Connection ID has been negotiated" \
2427 -c "(initial handshake) Use of Connection ID has been negotiated" \
2428 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2429 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2430 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2431 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2432 -s "(after renegotiation) Use of Connection ID was not offered by client"
2433
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2434requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2435requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2436run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2437 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2438 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2439 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2440 0 \
2441 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2442 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2443 -s "(initial handshake) Use of Connection ID has been negotiated" \
2444 -c "(initial handshake) Use of Connection ID has been negotiated" \
2445 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2446 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2447 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2448 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2449 -s "(after renegotiation) Use of Connection ID was not offered by client" \
2450 -c "ignoring unexpected CID" \
2451 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2452
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2453requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2454requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2455run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
2456 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2457 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2458 0 \
2459 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2460 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2461 -s "(initial handshake) Use of Connection ID has been negotiated" \
2462 -c "(initial handshake) Use of Connection ID has been negotiated" \
2463 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2464 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2465 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2466 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2467 -c "(after renegotiation) Use of Connection ID was rejected by the server"
2468
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2469requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2470requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2471run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2472 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2473 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2474 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2475 0 \
2476 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2477 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2478 -s "(initial handshake) Use of Connection ID has been negotiated" \
2479 -c "(initial handshake) Use of Connection ID has been negotiated" \
2480 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2481 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2482 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2483 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2484 -c "(after renegotiation) Use of Connection ID was rejected by the server" \
2485 -c "ignoring unexpected CID" \
2486 -s "ignoring unexpected CID"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2487
Yuto Takano71879532021-07-09 11:32:38 +0100[diff] [blame]2488# This and the test below it require MAX_CONTENT_LEN to be at least MFL+1, because the
2489# tests check that the buffer contents are reallocated when the message is
2490# larger than the buffer.
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]2491requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2492requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
Yuto Takano71879532021-07-09 11:32:38 +0100[diff] [blame]2493requires_max_content_len 513
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]2494run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \
2495 "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
2496 "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \
2497 0 \
2498 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2499 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2500 -s "(initial handshake) Use of Connection ID has been negotiated" \
2501 -c "(initial handshake) Use of Connection ID has been negotiated" \
2502 -s "Reallocating in_buf" \
2503 -s "Reallocating out_buf"
2504
2505requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2506requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
Yuto Takano71879532021-07-09 11:32:38 +0100[diff] [blame]2507requires_max_content_len 1025
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]2508run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \
2509 "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
2510 "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \
2511 0 \
2512 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2513 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2514 -s "(initial handshake) Use of Connection ID has been negotiated" \
2515 -c "(initial handshake) Use of Connection ID has been negotiated" \
2516 -s "Reallocating in_buf" \
2517 -s "Reallocating out_buf"
2518
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2519# Tests for Encrypt-then-MAC extension
2520
2521run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2522 "$P_SRV debug_level=3 \
2523 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2524 "$P_CLI debug_level=3" \
2525 0 \
2526 -c "client hello, adding encrypt_then_mac extension" \
2527 -s "found encrypt then mac extension" \
2528 -s "server hello, adding encrypt then mac extension" \
2529 -c "found encrypt_then_mac extension" \
2530 -c "using encrypt then mac" \
2531 -s "using encrypt then mac"
2532
2533run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2534 "$P_SRV debug_level=3 etm=0 \
2535 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2536 "$P_CLI debug_level=3 etm=1" \
2537 0 \
2538 -c "client hello, adding encrypt_then_mac extension" \
2539 -s "found encrypt then mac extension" \
2540 -S "server hello, adding encrypt then mac extension" \
2541 -C "found encrypt_then_mac extension" \
2542 -C "using encrypt then mac" \
2543 -S "using encrypt then mac"
2544
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2545run_test "Encrypt then MAC: client enabled, aead cipher" \
2546 "$P_SRV debug_level=3 etm=1 \
2547 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
2548 "$P_CLI debug_level=3 etm=1" \
2549 0 \
2550 -c "client hello, adding encrypt_then_mac extension" \
2551 -s "found encrypt then mac extension" \
2552 -S "server hello, adding encrypt then mac extension" \
2553 -C "found encrypt_then_mac extension" \
2554 -C "using encrypt then mac" \
2555 -S "using encrypt then mac"
2556
2557run_test "Encrypt then MAC: client enabled, stream cipher" \
2558 "$P_SRV debug_level=3 etm=1 \
2559 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2560 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2561 0 \
2562 -c "client hello, adding encrypt_then_mac extension" \
2563 -s "found encrypt then mac extension" \
2564 -S "server hello, adding encrypt then mac extension" \
2565 -C "found encrypt_then_mac extension" \
2566 -C "using encrypt then mac" \
2567 -S "using encrypt then mac"
2568
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2569run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2570 "$P_SRV debug_level=3 etm=1 \
2571 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2572 "$P_CLI debug_level=3 etm=0" \
2573 0 \
2574 -C "client hello, adding encrypt_then_mac extension" \
2575 -S "found encrypt then mac extension" \
2576 -S "server hello, adding encrypt then mac extension" \
2577 -C "found encrypt_then_mac extension" \
2578 -C "using encrypt then mac" \
2579 -S "using encrypt then mac"
2580
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2581requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2582run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2583 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2584 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2585 "$P_CLI debug_level=3 force_version=ssl3" \
2586 0 \
2587 -C "client hello, adding encrypt_then_mac extension" \
2588 -S "found encrypt then mac extension" \
2589 -S "server hello, adding encrypt then mac extension" \
2590 -C "found encrypt_then_mac extension" \
2591 -C "using encrypt then mac" \
2592 -S "using encrypt then mac"
2593
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2594requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2595run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2596 "$P_SRV debug_level=3 force_version=ssl3 \
2597 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2598 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2599 0 \
2600 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2601 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2602 -S "server hello, adding encrypt then mac extension" \
2603 -C "found encrypt_then_mac extension" \
2604 -C "using encrypt then mac" \
2605 -S "using encrypt then mac"
2606
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2607# Tests for Extended Master Secret extension
2608
2609run_test "Extended Master Secret: default" \
2610 "$P_SRV debug_level=3" \
2611 "$P_CLI debug_level=3" \
2612 0 \
2613 -c "client hello, adding extended_master_secret extension" \
2614 -s "found extended master secret extension" \
2615 -s "server hello, adding extended master secret extension" \
2616 -c "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2617 -c "session hash for extended master secret" \
2618 -s "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2619
2620run_test "Extended Master Secret: client enabled, server disabled" \
2621 "$P_SRV debug_level=3 extended_ms=0" \
2622 "$P_CLI debug_level=3 extended_ms=1" \
2623 0 \
2624 -c "client hello, adding extended_master_secret extension" \
2625 -s "found extended master secret extension" \
2626 -S "server hello, adding extended master secret extension" \
2627 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2628 -C "session hash for extended master secret" \
2629 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2630
2631run_test "Extended Master Secret: client disabled, server enabled" \
2632 "$P_SRV debug_level=3 extended_ms=1" \
2633 "$P_CLI debug_level=3 extended_ms=0" \
2634 0 \
2635 -C "client hello, adding extended_master_secret extension" \
2636 -S "found extended master secret extension" \
2637 -S "server hello, adding extended master secret extension" \
2638 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2639 -C "session hash for extended master secret" \
2640 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2641
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2642requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2643run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2644 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2645 "$P_CLI debug_level=3 force_version=ssl3" \
2646 0 \
2647 -C "client hello, adding extended_master_secret extension" \
2648 -S "found extended master secret extension" \
2649 -S "server hello, adding extended master secret extension" \
2650 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2651 -C "session hash for extended master secret" \
2652 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2653
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2654requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2655run_test "Extended Master Secret: client enabled, server SSLv3" \
2656 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2657 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2658 0 \
2659 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2660 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2661 -S "server hello, adding extended master secret extension" \
2662 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2663 -C "session hash for extended master secret" \
2664 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2665
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2666# Tests for FALLBACK_SCSV
2667
2668run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2669 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2670 "$P_CLI debug_level=3 force_version=tls1_1" \
2671 0 \
2672 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2673 -S "received FALLBACK_SCSV" \
2674 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2675 -C "is a fatal alert message (msg 86)"
2676
2677run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2678 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2679 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2680 0 \
2681 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2682 -S "received FALLBACK_SCSV" \
2683 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2684 -C "is a fatal alert message (msg 86)"
2685
2686run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2687 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2688 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2689 1 \
2690 -c "adding FALLBACK_SCSV" \
2691 -s "received FALLBACK_SCSV" \
2692 -s "inapropriate fallback" \
2693 -c "is a fatal alert message (msg 86)"
2694
2695run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2696 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2697 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2698 0 \
2699 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2700 -s "received FALLBACK_SCSV" \
2701 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2702 -C "is a fatal alert message (msg 86)"
2703
2704requires_openssl_with_fallback_scsv
2705run_test "Fallback SCSV: default, openssl server" \
2706 "$O_SRV" \
2707 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2708 0 \
2709 -C "adding FALLBACK_SCSV" \
2710 -C "is a fatal alert message (msg 86)"
2711
2712requires_openssl_with_fallback_scsv
2713run_test "Fallback SCSV: enabled, openssl server" \
2714 "$O_SRV" \
2715 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
2716 1 \
2717 -c "adding FALLBACK_SCSV" \
2718 -c "is a fatal alert message (msg 86)"
2719
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2720requires_openssl_with_fallback_scsv
2721run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2722 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2723 "$O_CLI -tls1_1" \
2724 0 \
2725 -S "received FALLBACK_SCSV" \
2726 -S "inapropriate fallback"
2727
2728requires_openssl_with_fallback_scsv
2729run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2730 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2731 "$O_CLI -tls1_1 -fallback_scsv" \
2732 1 \
2733 -s "received FALLBACK_SCSV" \
2734 -s "inapropriate fallback"
2735
2736requires_openssl_with_fallback_scsv
2737run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2738 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2739 "$O_CLI -fallback_scsv" \
2740 0 \
2741 -s "received FALLBACK_SCSV" \
2742 -S "inapropriate fallback"
2743
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2744# Test sending and receiving empty application data records
2745
2746run_test "Encrypt then MAC: empty application data record" \
2747 "$P_SRV auth_mode=none debug_level=4 etm=1" \
2748 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
2749 0 \
2750 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2751 -s "dumping 'input payload after decrypt' (0 bytes)" \
2752 -c "0 bytes written in 1 fragments"
2753
Manuel Pégourié-Gonnard9e2c80f2020-03-24 10:53:39 +0100[diff] [blame]2754run_test "Encrypt then MAC: disabled, empty application data record" \
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2755 "$P_SRV auth_mode=none debug_level=4 etm=0" \
2756 "$P_CLI auth_mode=none etm=0 request_size=0" \
2757 0 \
2758 -s "dumping 'input payload after decrypt' (0 bytes)" \
2759 -c "0 bytes written in 1 fragments"
2760
2761run_test "Encrypt then MAC, DTLS: empty application data record" \
2762 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
2763 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
2764 0 \
2765 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2766 -s "dumping 'input payload after decrypt' (0 bytes)" \
2767 -c "0 bytes written in 1 fragments"
2768
Manuel Pégourié-Gonnard9e2c80f2020-03-24 10:53:39 +0100[diff] [blame]2769run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2770 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
2771 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
2772 0 \
2773 -s "dumping 'input payload after decrypt' (0 bytes)" \
2774 -c "0 bytes written in 1 fragments"
2775
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2776## ClientHello generated with
2777## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
2778## then manually twiddling the ciphersuite list.
2779## The ClientHello content is spelled out below as a hex string as
2780## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
2781## The expected response is an inappropriate_fallback alert.
2782requires_openssl_with_fallback_scsv
2783run_test "Fallback SCSV: beginning of list" \
2784 "$P_SRV debug_level=2" \
2785 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
2786 0 \
2787 -s "received FALLBACK_SCSV" \
2788 -s "inapropriate fallback"
2789
2790requires_openssl_with_fallback_scsv
2791run_test "Fallback SCSV: end of list" \
2792 "$P_SRV debug_level=2" \
2793 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
2794 0 \
2795 -s "received FALLBACK_SCSV" \
2796 -s "inapropriate fallback"
2797
2798## Here the expected response is a valid ServerHello prefix, up to the random.
2799requires_openssl_with_fallback_scsv
2800run_test "Fallback SCSV: not in list" \
2801 "$P_SRV debug_level=2" \
2802 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
2803 0 \
2804 -S "received FALLBACK_SCSV" \
2805 -S "inapropriate fallback"
2806
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2807# Tests for CBC 1/n-1 record splitting
2808
2809run_test "CBC Record splitting: TLS 1.2, no splitting" \
2810 "$P_SRV" \
2811 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2812 request_size=123 force_version=tls1_2" \
2813 0 \
2814 -s "Read from client: 123 bytes read" \
2815 -S "Read from client: 1 bytes read" \
2816 -S "122 bytes read"
2817
2818run_test "CBC Record splitting: TLS 1.1, no splitting" \
2819 "$P_SRV" \
2820 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2821 request_size=123 force_version=tls1_1" \
2822 0 \
2823 -s "Read from client: 123 bytes read" \
2824 -S "Read from client: 1 bytes read" \
2825 -S "122 bytes read"
2826
2827run_test "CBC Record splitting: TLS 1.0, splitting" \
2828 "$P_SRV" \
2829 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2830 request_size=123 force_version=tls1" \
2831 0 \
2832 -S "Read from client: 123 bytes read" \
2833 -s "Read from client: 1 bytes read" \
2834 -s "122 bytes read"
2835
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2836requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2837run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2838 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2839 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2840 request_size=123 force_version=ssl3" \
2841 0 \
2842 -S "Read from client: 123 bytes read" \
2843 -s "Read from client: 1 bytes read" \
2844 -s "122 bytes read"
2845
2846run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2847 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2848 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2849 request_size=123 force_version=tls1" \
2850 0 \
2851 -s "Read from client: 123 bytes read" \
2852 -S "Read from client: 1 bytes read" \
2853 -S "122 bytes read"
2854
2855run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
2856 "$P_SRV" \
2857 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2858 request_size=123 force_version=tls1 recsplit=0" \
2859 0 \
2860 -s "Read from client: 123 bytes read" \
2861 -S "Read from client: 1 bytes read" \
2862 -S "122 bytes read"
2863
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]2864run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
2865 "$P_SRV nbio=2" \
2866 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2867 request_size=123 force_version=tls1" \
2868 0 \
2869 -S "Read from client: 123 bytes read" \
2870 -s "Read from client: 1 bytes read" \
2871 -s "122 bytes read"
2872
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2873# Tests for Session Tickets
2874
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2875run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2876 "$P_SRV debug_level=3 tickets=1" \
2877 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2878 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2879 -c "client hello, adding session ticket extension" \
2880 -s "found session ticket extension" \
2881 -s "server hello, adding session ticket extension" \
2882 -c "found session_ticket extension" \
2883 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2884 -S "session successfully restored from cache" \
2885 -s "session successfully restored from ticket" \
2886 -s "a session has been resumed" \
2887 -c "a session has been resumed"
2888
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2889run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2890 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2891 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2892 0 \
2893 -c "client hello, adding session ticket extension" \
2894 -s "found session ticket extension" \
2895 -s "server hello, adding session ticket extension" \
2896 -c "found session_ticket extension" \
2897 -c "parse new session ticket" \
2898 -S "session successfully restored from cache" \
2899 -s "session successfully restored from ticket" \
2900 -s "a session has been resumed" \
2901 -c "a session has been resumed"
2902
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2903run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2904 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
2905 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2906 0 \
2907 -c "client hello, adding session ticket extension" \
2908 -s "found session ticket extension" \
2909 -s "server hello, adding session ticket extension" \
2910 -c "found session_ticket extension" \
2911 -c "parse new session ticket" \
2912 -S "session successfully restored from cache" \
2913 -S "session successfully restored from ticket" \
2914 -S "a session has been resumed" \
2915 -C "a session has been resumed"
2916
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]2917run_test "Session resume using tickets: session copy" \
2918 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2919 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
2920 0 \
2921 -c "client hello, adding session ticket extension" \
2922 -s "found session ticket extension" \
2923 -s "server hello, adding session ticket extension" \
2924 -c "found session_ticket extension" \
2925 -c "parse new session ticket" \
2926 -S "session successfully restored from cache" \
2927 -s "session successfully restored from ticket" \
2928 -s "a session has been resumed" \
2929 -c "a session has been resumed"
2930
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2931run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2932 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2933 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2934 0 \
2935 -c "client hello, adding session ticket extension" \
2936 -c "found session_ticket extension" \
2937 -c "parse new session ticket" \
2938 -c "a session has been resumed"
2939
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2940run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2941 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2942 "( $O_CLI -sess_out $SESSION; \
2943 $O_CLI -sess_in $SESSION; \
2944 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2945 0 \
2946 -s "found session ticket extension" \
2947 -s "server hello, adding session ticket extension" \
2948 -S "session successfully restored from cache" \
2949 -s "session successfully restored from ticket" \
2950 -s "a session has been resumed"
2951
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2952# Tests for Session Tickets with DTLS
2953
2954run_test "Session resume using tickets, DTLS: basic" \
2955 "$P_SRV debug_level=3 dtls=1 tickets=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]2956 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2957 0 \
2958 -c "client hello, adding session ticket extension" \
2959 -s "found session ticket extension" \
2960 -s "server hello, adding session ticket extension" \
2961 -c "found session_ticket extension" \
2962 -c "parse new session ticket" \
2963 -S "session successfully restored from cache" \
2964 -s "session successfully restored from ticket" \
2965 -s "a session has been resumed" \
2966 -c "a session has been resumed"
2967
2968run_test "Session resume using tickets, DTLS: cache disabled" \
2969 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]2970 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2971 0 \
2972 -c "client hello, adding session ticket extension" \
2973 -s "found session ticket extension" \
2974 -s "server hello, adding session ticket extension" \
2975 -c "found session_ticket extension" \
2976 -c "parse new session ticket" \
2977 -S "session successfully restored from cache" \
2978 -s "session successfully restored from ticket" \
2979 -s "a session has been resumed" \
2980 -c "a session has been resumed"
2981
2982run_test "Session resume using tickets, DTLS: timeout" \
2983 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]2984 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2985 0 \
2986 -c "client hello, adding session ticket extension" \
2987 -s "found session ticket extension" \
2988 -s "server hello, adding session ticket extension" \
2989 -c "found session_ticket extension" \
2990 -c "parse new session ticket" \
2991 -S "session successfully restored from cache" \
2992 -S "session successfully restored from ticket" \
2993 -S "a session has been resumed" \
2994 -C "a session has been resumed"
2995
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]2996run_test "Session resume using tickets, DTLS: session copy" \
2997 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]2998 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_mode=0" \
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]2999 0 \
3000 -c "client hello, adding session ticket extension" \
3001 -s "found session ticket extension" \
3002 -s "server hello, adding session ticket extension" \
3003 -c "found session_ticket extension" \
3004 -c "parse new session ticket" \
3005 -S "session successfully restored from cache" \
3006 -s "session successfully restored from ticket" \
3007 -s "a session has been resumed" \
3008 -c "a session has been resumed"
3009
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3010run_test "Session resume using tickets, DTLS: openssl server" \
3011 "$O_SRV -dtls1" \
3012 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
3013 0 \
3014 -c "client hello, adding session ticket extension" \
3015 -c "found session_ticket extension" \
3016 -c "parse new session ticket" \
3017 -c "a session has been resumed"
3018
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3019# For reasons that aren't fully understood, this test randomly fails with high
Paul Elliott7ca2f392021-10-13 16:13:44 +0100[diff] [blame]3020# probability with OpenSSL 1.0.2g on the CI, see #5012.
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3021requires_openssl_next
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3022run_test "Session resume using tickets, DTLS: openssl client" \
3023 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3024 "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \
3025 $O_NEXT_CLI -dtls1 -sess_in $SESSION; \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3026 rm -f $SESSION )" \
3027 0 \
3028 -s "found session ticket extension" \
3029 -s "server hello, adding session ticket extension" \
3030 -S "session successfully restored from cache" \
3031 -s "session successfully restored from ticket" \
3032 -s "a session has been resumed"
3033
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3034# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3035
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3036run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3037 "$P_SRV debug_level=3 tickets=0" \
3038 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3039 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3040 -c "client hello, adding session ticket extension" \
3041 -s "found session ticket extension" \
3042 -S "server hello, adding session ticket extension" \
3043 -C "found session_ticket extension" \
3044 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3045 -s "session successfully restored from cache" \
3046 -S "session successfully restored from ticket" \
3047 -s "a session has been resumed" \
3048 -c "a session has been resumed"
3049
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3050run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3051 "$P_SRV debug_level=3 tickets=1" \
3052 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3053 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3054 -C "client hello, adding session ticket extension" \
3055 -S "found session ticket extension" \
3056 -S "server hello, adding session ticket extension" \
3057 -C "found session_ticket extension" \
3058 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3059 -s "session successfully restored from cache" \
3060 -S "session successfully restored from ticket" \
3061 -s "a session has been resumed" \
3062 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3063
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3064run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3065 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
3066 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]3067 0 \
3068 -S "session successfully restored from cache" \
3069 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3070 -S "a session has been resumed" \
3071 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]3072
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3073run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3074 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
3075 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3076 0 \
3077 -s "session successfully restored from cache" \
3078 -S "session successfully restored from ticket" \
3079 -s "a session has been resumed" \
3080 -c "a session has been resumed"
3081
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]3082run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3083 "$P_SRV debug_level=3 tickets=0" \
3084 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3085 0 \
3086 -s "session successfully restored from cache" \
3087 -S "session successfully restored from ticket" \
3088 -s "a session has been resumed" \
3089 -c "a session has been resumed"
3090
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3091run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3092 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
3093 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3094 0 \
3095 -S "session successfully restored from cache" \
3096 -S "session successfully restored from ticket" \
3097 -S "a session has been resumed" \
3098 -C "a session has been resumed"
3099
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3100run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3101 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
3102 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]3103 0 \
3104 -s "session successfully restored from cache" \
3105 -S "session successfully restored from ticket" \
3106 -s "a session has been resumed" \
3107 -c "a session has been resumed"
3108
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]3109run_test "Session resume using cache: session copy" \
3110 "$P_SRV debug_level=3 tickets=0" \
3111 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
3112 0 \
3113 -s "session successfully restored from cache" \
3114 -S "session successfully restored from ticket" \
3115 -s "a session has been resumed" \
3116 -c "a session has been resumed"
3117
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3118run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3119 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]3120 "( $O_CLI -sess_out $SESSION; \
3121 $O_CLI -sess_in $SESSION; \
3122 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]3123 0 \
3124 -s "found session ticket extension" \
3125 -S "server hello, adding session ticket extension" \
3126 -s "session successfully restored from cache" \
3127 -S "session successfully restored from ticket" \
3128 -s "a session has been resumed"
3129
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3130run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]3131 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3132 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]3133 0 \
3134 -C "found session_ticket extension" \
3135 -C "parse new session ticket" \
3136 -c "a session has been resumed"
3137
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3138# Tests for Session Resume based on session-ID and cache, DTLS
3139
3140run_test "Session resume using cache, DTLS: tickets enabled on client" \
3141 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3142 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3143 0 \
3144 -c "client hello, adding session ticket extension" \
3145 -s "found session ticket extension" \
3146 -S "server hello, adding session ticket extension" \
3147 -C "found session_ticket extension" \
3148 -C "parse new session ticket" \
3149 -s "session successfully restored from cache" \
3150 -S "session successfully restored from ticket" \
3151 -s "a session has been resumed" \
3152 -c "a session has been resumed"
3153
3154run_test "Session resume using cache, DTLS: tickets enabled on server" \
3155 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3156 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3157 0 \
3158 -C "client hello, adding session ticket extension" \
3159 -S "found session ticket extension" \
3160 -S "server hello, adding session ticket extension" \
3161 -C "found session_ticket extension" \
3162 -C "parse new session ticket" \
3163 -s "session successfully restored from cache" \
3164 -S "session successfully restored from ticket" \
3165 -s "a session has been resumed" \
3166 -c "a session has been resumed"
3167
3168run_test "Session resume using cache, DTLS: cache_max=0" \
3169 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3170 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3171 0 \
3172 -S "session successfully restored from cache" \
3173 -S "session successfully restored from ticket" \
3174 -S "a session has been resumed" \
3175 -C "a session has been resumed"
3176
3177run_test "Session resume using cache, DTLS: cache_max=1" \
3178 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3179 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3180 0 \
3181 -s "session successfully restored from cache" \
3182 -S "session successfully restored from ticket" \
3183 -s "a session has been resumed" \
3184 -c "a session has been resumed"
3185
3186run_test "Session resume using cache, DTLS: timeout > delay" \
3187 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3188 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3189 0 \
3190 -s "session successfully restored from cache" \
3191 -S "session successfully restored from ticket" \
3192 -s "a session has been resumed" \
3193 -c "a session has been resumed"
3194
3195run_test "Session resume using cache, DTLS: timeout < delay" \
3196 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3197 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3198 0 \
3199 -S "session successfully restored from cache" \
3200 -S "session successfully restored from ticket" \
3201 -S "a session has been resumed" \
3202 -C "a session has been resumed"
3203
3204run_test "Session resume using cache, DTLS: no timeout" \
3205 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3206 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3207 0 \
3208 -s "session successfully restored from cache" \
3209 -S "session successfully restored from ticket" \
3210 -s "a session has been resumed" \
3211 -c "a session has been resumed"
3212
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]3213run_test "Session resume using cache, DTLS: session copy" \
3214 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3215 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_mode=0" \
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]3216 0 \
3217 -s "session successfully restored from cache" \
3218 -S "session successfully restored from ticket" \
3219 -s "a session has been resumed" \
3220 -c "a session has been resumed"
3221
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3222# For reasons that aren't fully understood, this test randomly fails with high
Paul Elliott7ca2f392021-10-13 16:13:44 +0100[diff] [blame]3223# probability with OpenSSL 1.0.2g on the CI, see #5012.
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3224requires_openssl_next
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3225run_test "Session resume using cache, DTLS: openssl client" \
3226 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3227 "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \
3228 $O_NEXT_CLI -dtls1 -sess_in $SESSION; \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3229 rm -f $SESSION )" \
3230 0 \
3231 -s "found session ticket extension" \
3232 -S "server hello, adding session ticket extension" \
3233 -s "session successfully restored from cache" \
3234 -S "session successfully restored from ticket" \
3235 -s "a session has been resumed"
3236
3237run_test "Session resume using cache, DTLS: openssl server" \
3238 "$O_SRV -dtls1" \
3239 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
3240 0 \
3241 -C "found session_ticket extension" \
3242 -C "parse new session ticket" \
3243 -c "a session has been resumed"
3244
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3245# Tests for Max Fragment Length extension
3246
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3247requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3248run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3249 "$P_SRV debug_level=3" \
3250 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3251 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3252 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3253 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3254 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3255 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3256 -C "client hello, adding max_fragment_length extension" \
3257 -S "found max fragment length extension" \
3258 -S "server hello, max_fragment_length extension" \
3259 -C "found max_fragment_length extension"
3260
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3261requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3262run_test "Max fragment length: enabled, default, larger message" \
3263 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3264 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3265 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3266 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3267 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3268 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3269 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3270 -C "client hello, adding max_fragment_length extension" \
3271 -S "found max fragment length extension" \
3272 -S "server hello, max_fragment_length extension" \
3273 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3274 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3275 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3276 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3277
3278requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3279run_test "Max fragment length, DTLS: enabled, default, larger message" \
3280 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3281 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3282 1 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3283 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3284 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3285 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3286 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3287 -C "client hello, adding max_fragment_length extension" \
3288 -S "found max fragment length extension" \
3289 -S "server hello, max_fragment_length extension" \
3290 -C "found max_fragment_length extension" \
3291 -c "fragment larger than.*maximum "
3292
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3293# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
3294# (session fragment length will be 16384 regardless of mbedtls
3295# content length configuration.)
3296
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3297requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3298run_test "Max fragment length: disabled, larger message" \
3299 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3300 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3301 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3302 -C "Maximum input fragment length is 16384" \
3303 -C "Maximum output fragment length is 16384" \
3304 -S "Maximum input fragment length is 16384" \
3305 -S "Maximum output fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3306 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3307 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3308 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3309
3310requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takano18ddccc2021-06-21 19:43:33 +0100[diff] [blame]3311run_test "Max fragment length, DTLS: disabled, larger message" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3312 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3313 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3314 1 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3315 -C "Maximum input fragment length is 16384" \
3316 -C "Maximum output fragment length is 16384" \
3317 -S "Maximum input fragment length is 16384" \
3318 -S "Maximum output fragment length is 16384" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3319 -c "fragment larger than.*maximum "
3320
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3321requires_max_content_len 4096
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3322requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3323run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3324 "$P_SRV debug_level=3" \
3325 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3326 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3327 -c "Maximum input fragment length is 4096" \
3328 -c "Maximum output fragment length is 4096" \
3329 -s "Maximum input fragment length is 4096" \
3330 -s "Maximum output fragment length is 4096" \
3331 -c "client hello, adding max_fragment_length extension" \
3332 -s "found max fragment length extension" \
3333 -s "server hello, max_fragment_length extension" \
3334 -c "found max_fragment_length extension"
3335
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3336requires_max_content_len 1024
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3337requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3338run_test "Max fragment length: client 512, server 1024" \
3339 "$P_SRV debug_level=3 max_frag_len=1024" \
3340 "$P_CLI debug_level=3 max_frag_len=512" \
3341 0 \
3342 -c "Maximum input fragment length is 512" \
3343 -c "Maximum output fragment length is 512" \
3344 -s "Maximum input fragment length is 512" \
3345 -s "Maximum output fragment length is 512" \
3346 -c "client hello, adding max_fragment_length extension" \
3347 -s "found max fragment length extension" \
3348 -s "server hello, max_fragment_length extension" \
3349 -c "found max_fragment_length extension"
3350
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3351requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3352requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3353run_test "Max fragment length: client 512, server 2048" \
3354 "$P_SRV debug_level=3 max_frag_len=2048" \
3355 "$P_CLI debug_level=3 max_frag_len=512" \
3356 0 \
3357 -c "Maximum input fragment length is 512" \
3358 -c "Maximum output fragment length is 512" \
3359 -s "Maximum input fragment length is 512" \
3360 -s "Maximum output fragment length is 512" \
3361 -c "client hello, adding max_fragment_length extension" \
3362 -s "found max fragment length extension" \
3363 -s "server hello, max_fragment_length extension" \
3364 -c "found max_fragment_length extension"
3365
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3366requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3367requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3368run_test "Max fragment length: client 512, server 4096" \
3369 "$P_SRV debug_level=3 max_frag_len=4096" \
3370 "$P_CLI debug_level=3 max_frag_len=512" \
3371 0 \
3372 -c "Maximum input fragment length is 512" \
3373 -c "Maximum output fragment length is 512" \
3374 -s "Maximum input fragment length is 512" \
3375 -s "Maximum output fragment length is 512" \
3376 -c "client hello, adding max_fragment_length extension" \
3377 -s "found max fragment length extension" \
3378 -s "server hello, max_fragment_length extension" \
3379 -c "found max_fragment_length extension"
3380
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3381requires_max_content_len 1024
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3382requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3383run_test "Max fragment length: client 1024, server 512" \
3384 "$P_SRV debug_level=3 max_frag_len=512" \
3385 "$P_CLI debug_level=3 max_frag_len=1024" \
3386 0 \
3387 -c "Maximum input fragment length is 1024" \
3388 -c "Maximum output fragment length is 1024" \
3389 -s "Maximum input fragment length is 1024" \
3390 -s "Maximum output fragment length is 512" \
3391 -c "client hello, adding max_fragment_length extension" \
3392 -s "found max fragment length extension" \
3393 -s "server hello, max_fragment_length extension" \
3394 -c "found max_fragment_length extension"
3395
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3396requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3397requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3398run_test "Max fragment length: client 1024, server 2048" \
3399 "$P_SRV debug_level=3 max_frag_len=2048" \
3400 "$P_CLI debug_level=3 max_frag_len=1024" \
3401 0 \
3402 -c "Maximum input fragment length is 1024" \
3403 -c "Maximum output fragment length is 1024" \
3404 -s "Maximum input fragment length is 1024" \
3405 -s "Maximum output fragment length is 1024" \
3406 -c "client hello, adding max_fragment_length extension" \
3407 -s "found max fragment length extension" \
3408 -s "server hello, max_fragment_length extension" \
3409 -c "found max_fragment_length extension"
3410
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3411requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3412requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3413run_test "Max fragment length: client 1024, server 4096" \
3414 "$P_SRV debug_level=3 max_frag_len=4096" \
3415 "$P_CLI debug_level=3 max_frag_len=1024" \
3416 0 \
3417 -c "Maximum input fragment length is 1024" \
3418 -c "Maximum output fragment length is 1024" \
3419 -s "Maximum input fragment length is 1024" \
3420 -s "Maximum output fragment length is 1024" \
3421 -c "client hello, adding max_fragment_length extension" \
3422 -s "found max fragment length extension" \
3423 -s "server hello, max_fragment_length extension" \
3424 -c "found max_fragment_length extension"
3425
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3426requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3427requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3428run_test "Max fragment length: client 2048, server 512" \
3429 "$P_SRV debug_level=3 max_frag_len=512" \
3430 "$P_CLI debug_level=3 max_frag_len=2048" \
3431 0 \
3432 -c "Maximum input fragment length is 2048" \
3433 -c "Maximum output fragment length is 2048" \
3434 -s "Maximum input fragment length is 2048" \
3435 -s "Maximum output fragment length is 512" \
3436 -c "client hello, adding max_fragment_length extension" \
3437 -s "found max fragment length extension" \
3438 -s "server hello, max_fragment_length extension" \
3439 -c "found max_fragment_length extension"
3440
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3441requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3442requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3443run_test "Max fragment length: client 2048, server 1024" \
3444 "$P_SRV debug_level=3 max_frag_len=1024" \
3445 "$P_CLI debug_level=3 max_frag_len=2048" \
3446 0 \
3447 -c "Maximum input fragment length is 2048" \
3448 -c "Maximum output fragment length is 2048" \
3449 -s "Maximum input fragment length is 2048" \
3450 -s "Maximum output fragment length is 1024" \
3451 -c "client hello, adding max_fragment_length extension" \
3452 -s "found max fragment length extension" \
3453 -s "server hello, max_fragment_length extension" \
3454 -c "found max_fragment_length extension"
3455
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3456requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3457requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3458run_test "Max fragment length: client 2048, server 4096" \
3459 "$P_SRV debug_level=3 max_frag_len=4096" \
3460 "$P_CLI debug_level=3 max_frag_len=2048" \
3461 0 \
3462 -c "Maximum input fragment length is 2048" \
3463 -c "Maximum output fragment length is 2048" \
3464 -s "Maximum input fragment length is 2048" \
3465 -s "Maximum output fragment length is 2048" \
3466 -c "client hello, adding max_fragment_length extension" \
3467 -s "found max fragment length extension" \
3468 -s "server hello, max_fragment_length extension" \
3469 -c "found max_fragment_length extension"
3470
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3471requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3472requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3473run_test "Max fragment length: client 4096, server 512" \
3474 "$P_SRV debug_level=3 max_frag_len=512" \
3475 "$P_CLI debug_level=3 max_frag_len=4096" \
3476 0 \
3477 -c "Maximum input fragment length is 4096" \
3478 -c "Maximum output fragment length is 4096" \
3479 -s "Maximum input fragment length is 4096" \
3480 -s "Maximum output fragment length is 512" \
3481 -c "client hello, adding max_fragment_length extension" \
3482 -s "found max fragment length extension" \
3483 -s "server hello, max_fragment_length extension" \
3484 -c "found max_fragment_length extension"
3485
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3486requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3487requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3488run_test "Max fragment length: client 4096, server 1024" \
3489 "$P_SRV debug_level=3 max_frag_len=1024" \
3490 "$P_CLI debug_level=3 max_frag_len=4096" \
3491 0 \
3492 -c "Maximum input fragment length is 4096" \
3493 -c "Maximum output fragment length is 4096" \
3494 -s "Maximum input fragment length is 4096" \
3495 -s "Maximum output fragment length is 1024" \
3496 -c "client hello, adding max_fragment_length extension" \
3497 -s "found max fragment length extension" \
3498 -s "server hello, max_fragment_length extension" \
3499 -c "found max_fragment_length extension"
3500
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3501requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3502requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3503run_test "Max fragment length: client 4096, server 2048" \
3504 "$P_SRV debug_level=3 max_frag_len=2048" \
3505 "$P_CLI debug_level=3 max_frag_len=4096" \
3506 0 \
3507 -c "Maximum input fragment length is 4096" \
3508 -c "Maximum output fragment length is 4096" \
3509 -s "Maximum input fragment length is 4096" \
3510 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3511 -c "client hello, adding max_fragment_length extension" \
3512 -s "found max fragment length extension" \
3513 -s "server hello, max_fragment_length extension" \
3514 -c "found max_fragment_length extension"
3515
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3516requires_max_content_len 4096
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3517requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3518run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3519 "$P_SRV debug_level=3 max_frag_len=4096" \
3520 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3521 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3522 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3523 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3524 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3525 -s "Maximum output fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3526 -C "client hello, adding max_fragment_length extension" \
3527 -S "found max fragment length extension" \
3528 -S "server hello, max_fragment_length extension" \
3529 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3530
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3531requires_max_content_len 4096
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3532requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3533requires_gnutls
3534run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3535 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3536 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3537 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3538 -c "Maximum input fragment length is 4096" \
3539 -c "Maximum output fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3540 -c "client hello, adding max_fragment_length extension" \
3541 -c "found max_fragment_length extension"
3542
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3543requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3544requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3545run_test "Max fragment length: client, message just fits" \
3546 "$P_SRV debug_level=3" \
3547 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
3548 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3549 -c "Maximum input fragment length is 2048" \
3550 -c "Maximum output fragment length is 2048" \
3551 -s "Maximum input fragment length is 2048" \
3552 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3553 -c "client hello, adding max_fragment_length extension" \
3554 -s "found max fragment length extension" \
3555 -s "server hello, max_fragment_length extension" \
3556 -c "found max_fragment_length extension" \
3557 -c "2048 bytes written in 1 fragments" \
3558 -s "2048 bytes read"
3559
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3560requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3561requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3562run_test "Max fragment length: client, larger message" \
3563 "$P_SRV debug_level=3" \
3564 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
3565 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3566 -c "Maximum input fragment length is 2048" \
3567 -c "Maximum output fragment length is 2048" \
3568 -s "Maximum input fragment length is 2048" \
3569 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3570 -c "client hello, adding max_fragment_length extension" \
3571 -s "found max fragment length extension" \
3572 -s "server hello, max_fragment_length extension" \
3573 -c "found max_fragment_length extension" \
3574 -c "2345 bytes written in 2 fragments" \
3575 -s "2048 bytes read" \
3576 -s "297 bytes read"
3577
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3578requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3579requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]3580run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3581 "$P_SRV debug_level=3 dtls=1" \
3582 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
3583 1 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3584 -c "Maximum input fragment length is 2048" \
3585 -c "Maximum output fragment length is 2048" \
3586 -s "Maximum input fragment length is 2048" \
3587 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3588 -c "client hello, adding max_fragment_length extension" \
3589 -s "found max fragment length extension" \
3590 -s "server hello, max_fragment_length extension" \
3591 -c "found max_fragment_length extension" \
3592 -c "fragment larger than.*maximum"
3593
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3594# Tests for renegotiation
3595
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3596# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3597run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3598 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3599 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3600 0 \
3601 -C "client hello, adding renegotiation extension" \
3602 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3603 -S "found renegotiation extension" \
3604 -s "server hello, secure renegotiation extension" \
3605 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3606 -C "=> renegotiate" \
3607 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3608 -S "write hello request"
3609
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3610requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3611run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3612 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3613 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3614 0 \
3615 -c "client hello, adding renegotiation extension" \
3616 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3617 -s "found renegotiation extension" \
3618 -s "server hello, secure renegotiation extension" \
3619 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3620 -c "=> renegotiate" \
3621 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3622 -S "write hello request"
3623
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3624requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3625run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3626 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3627 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3628 0 \
3629 -c "client hello, adding renegotiation extension" \
3630 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3631 -s "found renegotiation extension" \
3632 -s "server hello, secure renegotiation extension" \
3633 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3634 -c "=> renegotiate" \
3635 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3636 -s "write hello request"
3637
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3638# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3639# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3640# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3641requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3642run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
3643 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
3644 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
3645 0 \
3646 -c "client hello, adding renegotiation extension" \
3647 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3648 -s "found renegotiation extension" \
3649 -s "server hello, secure renegotiation extension" \
3650 -c "found renegotiation extension" \
3651 -c "=> renegotiate" \
3652 -s "=> renegotiate" \
3653 -S "write hello request" \
3654 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3655
3656# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3657# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3658# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3659requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3660run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
3661 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
3662 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3663 0 \
3664 -c "client hello, adding renegotiation extension" \
3665 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3666 -s "found renegotiation extension" \
3667 -s "server hello, secure renegotiation extension" \
3668 -c "found renegotiation extension" \
3669 -c "=> renegotiate" \
3670 -s "=> renegotiate" \
3671 -s "write hello request" \
3672 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3673
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3674requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3675run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3676 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3677 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3678 0 \
3679 -c "client hello, adding renegotiation extension" \
3680 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3681 -s "found renegotiation extension" \
3682 -s "server hello, secure renegotiation extension" \
3683 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3684 -c "=> renegotiate" \
3685 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3686 -s "write hello request"
3687
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3688requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400[diff] [blame]3689requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3690requires_max_content_len 2048
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400[diff] [blame]3691run_test "Renegotiation with max fragment length: client 2048, server 512" \
3692 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \
3693 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 max_frag_len=2048 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
3694 0 \
3695 -c "Maximum input fragment length is 2048" \
3696 -c "Maximum output fragment length is 2048" \
3697 -s "Maximum input fragment length is 2048" \
3698 -s "Maximum output fragment length is 512" \
3699 -c "client hello, adding max_fragment_length extension" \
3700 -s "found max fragment length extension" \
3701 -s "server hello, max_fragment_length extension" \
3702 -c "found max_fragment_length extension" \
3703 -c "client hello, adding renegotiation extension" \
3704 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3705 -s "found renegotiation extension" \
3706 -s "server hello, secure renegotiation extension" \
3707 -c "found renegotiation extension" \
3708 -c "=> renegotiate" \
3709 -s "=> renegotiate" \
3710 -s "write hello request"
3711
3712requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3713run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3714 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3715 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3716 1 \
3717 -c "client hello, adding renegotiation extension" \
3718 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3719 -S "found renegotiation extension" \
3720 -s "server hello, secure renegotiation extension" \
3721 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3722 -c "=> renegotiate" \
3723 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3724 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]3725 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3726 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3727
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3728requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3729run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3730 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3731 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3732 0 \
3733 -C "client hello, adding renegotiation extension" \
3734 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3735 -S "found renegotiation extension" \
3736 -s "server hello, secure renegotiation extension" \
3737 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3738 -C "=> renegotiate" \
3739 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3740 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]3741 -S "SSL - An unexpected message was received from our peer" \
3742 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3743
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3744requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3745run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3746 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3747 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3748 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3749 0 \
3750 -C "client hello, adding renegotiation extension" \
3751 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3752 -S "found renegotiation extension" \
3753 -s "server hello, secure renegotiation extension" \
3754 -c "found renegotiation extension" \
3755 -C "=> renegotiate" \
3756 -S "=> renegotiate" \
3757 -s "write hello request" \
3758 -S "SSL - An unexpected message was received from our peer" \
3759 -S "failed"
3760
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3761# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3762requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3763run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3764 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3765 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3766 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3767 0 \
3768 -C "client hello, adding renegotiation extension" \
3769 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3770 -S "found renegotiation extension" \
3771 -s "server hello, secure renegotiation extension" \
3772 -c "found renegotiation extension" \
3773 -C "=> renegotiate" \
3774 -S "=> renegotiate" \
3775 -s "write hello request" \
3776 -S "SSL - An unexpected message was received from our peer" \
3777 -S "failed"
3778
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3779requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3780run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3781 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3782 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3783 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3784 0 \
3785 -C "client hello, adding renegotiation extension" \
3786 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3787 -S "found renegotiation extension" \
3788 -s "server hello, secure renegotiation extension" \
3789 -c "found renegotiation extension" \
3790 -C "=> renegotiate" \
3791 -S "=> renegotiate" \
3792 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3793 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3794
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3795requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3796run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3797 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3798 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3799 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3800 0 \
3801 -c "client hello, adding renegotiation extension" \
3802 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3803 -s "found renegotiation extension" \
3804 -s "server hello, secure renegotiation extension" \
3805 -c "found renegotiation extension" \
3806 -c "=> renegotiate" \
3807 -s "=> renegotiate" \
3808 -s "write hello request" \
3809 -S "SSL - An unexpected message was received from our peer" \
3810 -S "failed"
3811
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3812requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3813run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3814 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3815 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3816 0 \
3817 -C "client hello, adding renegotiation extension" \
3818 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3819 -S "found renegotiation extension" \
3820 -s "server hello, secure renegotiation extension" \
3821 -c "found renegotiation extension" \
3822 -S "record counter limit reached: renegotiate" \
3823 -C "=> renegotiate" \
3824 -S "=> renegotiate" \
3825 -S "write hello request" \
3826 -S "SSL - An unexpected message was received from our peer" \
3827 -S "failed"
3828
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3829# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3830requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3831run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3832 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3833 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3834 0 \
3835 -c "client hello, adding renegotiation extension" \
3836 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3837 -s "found renegotiation extension" \
3838 -s "server hello, secure renegotiation extension" \
3839 -c "found renegotiation extension" \
3840 -s "record counter limit reached: renegotiate" \
3841 -c "=> renegotiate" \
3842 -s "=> renegotiate" \
3843 -s "write hello request" \
3844 -S "SSL - An unexpected message was received from our peer" \
3845 -S "failed"
3846
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3847requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3848run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3849 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3850 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3851 0 \
3852 -c "client hello, adding renegotiation extension" \
3853 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3854 -s "found renegotiation extension" \
3855 -s "server hello, secure renegotiation extension" \
3856 -c "found renegotiation extension" \
3857 -s "record counter limit reached: renegotiate" \
3858 -c "=> renegotiate" \
3859 -s "=> renegotiate" \
3860 -s "write hello request" \
3861 -S "SSL - An unexpected message was received from our peer" \
3862 -S "failed"
3863
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3864requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3865run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3866 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3867 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
3868 0 \
3869 -C "client hello, adding renegotiation extension" \
3870 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3871 -S "found renegotiation extension" \
3872 -s "server hello, secure renegotiation extension" \
3873 -c "found renegotiation extension" \
3874 -S "record counter limit reached: renegotiate" \
3875 -C "=> renegotiate" \
3876 -S "=> renegotiate" \
3877 -S "write hello request" \
3878 -S "SSL - An unexpected message was received from our peer" \
3879 -S "failed"
3880
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3881requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3882run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3883 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3884 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3885 0 \
3886 -c "client hello, adding renegotiation extension" \
3887 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3888 -s "found renegotiation extension" \
3889 -s "server hello, secure renegotiation extension" \
3890 -c "found renegotiation extension" \
3891 -c "=> renegotiate" \
3892 -s "=> renegotiate" \
3893 -S "write hello request"
3894
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3895requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3896run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3897 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3898 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3899 0 \
3900 -c "client hello, adding renegotiation extension" \
3901 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3902 -s "found renegotiation extension" \
3903 -s "server hello, secure renegotiation extension" \
3904 -c "found renegotiation extension" \
3905 -c "=> renegotiate" \
3906 -s "=> renegotiate" \
3907 -s "write hello request"
3908
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3909requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3910run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3911 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3912 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3913 0 \
3914 -c "client hello, adding renegotiation extension" \
3915 -c "found renegotiation extension" \
3916 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3917 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3918 -C "error" \
3919 -c "HTTP/1.0 200 [Oo][Kk]"
3920
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3921requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3922requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3923run_test "Renegotiation: gnutls server strict, client-initiated" \
3924 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3925 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3926 0 \
3927 -c "client hello, adding renegotiation extension" \
3928 -c "found renegotiation extension" \
3929 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3930 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3931 -C "error" \
3932 -c "HTTP/1.0 200 [Oo][Kk]"
3933
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3934requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3935requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3936run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
3937 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3938 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
3939 1 \
3940 -c "client hello, adding renegotiation extension" \
3941 -C "found renegotiation extension" \
3942 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3943 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3944 -c "error" \
3945 -C "HTTP/1.0 200 [Oo][Kk]"
3946
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3947requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3948requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3949run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
3950 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3951 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
3952 allow_legacy=0" \
3953 1 \
3954 -c "client hello, adding renegotiation extension" \
3955 -C "found renegotiation extension" \
3956 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3957 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3958 -c "error" \
3959 -C "HTTP/1.0 200 [Oo][Kk]"
3960
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3961requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3962requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3963run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
3964 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3965 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
3966 allow_legacy=1" \
3967 0 \
3968 -c "client hello, adding renegotiation extension" \
3969 -C "found renegotiation extension" \
3970 -c "=> renegotiate" \
3971 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3972 -C "error" \
3973 -c "HTTP/1.0 200 [Oo][Kk]"
3974
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3975requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]3976run_test "Renegotiation: DTLS, client-initiated" \
3977 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
3978 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
3979 0 \
3980 -c "client hello, adding renegotiation extension" \
3981 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3982 -s "found renegotiation extension" \
3983 -s "server hello, secure renegotiation extension" \
3984 -c "found renegotiation extension" \
3985 -c "=> renegotiate" \
3986 -s "=> renegotiate" \
3987 -S "write hello request"
3988
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3989requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3990run_test "Renegotiation: DTLS, server-initiated" \
3991 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]3992 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
3993 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3994 0 \
3995 -c "client hello, adding renegotiation extension" \
3996 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3997 -s "found renegotiation extension" \
3998 -s "server hello, secure renegotiation extension" \
3999 -c "found renegotiation extension" \
4000 -c "=> renegotiate" \
4001 -s "=> renegotiate" \
4002 -s "write hello request"
4003
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4004requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]4005run_test "Renegotiation: DTLS, renego_period overflow" \
4006 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
4007 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
4008 0 \
4009 -c "client hello, adding renegotiation extension" \
4010 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
4011 -s "found renegotiation extension" \
4012 -s "server hello, secure renegotiation extension" \
4013 -s "record counter limit reached: renegotiate" \
4014 -c "=> renegotiate" \
4015 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4016 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]4017
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4018requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4019requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]4020run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
4021 "$G_SRV -u --mtu 4096" \
4022 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
4023 0 \
4024 -c "client hello, adding renegotiation extension" \
4025 -c "found renegotiation extension" \
4026 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4027 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]4028 -C "error" \
4029 -s "Extra-header:"
4030
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4031# Test for the "secure renegotation" extension only (no actual renegotiation)
4032
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4033requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4034run_test "Renego ext: gnutls server strict, client default" \
4035 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
4036 "$P_CLI debug_level=3" \
4037 0 \
4038 -c "found renegotiation extension" \
4039 -C "error" \
4040 -c "HTTP/1.0 200 [Oo][Kk]"
4041
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4042requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4043run_test "Renego ext: gnutls server unsafe, client default" \
4044 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
4045 "$P_CLI debug_level=3" \
4046 0 \
4047 -C "found renegotiation extension" \
4048 -C "error" \
4049 -c "HTTP/1.0 200 [Oo][Kk]"
4050
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4051requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4052run_test "Renego ext: gnutls server unsafe, client break legacy" \
4053 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
4054 "$P_CLI debug_level=3 allow_legacy=-1" \
4055 1 \
4056 -C "found renegotiation extension" \
4057 -c "error" \
4058 -C "HTTP/1.0 200 [Oo][Kk]"
4059
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4060requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4061run_test "Renego ext: gnutls client strict, server default" \
4062 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4063 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4064 0 \
4065 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
4066 -s "server hello, secure renegotiation extension"
4067
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4068requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4069run_test "Renego ext: gnutls client unsafe, server default" \
4070 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4071 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4072 0 \
4073 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
4074 -S "server hello, secure renegotiation extension"
4075
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4076requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4077run_test "Renego ext: gnutls client unsafe, server break legacy" \
4078 "$P_SRV debug_level=3 allow_legacy=-1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4079 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4080 1 \
4081 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
4082 -S "server hello, secure renegotiation extension"
4083
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4084# Tests for silently dropping trailing extra bytes in .der certificates
4085
4086requires_gnutls
4087run_test "DER format: no trailing bytes" \
4088 "$P_SRV crt_file=data_files/server5-der0.crt \
4089 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4090 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4091 0 \
4092 -c "Handshake was completed" \
4093
4094requires_gnutls
4095run_test "DER format: with a trailing zero byte" \
4096 "$P_SRV crt_file=data_files/server5-der1a.crt \
4097 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4098 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4099 0 \
4100 -c "Handshake was completed" \
4101
4102requires_gnutls
4103run_test "DER format: with a trailing random byte" \
4104 "$P_SRV crt_file=data_files/server5-der1b.crt \
4105 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4106 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4107 0 \
4108 -c "Handshake was completed" \
4109
4110requires_gnutls
4111run_test "DER format: with 2 trailing random bytes" \
4112 "$P_SRV crt_file=data_files/server5-der2.crt \
4113 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4114 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4115 0 \
4116 -c "Handshake was completed" \
4117
4118requires_gnutls
4119run_test "DER format: with 4 trailing random bytes" \
4120 "$P_SRV crt_file=data_files/server5-der4.crt \
4121 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4122 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4123 0 \
4124 -c "Handshake was completed" \
4125
4126requires_gnutls
4127run_test "DER format: with 8 trailing random bytes" \
4128 "$P_SRV crt_file=data_files/server5-der8.crt \
4129 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4130 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4131 0 \
4132 -c "Handshake was completed" \
4133
4134requires_gnutls
4135run_test "DER format: with 9 trailing random bytes" \
4136 "$P_SRV crt_file=data_files/server5-der9.crt \
4137 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4138 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4139 0 \
4140 -c "Handshake was completed" \
4141
Jarno Lamsaf7a7f9e2019-04-01 15:11:54 +0300[diff] [blame]4142# Tests for auth_mode, there are duplicated tests using ca callback for authentication
4143# When updating these tests, modify the matching authentication tests accordingly
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4144
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4145run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4146 "$P_SRV crt_file=data_files/server5-badsign.crt \
4147 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4148 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4149 1 \
4150 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4151 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4152 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4153 -c "X509 - Certificate verification failed"
4154
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4155run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4156 "$P_SRV crt_file=data_files/server5-badsign.crt \
4157 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4158 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4159 0 \
4160 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4161 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4162 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4163 -C "X509 - Certificate verification failed"
4164
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]4165run_test "Authentication: server goodcert, client optional, no trusted CA" \
4166 "$P_SRV" \
4167 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
4168 0 \
4169 -c "x509_verify_cert() returned" \
4170 -c "! The certificate is not correctly signed by the trusted CA" \
4171 -c "! Certificate verification flags"\
4172 -C "! mbedtls_ssl_handshake returned" \
4173 -C "X509 - Certificate verification failed" \
4174 -C "SSL - No CA Chain is set, but required to operate"
4175
4176run_test "Authentication: server goodcert, client required, no trusted CA" \
4177 "$P_SRV" \
4178 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
4179 1 \
4180 -c "x509_verify_cert() returned" \
4181 -c "! The certificate is not correctly signed by the trusted CA" \
4182 -c "! Certificate verification flags"\
4183 -c "! mbedtls_ssl_handshake returned" \
4184 -c "SSL - No CA Chain is set, but required to operate"
4185
4186# The purpose of the next two tests is to test the client's behaviour when receiving a server
4187# certificate with an unsupported elliptic curve. This should usually not happen because
4188# the client informs the server about the supported curves - it does, though, in the
4189# corner case of a static ECDH suite, because the server doesn't check the curve on that
4190# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
4191# different means to have the server ignoring the client's supported curve list.
4192
4193requires_config_enabled MBEDTLS_ECP_C
4194run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
4195 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4196 crt_file=data_files/server5.ku-ka.crt" \
4197 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
4198 1 \
4199 -c "bad certificate (EC key curve)"\
4200 -c "! Certificate verification flags"\
4201 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
4202
4203requires_config_enabled MBEDTLS_ECP_C
4204run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
4205 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4206 crt_file=data_files/server5.ku-ka.crt" \
4207 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
4208 1 \
4209 -c "bad certificate (EC key curve)"\
4210 -c "! Certificate verification flags"\
4211 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
4212
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4213run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]4214 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4215 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4216 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4217 0 \
4218 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4219 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4220 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4221 -C "X509 - Certificate verification failed"
4222
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4223run_test "Authentication: client SHA256, server required" \
4224 "$P_SRV auth_mode=required" \
4225 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4226 key_file=data_files/server6.key \
4227 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
4228 0 \
4229 -c "Supported Signature Algorithm found: 4," \
4230 -c "Supported Signature Algorithm found: 5,"
4231
4232run_test "Authentication: client SHA384, server required" \
4233 "$P_SRV auth_mode=required" \
4234 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4235 key_file=data_files/server6.key \
4236 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
4237 0 \
4238 -c "Supported Signature Algorithm found: 4," \
4239 -c "Supported Signature Algorithm found: 5,"
4240
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]4241requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4242run_test "Authentication: client has no cert, server required (SSLv3)" \
4243 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
4244 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
4245 key_file=data_files/server5.key" \
4246 1 \
4247 -S "skip write certificate request" \
4248 -C "skip parse certificate request" \
4249 -c "got a certificate request" \
4250 -c "got no certificate to send" \
4251 -S "x509_verify_cert() returned" \
4252 -s "client has no certificate" \
4253 -s "! mbedtls_ssl_handshake returned" \
4254 -c "! mbedtls_ssl_handshake returned" \
4255 -s "No client certification received from the client, but required by the authentication mode"
4256
4257run_test "Authentication: client has no cert, server required (TLS)" \
4258 "$P_SRV debug_level=3 auth_mode=required" \
4259 "$P_CLI debug_level=3 crt_file=none \
4260 key_file=data_files/server5.key" \
4261 1 \
4262 -S "skip write certificate request" \
4263 -C "skip parse certificate request" \
4264 -c "got a certificate request" \
4265 -c "= write certificate$" \
4266 -C "skip write certificate$" \
4267 -S "x509_verify_cert() returned" \
4268 -s "client has no certificate" \
4269 -s "! mbedtls_ssl_handshake returned" \
4270 -c "! mbedtls_ssl_handshake returned" \
4271 -s "No client certification received from the client, but required by the authentication mode"
4272
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4273run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4274 "$P_SRV debug_level=3 auth_mode=required" \
4275 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4276 key_file=data_files/server5.key" \
4277 1 \
4278 -S "skip write certificate request" \
4279 -C "skip parse certificate request" \
4280 -c "got a certificate request" \
4281 -C "skip write certificate" \
4282 -C "skip write certificate verify" \
4283 -S "skip parse certificate verify" \
4284 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4285 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4286 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4287 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4288 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4289 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4290# We don't check that the client receives the alert because it might
4291# detect that its write end of the connection is closed and abort
4292# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4293
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4294run_test "Authentication: client cert not trusted, server required" \
4295 "$P_SRV debug_level=3 auth_mode=required" \
4296 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4297 key_file=data_files/server5.key" \
4298 1 \
4299 -S "skip write certificate request" \
4300 -C "skip parse certificate request" \
4301 -c "got a certificate request" \
4302 -C "skip write certificate" \
4303 -C "skip write certificate verify" \
4304 -S "skip parse certificate verify" \
4305 -s "x509_verify_cert() returned" \
4306 -s "! The certificate is not correctly signed by the trusted CA" \
4307 -s "! mbedtls_ssl_handshake returned" \
4308 -c "! mbedtls_ssl_handshake returned" \
4309 -s "X509 - Certificate verification failed"
4310
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4311run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4312 "$P_SRV debug_level=3 auth_mode=optional" \
4313 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4314 key_file=data_files/server5.key" \
4315 0 \
4316 -S "skip write certificate request" \
4317 -C "skip parse certificate request" \
4318 -c "got a certificate request" \
4319 -C "skip write certificate" \
4320 -C "skip write certificate verify" \
4321 -S "skip parse certificate verify" \
4322 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4323 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4324 -S "! mbedtls_ssl_handshake returned" \
4325 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4326 -S "X509 - Certificate verification failed"
4327
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4328run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4329 "$P_SRV debug_level=3 auth_mode=none" \
4330 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4331 key_file=data_files/server5.key" \
4332 0 \
4333 -s "skip write certificate request" \
4334 -C "skip parse certificate request" \
4335 -c "got no certificate request" \
4336 -c "skip write certificate" \
4337 -c "skip write certificate verify" \
4338 -s "skip parse certificate verify" \
4339 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4340 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4341 -S "! mbedtls_ssl_handshake returned" \
4342 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4343 -S "X509 - Certificate verification failed"
4344
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4345run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4346 "$P_SRV debug_level=3 auth_mode=optional" \
4347 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4348 0 \
4349 -S "skip write certificate request" \
4350 -C "skip parse certificate request" \
4351 -c "got a certificate request" \
4352 -C "skip write certificate$" \
4353 -C "got no certificate to send" \
4354 -S "SSLv3 client has no certificate" \
4355 -c "skip write certificate verify" \
4356 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4357 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4358 -S "! mbedtls_ssl_handshake returned" \
4359 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4360 -S "X509 - Certificate verification failed"
4361
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4362run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4363 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4364 "$O_CLI" \
4365 0 \
4366 -S "skip write certificate request" \
4367 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4368 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4369 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4370 -S "X509 - Certificate verification failed"
4371
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4372run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4373 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4374 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4375 0 \
4376 -C "skip parse certificate request" \
4377 -c "got a certificate request" \
4378 -C "skip write certificate$" \
4379 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4380 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4381
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]4382run_test "Authentication: client no cert, openssl server required" \
4383 "$O_SRV -Verify 10" \
4384 "$P_CLI debug_level=3 crt_file=none key_file=none" \
4385 1 \
4386 -C "skip parse certificate request" \
4387 -c "got a certificate request" \
4388 -C "skip write certificate$" \
4389 -c "skip write certificate verify" \
4390 -c "! mbedtls_ssl_handshake returned"
4391
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4392requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4393run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4394 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]4395 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4396 0 \
4397 -S "skip write certificate request" \
4398 -C "skip parse certificate request" \
4399 -c "got a certificate request" \
4400 -C "skip write certificate$" \
4401 -c "skip write certificate verify" \
4402 -c "got no certificate to send" \
4403 -s "SSLv3 client has no certificate" \
4404 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4405 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4406 -S "! mbedtls_ssl_handshake returned" \
4407 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4408 -S "X509 - Certificate verification failed"
4409
Yuto Takanoccdd25c2021-07-02 13:05:15 +0100[diff] [blame]4410# This script assumes that MBEDTLS_X509_MAX_INTERMEDIATE_CA has its default
4411# value, defined here as MAX_IM_CA. Some test cases will be skipped if the
4412# library is configured with a different value.
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]4413
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]4414MAX_IM_CA='8'
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]4415
Yuto Takanoccdd25c2021-07-02 13:05:15 +0100[diff] [blame]4416# The tests for the max_int tests can pass with any number higher than MAX_IM_CA
4417# because only a chain of MAX_IM_CA length is tested. Equally, the max_int+1
4418# tests can pass with any number less than MAX_IM_CA. However, stricter preconditions
4419# are in place so that the semantics are consistent with the test description.
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4420requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4421requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4422run_test "Authentication: server max_int chain, client default" \
4423 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
4424 key_file=data_files/dir-maxpath/09.key" \
4425 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
4426 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4427 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4428
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4429requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4430requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4431run_test "Authentication: server max_int+1 chain, client default" \
4432 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4433 key_file=data_files/dir-maxpath/10.key" \
4434 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
4435 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4436 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4437
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4438requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4439requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4440run_test "Authentication: server max_int+1 chain, client optional" \
4441 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4442 key_file=data_files/dir-maxpath/10.key" \
4443 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4444 auth_mode=optional" \
4445 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4446 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4447
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4448requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4449requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4450run_test "Authentication: server max_int+1 chain, client none" \
4451 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4452 key_file=data_files/dir-maxpath/10.key" \
4453 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4454 auth_mode=none" \
4455 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4456 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4457
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4458requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4459requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4460run_test "Authentication: client max_int+1 chain, server default" \
4461 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
4462 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4463 key_file=data_files/dir-maxpath/10.key" \
4464 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4465 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4466
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4467requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4468requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4469run_test "Authentication: client max_int+1 chain, server optional" \
4470 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4471 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4472 key_file=data_files/dir-maxpath/10.key" \
4473 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4474 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4475
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4476requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4477requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4478run_test "Authentication: client max_int+1 chain, server required" \
4479 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4480 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4481 key_file=data_files/dir-maxpath/10.key" \
4482 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4483 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4484
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4485requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4486requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4487run_test "Authentication: client max_int chain, server required" \
4488 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4489 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4490 key_file=data_files/dir-maxpath/09.key" \
4491 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4492 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4493
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4494# Tests for CA list in CertificateRequest messages
4495
4496run_test "Authentication: send CA list in CertificateRequest (default)" \
4497 "$P_SRV debug_level=3 auth_mode=required" \
4498 "$P_CLI crt_file=data_files/server6.crt \
4499 key_file=data_files/server6.key" \
4500 0 \
4501 -s "requested DN"
4502
4503run_test "Authentication: do not send CA list in CertificateRequest" \
4504 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4505 "$P_CLI crt_file=data_files/server6.crt \
4506 key_file=data_files/server6.key" \
4507 0 \
4508 -S "requested DN"
4509
4510run_test "Authentication: send CA list in CertificateRequest, client self signed" \
4511 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4512 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4513 key_file=data_files/server5.key" \
4514 1 \
4515 -S "requested DN" \
4516 -s "x509_verify_cert() returned" \
4517 -s "! The certificate is not correctly signed by the trusted CA" \
4518 -s "! mbedtls_ssl_handshake returned" \
4519 -c "! mbedtls_ssl_handshake returned" \
4520 -s "X509 - Certificate verification failed"
4521
Jarno Lamsaf7a7f9e2019-04-01 15:11:54 +0300[diff] [blame]4522# Tests for auth_mode, using CA callback, these are duplicated from the authentication tests
4523# When updating these tests, modify the matching authentication tests accordingly
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4524
4525requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4526run_test "Authentication, CA callback: server badcert, client required" \
4527 "$P_SRV crt_file=data_files/server5-badsign.crt \
4528 key_file=data_files/server5.key" \
4529 "$P_CLI ca_callback=1 debug_level=3 auth_mode=required" \
4530 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4531 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4532 -c "x509_verify_cert() returned" \
4533 -c "! The certificate is not correctly signed by the trusted CA" \
4534 -c "! mbedtls_ssl_handshake returned" \
4535 -c "X509 - Certificate verification failed"
4536
4537requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4538run_test "Authentication, CA callback: server badcert, client optional" \
4539 "$P_SRV crt_file=data_files/server5-badsign.crt \
4540 key_file=data_files/server5.key" \
4541 "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional" \
4542 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4543 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4544 -c "x509_verify_cert() returned" \
4545 -c "! The certificate is not correctly signed by the trusted CA" \
4546 -C "! mbedtls_ssl_handshake returned" \
4547 -C "X509 - Certificate verification failed"
4548
4549# The purpose of the next two tests is to test the client's behaviour when receiving a server
4550# certificate with an unsupported elliptic curve. This should usually not happen because
4551# the client informs the server about the supported curves - it does, though, in the
4552# corner case of a static ECDH suite, because the server doesn't check the curve on that
4553# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
4554# different means to have the server ignoring the client's supported curve list.
4555
4556requires_config_enabled MBEDTLS_ECP_C
4557requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4558run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
4559 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4560 crt_file=data_files/server5.ku-ka.crt" \
4561 "$P_CLI ca_callback=1 debug_level=3 auth_mode=required curves=secp521r1" \
4562 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4563 -c "use CA callback for X.509 CRT verification" \
4564 -c "bad certificate (EC key curve)" \
4565 -c "! Certificate verification flags" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4566 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
4567
4568requires_config_enabled MBEDTLS_ECP_C
4569requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4570run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
4571 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4572 crt_file=data_files/server5.ku-ka.crt" \
4573 "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional curves=secp521r1" \
4574 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4575 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4576 -c "bad certificate (EC key curve)"\
4577 -c "! Certificate verification flags"\
4578 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
4579
4580requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4581run_test "Authentication, CA callback: client SHA256, server required" \
4582 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
4583 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4584 key_file=data_files/server6.key \
4585 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
4586 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4587 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4588 -c "Supported Signature Algorithm found: 4," \
4589 -c "Supported Signature Algorithm found: 5,"
4590
4591requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4592run_test "Authentication, CA callback: client SHA384, server required" \
4593 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
4594 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4595 key_file=data_files/server6.key \
4596 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
4597 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4598 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4599 -c "Supported Signature Algorithm found: 4," \
4600 -c "Supported Signature Algorithm found: 5,"
4601
4602requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4603run_test "Authentication, CA callback: client badcert, server required" \
4604 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
4605 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
4606 key_file=data_files/server5.key" \
4607 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4608 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4609 -S "skip write certificate request" \
4610 -C "skip parse certificate request" \
4611 -c "got a certificate request" \
4612 -C "skip write certificate" \
4613 -C "skip write certificate verify" \
4614 -S "skip parse certificate verify" \
4615 -s "x509_verify_cert() returned" \
4616 -s "! The certificate is not correctly signed by the trusted CA" \
4617 -s "! mbedtls_ssl_handshake returned" \
4618 -s "send alert level=2 message=48" \
4619 -c "! mbedtls_ssl_handshake returned" \
4620 -s "X509 - Certificate verification failed"
4621# We don't check that the client receives the alert because it might
4622# detect that its write end of the connection is closed and abort
4623# before reading the alert message.
4624
4625requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4626run_test "Authentication, CA callback: client cert not trusted, server required" \
4627 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
4628 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4629 key_file=data_files/server5.key" \
4630 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4631 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4632 -S "skip write certificate request" \
4633 -C "skip parse certificate request" \
4634 -c "got a certificate request" \
4635 -C "skip write certificate" \
4636 -C "skip write certificate verify" \
4637 -S "skip parse certificate verify" \
4638 -s "x509_verify_cert() returned" \
4639 -s "! The certificate is not correctly signed by the trusted CA" \
4640 -s "! mbedtls_ssl_handshake returned" \
4641 -c "! mbedtls_ssl_handshake returned" \
4642 -s "X509 - Certificate verification failed"
4643
4644requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4645run_test "Authentication, CA callback: client badcert, server optional" \
4646 "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
4647 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
4648 key_file=data_files/server5.key" \
4649 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4650 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4651 -S "skip write certificate request" \
4652 -C "skip parse certificate request" \
4653 -c "got a certificate request" \
4654 -C "skip write certificate" \
4655 -C "skip write certificate verify" \
4656 -S "skip parse certificate verify" \
4657 -s "x509_verify_cert() returned" \
4658 -s "! The certificate is not correctly signed by the trusted CA" \
4659 -S "! mbedtls_ssl_handshake returned" \
4660 -C "! mbedtls_ssl_handshake returned" \
4661 -S "X509 - Certificate verification failed"
4662
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4663requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4664requires_full_size_output_buffer
4665requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4666run_test "Authentication, CA callback: server max_int chain, client default" \
4667 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
4668 key_file=data_files/dir-maxpath/09.key" \
4669 "$P_CLI ca_callback=1 debug_level=3 server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
4670 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4671 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4672 -C "X509 - A fatal error occurred"
4673
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4674requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4675requires_full_size_output_buffer
4676requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4677run_test "Authentication, CA callback: server max_int+1 chain, client default" \
4678 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4679 key_file=data_files/dir-maxpath/10.key" \
4680 "$P_CLI debug_level=3 ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
4681 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4682 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4683 -c "X509 - A fatal error occurred"
4684
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4685requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4686requires_full_size_output_buffer
4687requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4688run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
4689 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4690 key_file=data_files/dir-maxpath/10.key" \
4691 "$P_CLI ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4692 debug_level=3 auth_mode=optional" \
4693 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4694 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4695 -c "X509 - A fatal error occurred"
4696
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4697requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4698requires_full_size_output_buffer
4699requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4700run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
4701 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4702 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4703 key_file=data_files/dir-maxpath/10.key" \
4704 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4705 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4706 -s "X509 - A fatal error occurred"
4707
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4708requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4709requires_full_size_output_buffer
4710requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4711run_test "Authentication, CA callback: client max_int+1 chain, server required" \
4712 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4713 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4714 key_file=data_files/dir-maxpath/10.key" \
4715 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4716 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4717 -s "X509 - A fatal error occurred"
4718
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4719requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4720requires_full_size_output_buffer
4721requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4722run_test "Authentication, CA callback: client max_int chain, server required" \
4723 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4724 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4725 key_file=data_files/dir-maxpath/09.key" \
4726 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4727 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4728 -S "X509 - A fatal error occurred"
4729
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4730# Tests for certificate selection based on SHA verson
4731
4732run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
4733 "$P_SRV crt_file=data_files/server5.crt \
4734 key_file=data_files/server5.key \
4735 crt_file2=data_files/server5-sha1.crt \
4736 key_file2=data_files/server5.key" \
4737 "$P_CLI force_version=tls1_2" \
4738 0 \
4739 -c "signed using.*ECDSA with SHA256" \
4740 -C "signed using.*ECDSA with SHA1"
4741
4742run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
4743 "$P_SRV crt_file=data_files/server5.crt \
4744 key_file=data_files/server5.key \
4745 crt_file2=data_files/server5-sha1.crt \
4746 key_file2=data_files/server5.key" \
4747 "$P_CLI force_version=tls1_1" \
4748 0 \
4749 -C "signed using.*ECDSA with SHA256" \
4750 -c "signed using.*ECDSA with SHA1"
4751
4752run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
4753 "$P_SRV crt_file=data_files/server5.crt \
4754 key_file=data_files/server5.key \
4755 crt_file2=data_files/server5-sha1.crt \
4756 key_file2=data_files/server5.key" \
4757 "$P_CLI force_version=tls1" \
4758 0 \
4759 -C "signed using.*ECDSA with SHA256" \
4760 -c "signed using.*ECDSA with SHA1"
4761
4762run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
4763 "$P_SRV crt_file=data_files/server5.crt \
4764 key_file=data_files/server5.key \
4765 crt_file2=data_files/server6.crt \
4766 key_file2=data_files/server6.key" \
4767 "$P_CLI force_version=tls1_1" \
4768 0 \
4769 -c "serial number.*09" \
4770 -c "signed using.*ECDSA with SHA256" \
4771 -C "signed using.*ECDSA with SHA1"
4772
4773run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
4774 "$P_SRV crt_file=data_files/server6.crt \
4775 key_file=data_files/server6.key \
4776 crt_file2=data_files/server5.crt \
4777 key_file2=data_files/server5.key" \
4778 "$P_CLI force_version=tls1_1" \
4779 0 \
4780 -c "serial number.*0A" \
4781 -c "signed using.*ECDSA with SHA256" \
4782 -C "signed using.*ECDSA with SHA1"
4783
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4784# tests for SNI
4785
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4786run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4787 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4788 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4789 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4790 0 \
4791 -S "parse ServerName extension" \
4792 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4793 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4794
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4795run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4796 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4797 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4798 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4799 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4800 0 \
4801 -s "parse ServerName extension" \
4802 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4803 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4804
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4805run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4806 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4807 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4808 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4809 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4810 0 \
4811 -s "parse ServerName extension" \
4812 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4813 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4814
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4815run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4816 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4817 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4818 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4819 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4820 1 \
4821 -s "parse ServerName extension" \
4822 -s "ssl_sni_wrapper() returned" \
4823 -s "mbedtls_ssl_handshake returned" \
4824 -c "mbedtls_ssl_handshake returned" \
4825 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4826
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4827run_test "SNI: client auth no override: optional" \
4828 "$P_SRV debug_level=3 auth_mode=optional \
4829 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4830 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4831 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4832 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4833 -S "skip write certificate request" \
4834 -C "skip parse certificate request" \
4835 -c "got a certificate request" \
4836 -C "skip write certificate" \
4837 -C "skip write certificate verify" \
4838 -S "skip parse certificate verify"
4839
4840run_test "SNI: client auth override: none -> optional" \
4841 "$P_SRV debug_level=3 auth_mode=none \
4842 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4843 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4844 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4845 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4846 -S "skip write certificate request" \
4847 -C "skip parse certificate request" \
4848 -c "got a certificate request" \
4849 -C "skip write certificate" \
4850 -C "skip write certificate verify" \
4851 -S "skip parse certificate verify"
4852
4853run_test "SNI: client auth override: optional -> none" \
4854 "$P_SRV debug_level=3 auth_mode=optional \
4855 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4856 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4857 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4858 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4859 -s "skip write certificate request" \
4860 -C "skip parse certificate request" \
4861 -c "got no certificate request" \
4862 -c "skip write certificate" \
4863 -c "skip write certificate verify" \
4864 -s "skip parse certificate verify"
4865
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4866run_test "SNI: CA no override" \
4867 "$P_SRV debug_level=3 auth_mode=optional \
4868 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4869 ca_file=data_files/test-ca.crt \
4870 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4871 "$P_CLI debug_level=3 server_name=localhost \
4872 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4873 1 \
4874 -S "skip write certificate request" \
4875 -C "skip parse certificate request" \
4876 -c "got a certificate request" \
4877 -C "skip write certificate" \
4878 -C "skip write certificate verify" \
4879 -S "skip parse certificate verify" \
4880 -s "x509_verify_cert() returned" \
4881 -s "! The certificate is not correctly signed by the trusted CA" \
4882 -S "The certificate has been revoked (is on a CRL)"
4883
4884run_test "SNI: CA override" \
4885 "$P_SRV debug_level=3 auth_mode=optional \
4886 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4887 ca_file=data_files/test-ca.crt \
4888 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4889 "$P_CLI debug_level=3 server_name=localhost \
4890 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4891 0 \
4892 -S "skip write certificate request" \
4893 -C "skip parse certificate request" \
4894 -c "got a certificate request" \
4895 -C "skip write certificate" \
4896 -C "skip write certificate verify" \
4897 -S "skip parse certificate verify" \
4898 -S "x509_verify_cert() returned" \
4899 -S "! The certificate is not correctly signed by the trusted CA" \
4900 -S "The certificate has been revoked (is on a CRL)"
4901
4902run_test "SNI: CA override with CRL" \
4903 "$P_SRV debug_level=3 auth_mode=optional \
4904 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4905 ca_file=data_files/test-ca.crt \
4906 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4907 "$P_CLI debug_level=3 server_name=localhost \
4908 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4909 1 \
4910 -S "skip write certificate request" \
4911 -C "skip parse certificate request" \
4912 -c "got a certificate request" \
4913 -C "skip write certificate" \
4914 -C "skip write certificate verify" \
4915 -S "skip parse certificate verify" \
4916 -s "x509_verify_cert() returned" \
4917 -S "! The certificate is not correctly signed by the trusted CA" \
4918 -s "The certificate has been revoked (is on a CRL)"
4919
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4920# Tests for SNI and DTLS
4921
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4922run_test "SNI: DTLS, no SNI callback" \
4923 "$P_SRV debug_level=3 dtls=1 \
4924 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
4925 "$P_CLI server_name=localhost dtls=1" \
4926 0 \
4927 -S "parse ServerName extension" \
4928 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4929 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4930
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4931run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4932 "$P_SRV debug_level=3 dtls=1 \
4933 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4934 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4935 "$P_CLI server_name=localhost dtls=1" \
4936 0 \
4937 -s "parse ServerName extension" \
4938 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4939 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4940
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4941run_test "SNI: DTLS, matching cert 2" \
4942 "$P_SRV debug_level=3 dtls=1 \
4943 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4944 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4945 "$P_CLI server_name=polarssl.example dtls=1" \
4946 0 \
4947 -s "parse ServerName extension" \
4948 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4949 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4950
4951run_test "SNI: DTLS, no matching cert" \
4952 "$P_SRV debug_level=3 dtls=1 \
4953 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4954 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4955 "$P_CLI server_name=nonesuch.example dtls=1" \
4956 1 \
4957 -s "parse ServerName extension" \
4958 -s "ssl_sni_wrapper() returned" \
4959 -s "mbedtls_ssl_handshake returned" \
4960 -c "mbedtls_ssl_handshake returned" \
4961 -c "SSL - A fatal alert message was received from our peer"
4962
4963run_test "SNI: DTLS, client auth no override: optional" \
4964 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4965 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4966 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4967 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4968 0 \
4969 -S "skip write certificate request" \
4970 -C "skip parse certificate request" \
4971 -c "got a certificate request" \
4972 -C "skip write certificate" \
4973 -C "skip write certificate verify" \
4974 -S "skip parse certificate verify"
4975
4976run_test "SNI: DTLS, client auth override: none -> optional" \
4977 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
4978 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4979 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4980 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4981 0 \
4982 -S "skip write certificate request" \
4983 -C "skip parse certificate request" \
4984 -c "got a certificate request" \
4985 -C "skip write certificate" \
4986 -C "skip write certificate verify" \
4987 -S "skip parse certificate verify"
4988
4989run_test "SNI: DTLS, client auth override: optional -> none" \
4990 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4991 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4992 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4993 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4994 0 \
4995 -s "skip write certificate request" \
4996 -C "skip parse certificate request" \
4997 -c "got no certificate request" \
4998 -c "skip write certificate" \
4999 -c "skip write certificate verify" \
5000 -s "skip parse certificate verify"
5001
5002run_test "SNI: DTLS, CA no override" \
5003 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
5004 crt_file=data_files/server5.crt key_file=data_files/server5.key \
5005 ca_file=data_files/test-ca.crt \
5006 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
5007 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
5008 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
5009 1 \
5010 -S "skip write certificate request" \
5011 -C "skip parse certificate request" \
5012 -c "got a certificate request" \
5013 -C "skip write certificate" \
5014 -C "skip write certificate verify" \
5015 -S "skip parse certificate verify" \
5016 -s "x509_verify_cert() returned" \
5017 -s "! The certificate is not correctly signed by the trusted CA" \
5018 -S "The certificate has been revoked (is on a CRL)"
5019
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]5020run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]5021 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
5022 crt_file=data_files/server5.crt key_file=data_files/server5.key \
5023 ca_file=data_files/test-ca.crt \
5024 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
5025 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
5026 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
5027 0 \
5028 -S "skip write certificate request" \
5029 -C "skip parse certificate request" \
5030 -c "got a certificate request" \
5031 -C "skip write certificate" \
5032 -C "skip write certificate verify" \
5033 -S "skip parse certificate verify" \
5034 -S "x509_verify_cert() returned" \
5035 -S "! The certificate is not correctly signed by the trusted CA" \
5036 -S "The certificate has been revoked (is on a CRL)"
5037
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]5038run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]5039 "$P_SRV debug_level=3 auth_mode=optional \
5040 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
5041 ca_file=data_files/test-ca.crt \
5042 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
5043 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
5044 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
5045 1 \
5046 -S "skip write certificate request" \
5047 -C "skip parse certificate request" \
5048 -c "got a certificate request" \
5049 -C "skip write certificate" \
5050 -C "skip write certificate verify" \
5051 -S "skip parse certificate verify" \
5052 -s "x509_verify_cert() returned" \
5053 -S "! The certificate is not correctly signed by the trusted CA" \
5054 -s "The certificate has been revoked (is on a CRL)"
5055
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5056# Tests for non-blocking I/O: exercise a variety of handshake flows
5057
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5058run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5059 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
5060 "$P_CLI nbio=2 tickets=0" \
5061 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5062 -S "mbedtls_ssl_handshake returned" \
5063 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5064 -c "Read from server: .* bytes read"
5065
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5066run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5067 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
5068 "$P_CLI nbio=2 tickets=0" \
5069 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5070 -S "mbedtls_ssl_handshake returned" \
5071 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5072 -c "Read from server: .* bytes read"
5073
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5074run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5075 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
5076 "$P_CLI nbio=2 tickets=1" \
5077 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5078 -S "mbedtls_ssl_handshake returned" \
5079 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5080 -c "Read from server: .* bytes read"
5081
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5082run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5083 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
5084 "$P_CLI nbio=2 tickets=1" \
5085 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5086 -S "mbedtls_ssl_handshake returned" \
5087 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5088 -c "Read from server: .* bytes read"
5089
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5090run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5091 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
5092 "$P_CLI nbio=2 tickets=1 reconnect=1" \
5093 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5094 -S "mbedtls_ssl_handshake returned" \
5095 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5096 -c "Read from server: .* bytes read"
5097
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5098run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5099 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
5100 "$P_CLI nbio=2 tickets=1 reconnect=1" \
5101 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5102 -S "mbedtls_ssl_handshake returned" \
5103 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5104 -c "Read from server: .* bytes read"
5105
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5106run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5107 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
5108 "$P_CLI nbio=2 tickets=0 reconnect=1" \
5109 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5110 -S "mbedtls_ssl_handshake returned" \
5111 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5112 -c "Read from server: .* bytes read"
5113
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]5114# Tests for event-driven I/O: exercise a variety of handshake flows
5115
5116run_test "Event-driven I/O: basic handshake" \
5117 "$P_SRV event=1 tickets=0 auth_mode=none" \
5118 "$P_CLI event=1 tickets=0" \
5119 0 \
5120 -S "mbedtls_ssl_handshake returned" \
5121 -C "mbedtls_ssl_handshake returned" \
5122 -c "Read from server: .* bytes read"
5123
5124run_test "Event-driven I/O: client auth" \
5125 "$P_SRV event=1 tickets=0 auth_mode=required" \
5126 "$P_CLI event=1 tickets=0" \
5127 0 \
5128 -S "mbedtls_ssl_handshake returned" \
5129 -C "mbedtls_ssl_handshake returned" \
5130 -c "Read from server: .* bytes read"
5131
5132run_test "Event-driven I/O: ticket" \
5133 "$P_SRV event=1 tickets=1 auth_mode=none" \
5134 "$P_CLI event=1 tickets=1" \
5135 0 \
5136 -S "mbedtls_ssl_handshake returned" \
5137 -C "mbedtls_ssl_handshake returned" \
5138 -c "Read from server: .* bytes read"
5139
5140run_test "Event-driven I/O: ticket + client auth" \
5141 "$P_SRV event=1 tickets=1 auth_mode=required" \
5142 "$P_CLI event=1 tickets=1" \
5143 0 \
5144 -S "mbedtls_ssl_handshake returned" \
5145 -C "mbedtls_ssl_handshake returned" \
5146 -c "Read from server: .* bytes read"
5147
5148run_test "Event-driven I/O: ticket + client auth + resume" \
5149 "$P_SRV event=1 tickets=1 auth_mode=required" \
5150 "$P_CLI event=1 tickets=1 reconnect=1" \
5151 0 \
5152 -S "mbedtls_ssl_handshake returned" \
5153 -C "mbedtls_ssl_handshake returned" \
5154 -c "Read from server: .* bytes read"
5155
5156run_test "Event-driven I/O: ticket + resume" \
5157 "$P_SRV event=1 tickets=1 auth_mode=none" \
5158 "$P_CLI event=1 tickets=1 reconnect=1" \
5159 0 \
5160 -S "mbedtls_ssl_handshake returned" \
5161 -C "mbedtls_ssl_handshake returned" \
5162 -c "Read from server: .* bytes read"
5163
5164run_test "Event-driven I/O: session-id resume" \
5165 "$P_SRV event=1 tickets=0 auth_mode=none" \
5166 "$P_CLI event=1 tickets=0 reconnect=1" \
5167 0 \
5168 -S "mbedtls_ssl_handshake returned" \
5169 -C "mbedtls_ssl_handshake returned" \
5170 -c "Read from server: .* bytes read"
5171
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]5172run_test "Event-driven I/O, DTLS: basic handshake" \
5173 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
5174 "$P_CLI dtls=1 event=1 tickets=0" \
5175 0 \
5176 -c "Read from server: .* bytes read"
5177
5178run_test "Event-driven I/O, DTLS: client auth" \
5179 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
5180 "$P_CLI dtls=1 event=1 tickets=0" \
5181 0 \
5182 -c "Read from server: .* bytes read"
5183
5184run_test "Event-driven I/O, DTLS: ticket" \
5185 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
5186 "$P_CLI dtls=1 event=1 tickets=1" \
5187 0 \
5188 -c "Read from server: .* bytes read"
5189
5190run_test "Event-driven I/O, DTLS: ticket + client auth" \
5191 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
5192 "$P_CLI dtls=1 event=1 tickets=1" \
5193 0 \
5194 -c "Read from server: .* bytes read"
5195
5196run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
5197 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]5198 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]5199 0 \
5200 -c "Read from server: .* bytes read"
5201
5202run_test "Event-driven I/O, DTLS: ticket + resume" \
5203 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]5204 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]5205 0 \
5206 -c "Read from server: .* bytes read"
5207
5208run_test "Event-driven I/O, DTLS: session-id resume" \
5209 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]5210 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]5211 0 \
5212 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]5213
5214# This test demonstrates the need for the mbedtls_ssl_check_pending function.
5215# During session resumption, the client will send its ApplicationData record
5216# within the same datagram as the Finished messages. In this situation, the
5217# server MUST NOT idle on the underlying transport after handshake completion,
5218# because the ApplicationData request has already been queued internally.
5219run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]5220 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]5221 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]5222 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]5223 0 \
5224 -c "Read from server: .* bytes read"
5225
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5226# Tests for version negotiation
5227
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5228run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5229 "$P_SRV" \
5230 "$P_CLI" \
5231 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5232 -S "mbedtls_ssl_handshake returned" \
5233 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5234 -s "Protocol is TLSv1.2" \
5235 -c "Protocol is TLSv1.2"
5236
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5237run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5238 "$P_SRV" \
5239 "$P_CLI max_version=tls1_1" \
5240 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5241 -S "mbedtls_ssl_handshake returned" \
5242 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5243 -s "Protocol is TLSv1.1" \
5244 -c "Protocol is TLSv1.1"
5245
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5246run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5247 "$P_SRV max_version=tls1_1" \
5248 "$P_CLI" \
5249 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5250 -S "mbedtls_ssl_handshake returned" \
5251 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5252 -s "Protocol is TLSv1.1" \
5253 -c "Protocol is TLSv1.1"
5254
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5255run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5256 "$P_SRV max_version=tls1_1" \
5257 "$P_CLI max_version=tls1_1" \
5258 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5259 -S "mbedtls_ssl_handshake returned" \
5260 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5261 -s "Protocol is TLSv1.1" \
5262 -c "Protocol is TLSv1.1"
5263
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5264run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5265 "$P_SRV min_version=tls1_1" \
5266 "$P_CLI max_version=tls1_1" \
5267 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5268 -S "mbedtls_ssl_handshake returned" \
5269 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5270 -s "Protocol is TLSv1.1" \
5271 -c "Protocol is TLSv1.1"
5272
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5273run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5274 "$P_SRV max_version=tls1_1" \
5275 "$P_CLI min_version=tls1_1" \
5276 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5277 -S "mbedtls_ssl_handshake returned" \
5278 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5279 -s "Protocol is TLSv1.1" \
5280 -c "Protocol is TLSv1.1"
5281
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5282run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5283 "$P_SRV max_version=tls1_1" \
5284 "$P_CLI min_version=tls1_2" \
5285 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5286 -s "mbedtls_ssl_handshake returned" \
5287 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5288 -c "SSL - Handshake protocol not within min/max boundaries"
5289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5290run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5291 "$P_SRV min_version=tls1_2" \
5292 "$P_CLI max_version=tls1_1" \
5293 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5294 -s "mbedtls_ssl_handshake returned" \
5295 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5296 -s "SSL - Handshake protocol not within min/max boundaries"
5297
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5298# Tests for ALPN extension
5299
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5300run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5301 "$P_SRV debug_level=3" \
5302 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5303 0 \
5304 -C "client hello, adding alpn extension" \
5305 -S "found alpn extension" \
5306 -C "got an alert message, type: \\[2:120]" \
5307 -S "server hello, adding alpn extension" \
5308 -C "found alpn extension " \
5309 -C "Application Layer Protocol is" \
5310 -S "Application Layer Protocol is"
5311
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5312run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5313 "$P_SRV debug_level=3" \
5314 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5315 0 \
5316 -c "client hello, adding alpn extension" \
5317 -s "found alpn extension" \
5318 -C "got an alert message, type: \\[2:120]" \
5319 -S "server hello, adding alpn extension" \
5320 -C "found alpn extension " \
5321 -c "Application Layer Protocol is (none)" \
5322 -S "Application Layer Protocol is"
5323
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5324run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5325 "$P_SRV debug_level=3 alpn=abc,1234" \
5326 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5327 0 \
5328 -C "client hello, adding alpn extension" \
5329 -S "found alpn extension" \
5330 -C "got an alert message, type: \\[2:120]" \
5331 -S "server hello, adding alpn extension" \
5332 -C "found alpn extension " \
5333 -C "Application Layer Protocol is" \
5334 -s "Application Layer Protocol is (none)"
5335
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5336run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5337 "$P_SRV debug_level=3 alpn=abc,1234" \
5338 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5339 0 \
5340 -c "client hello, adding alpn extension" \
5341 -s "found alpn extension" \
5342 -C "got an alert message, type: \\[2:120]" \
5343 -s "server hello, adding alpn extension" \
5344 -c "found alpn extension" \
5345 -c "Application Layer Protocol is abc" \
5346 -s "Application Layer Protocol is abc"
5347
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5348run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5349 "$P_SRV debug_level=3 alpn=abc,1234" \
5350 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5351 0 \
5352 -c "client hello, adding alpn extension" \
5353 -s "found alpn extension" \
5354 -C "got an alert message, type: \\[2:120]" \
5355 -s "server hello, adding alpn extension" \
5356 -c "found alpn extension" \
5357 -c "Application Layer Protocol is abc" \
5358 -s "Application Layer Protocol is abc"
5359
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5360run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5361 "$P_SRV debug_level=3 alpn=abc,1234" \
5362 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5363 0 \
5364 -c "client hello, adding alpn extension" \
5365 -s "found alpn extension" \
5366 -C "got an alert message, type: \\[2:120]" \
5367 -s "server hello, adding alpn extension" \
5368 -c "found alpn extension" \
5369 -c "Application Layer Protocol is 1234" \
5370 -s "Application Layer Protocol is 1234"
5371
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5372run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5373 "$P_SRV debug_level=3 alpn=abc,123" \
5374 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5375 1 \
5376 -c "client hello, adding alpn extension" \
5377 -s "found alpn extension" \
5378 -c "got an alert message, type: \\[2:120]" \
5379 -S "server hello, adding alpn extension" \
5380 -C "found alpn extension" \
5381 -C "Application Layer Protocol is 1234" \
5382 -S "Application Layer Protocol is 1234"
5383
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]5384
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5385# Tests for keyUsage in leaf certificates, part 1:
5386# server-side certificate/suite selection
5387
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5388run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5389 "$P_SRV key_file=data_files/server2.key \
5390 crt_file=data_files/server2.ku-ds.crt" \
5391 "$P_CLI" \
5392 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]5393 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5394
5395
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5396run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5397 "$P_SRV key_file=data_files/server2.key \
5398 crt_file=data_files/server2.ku-ke.crt" \
5399 "$P_CLI" \
5400 0 \
5401 -c "Ciphersuite is TLS-RSA-WITH-"
5402
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5403run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5404 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5405 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5406 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5407 1 \
5408 -C "Ciphersuite is "
5409
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5410run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5411 "$P_SRV key_file=data_files/server5.key \
5412 crt_file=data_files/server5.ku-ds.crt" \
5413 "$P_CLI" \
5414 0 \
5415 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
5416
5417
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5418run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5419 "$P_SRV key_file=data_files/server5.key \
5420 crt_file=data_files/server5.ku-ka.crt" \
5421 "$P_CLI" \
5422 0 \
5423 -c "Ciphersuite is TLS-ECDH-"
5424
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5425run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5426 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5427 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5428 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5429 1 \
5430 -C "Ciphersuite is "
5431
5432# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5433# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5434
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5435run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5436 "$O_SRV -key data_files/server2.key \
5437 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5438 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5439 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5440 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5441 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5442 -C "Processing of the Certificate handshake message failed" \
5443 -c "Ciphersuite is TLS-"
5444
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5445run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5446 "$O_SRV -key data_files/server2.key \
5447 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5448 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5449 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5450 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5451 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5452 -C "Processing of the Certificate handshake message failed" \
5453 -c "Ciphersuite is TLS-"
5454
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5455run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5456 "$O_SRV -key data_files/server2.key \
5457 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5458 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5459 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5460 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5461 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5462 -C "Processing of the Certificate handshake message failed" \
5463 -c "Ciphersuite is TLS-"
5464
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5465run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5466 "$O_SRV -key data_files/server2.key \
5467 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5468 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5469 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5470 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5471 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5472 -c "Processing of the Certificate handshake message failed" \
5473 -C "Ciphersuite is TLS-"
5474
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]5475run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
5476 "$O_SRV -key data_files/server2.key \
5477 -cert data_files/server2.ku-ke.crt" \
5478 "$P_CLI debug_level=1 auth_mode=optional \
5479 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5480 0 \
5481 -c "bad certificate (usage extensions)" \
5482 -C "Processing of the Certificate handshake message failed" \
5483 -c "Ciphersuite is TLS-" \
5484 -c "! Usage does not match the keyUsage extension"
5485
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5486run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5487 "$O_SRV -key data_files/server2.key \
5488 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5489 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5490 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5491 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5492 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5493 -C "Processing of the Certificate handshake message failed" \
5494 -c "Ciphersuite is TLS-"
5495
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5496run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5497 "$O_SRV -key data_files/server2.key \
5498 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5499 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5500 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5501 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5502 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5503 -c "Processing of the Certificate handshake message failed" \
5504 -C "Ciphersuite is TLS-"
5505
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]5506run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
5507 "$O_SRV -key data_files/server2.key \
5508 -cert data_files/server2.ku-ds.crt" \
5509 "$P_CLI debug_level=1 auth_mode=optional \
5510 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5511 0 \
5512 -c "bad certificate (usage extensions)" \
5513 -C "Processing of the Certificate handshake message failed" \
5514 -c "Ciphersuite is TLS-" \
5515 -c "! Usage does not match the keyUsage extension"
5516
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5517# Tests for keyUsage in leaf certificates, part 3:
5518# server-side checking of client cert
5519
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5520run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5521 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5522 "$O_CLI -key data_files/server2.key \
5523 -cert data_files/server2.ku-ds.crt" \
5524 0 \
5525 -S "bad certificate (usage extensions)" \
5526 -S "Processing of the Certificate handshake message failed"
5527
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5528run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5529 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5530 "$O_CLI -key data_files/server2.key \
5531 -cert data_files/server2.ku-ke.crt" \
5532 0 \
5533 -s "bad certificate (usage extensions)" \
5534 -S "Processing of the Certificate handshake message failed"
5535
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5536run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5537 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5538 "$O_CLI -key data_files/server2.key \
5539 -cert data_files/server2.ku-ke.crt" \
5540 1 \
5541 -s "bad certificate (usage extensions)" \
5542 -s "Processing of the Certificate handshake message failed"
5543
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5544run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5545 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5546 "$O_CLI -key data_files/server5.key \
5547 -cert data_files/server5.ku-ds.crt" \
5548 0 \
5549 -S "bad certificate (usage extensions)" \
5550 -S "Processing of the Certificate handshake message failed"
5551
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5552run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5553 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5554 "$O_CLI -key data_files/server5.key \
5555 -cert data_files/server5.ku-ka.crt" \
5556 0 \
5557 -s "bad certificate (usage extensions)" \
5558 -S "Processing of the Certificate handshake message failed"
5559
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5560# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
5561
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5562run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5563 "$P_SRV key_file=data_files/server5.key \
5564 crt_file=data_files/server5.eku-srv.crt" \
5565 "$P_CLI" \
5566 0
5567
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5568run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5569 "$P_SRV key_file=data_files/server5.key \
5570 crt_file=data_files/server5.eku-srv.crt" \
5571 "$P_CLI" \
5572 0
5573
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5574run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5575 "$P_SRV key_file=data_files/server5.key \
5576 crt_file=data_files/server5.eku-cs_any.crt" \
5577 "$P_CLI" \
5578 0
5579
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5580run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]5581 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5582 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]5583 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5584 1
5585
5586# Tests for extendedKeyUsage, part 2: client-side checking of server cert
5587
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5588run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5589 "$O_SRV -key data_files/server5.key \
5590 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5591 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5592 0 \
5593 -C "bad certificate (usage extensions)" \
5594 -C "Processing of the Certificate handshake message failed" \
5595 -c "Ciphersuite is TLS-"
5596
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5597run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5598 "$O_SRV -key data_files/server5.key \
5599 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5600 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5601 0 \
5602 -C "bad certificate (usage extensions)" \
5603 -C "Processing of the Certificate handshake message failed" \
5604 -c "Ciphersuite is TLS-"
5605
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5606run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5607 "$O_SRV -key data_files/server5.key \
5608 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5609 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5610 0 \
5611 -C "bad certificate (usage extensions)" \
5612 -C "Processing of the Certificate handshake message failed" \
5613 -c "Ciphersuite is TLS-"
5614
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5615run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5616 "$O_SRV -key data_files/server5.key \
5617 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5618 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5619 1 \
5620 -c "bad certificate (usage extensions)" \
5621 -c "Processing of the Certificate handshake message failed" \
5622 -C "Ciphersuite is TLS-"
5623
5624# Tests for extendedKeyUsage, part 3: server-side checking of client cert
5625
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5626run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5627 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5628 "$O_CLI -key data_files/server5.key \
5629 -cert data_files/server5.eku-cli.crt" \
5630 0 \
5631 -S "bad certificate (usage extensions)" \
5632 -S "Processing of the Certificate handshake message failed"
5633
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5634run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5635 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5636 "$O_CLI -key data_files/server5.key \
5637 -cert data_files/server5.eku-srv_cli.crt" \
5638 0 \
5639 -S "bad certificate (usage extensions)" \
5640 -S "Processing of the Certificate handshake message failed"
5641
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5642run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5643 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5644 "$O_CLI -key data_files/server5.key \
5645 -cert data_files/server5.eku-cs_any.crt" \
5646 0 \
5647 -S "bad certificate (usage extensions)" \
5648 -S "Processing of the Certificate handshake message failed"
5649
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5650run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5651 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5652 "$O_CLI -key data_files/server5.key \
5653 -cert data_files/server5.eku-cs.crt" \
5654 0 \
5655 -s "bad certificate (usage extensions)" \
5656 -S "Processing of the Certificate handshake message failed"
5657
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5658run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5659 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5660 "$O_CLI -key data_files/server5.key \
5661 -cert data_files/server5.eku-cs.crt" \
5662 1 \
5663 -s "bad certificate (usage extensions)" \
5664 -s "Processing of the Certificate handshake message failed"
5665
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5666# Tests for DHM parameters loading
5667
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5668run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5669 "$P_SRV" \
5670 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5671 debug_level=3" \
5672 0 \
5673 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]5674 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5675
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5676run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5677 "$P_SRV dhm_file=data_files/dhparams.pem" \
5678 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5679 debug_level=3" \
5680 0 \
5681 -c "value of 'DHM: P ' (1024 bits)" \
5682 -c "value of 'DHM: G ' (2 bits)"
5683
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5684# Tests for DHM client-side size checking
5685
5686run_test "DHM size: server default, client default, OK" \
5687 "$P_SRV" \
5688 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5689 debug_level=1" \
5690 0 \
5691 -C "DHM prime too short:"
5692
5693run_test "DHM size: server default, client 2048, OK" \
5694 "$P_SRV" \
5695 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5696 debug_level=1 dhmlen=2048" \
5697 0 \
5698 -C "DHM prime too short:"
5699
5700run_test "DHM size: server 1024, client default, OK" \
5701 "$P_SRV dhm_file=data_files/dhparams.pem" \
5702 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5703 debug_level=1" \
5704 0 \
5705 -C "DHM prime too short:"
5706
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]5707run_test "DHM size: server 999, client 999, OK" \
5708 "$P_SRV dhm_file=data_files/dh.999.pem" \
5709 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5710 debug_level=1 dhmlen=999" \
5711 0 \
5712 -C "DHM prime too short:"
5713
5714run_test "DHM size: server 1000, client 1000, OK" \
5715 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5716 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5717 debug_level=1 dhmlen=1000" \
5718 0 \
5719 -C "DHM prime too short:"
5720
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5721run_test "DHM size: server 1000, client default, rejected" \
5722 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5723 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5724 debug_level=1" \
5725 1 \
5726 -c "DHM prime too short:"
5727
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]5728run_test "DHM size: server 1000, client 1001, rejected" \
5729 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5730 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5731 debug_level=1 dhmlen=1001" \
5732 1 \
5733 -c "DHM prime too short:"
5734
5735run_test "DHM size: server 999, client 1000, rejected" \
5736 "$P_SRV dhm_file=data_files/dh.999.pem" \
5737 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5738 debug_level=1 dhmlen=1000" \
5739 1 \
5740 -c "DHM prime too short:"
5741
5742run_test "DHM size: server 998, client 999, rejected" \
5743 "$P_SRV dhm_file=data_files/dh.998.pem" \
5744 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5745 debug_level=1 dhmlen=999" \
5746 1 \
5747 -c "DHM prime too short:"
5748
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5749run_test "DHM size: server default, client 2049, rejected" \
5750 "$P_SRV" \
5751 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5752 debug_level=1 dhmlen=2049" \
5753 1 \
5754 -c "DHM prime too short:"
5755
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5756# Tests for PSK callback
5757
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5758run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5759 "$P_SRV psk=abc123 psk_identity=foo" \
5760 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5761 psk_identity=foo psk=abc123" \
5762 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5763 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5764 -S "SSL - Unknown identity received" \
5765 -S "SSL - Verification of the message MAC failed"
5766
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5767requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5768run_test "PSK callback: opaque psk on client, no callback" \
5769 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
5770 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5771 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5772 0 \
5773 -c "skip PMS generation for opaque PSK"\
5774 -S "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5775 -C "session hash for extended master secret"\
5776 -S "session hash for extended master secret"\
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5777 -S "SSL - None of the common ciphersuites is usable" \
5778 -S "SSL - Unknown identity received" \
5779 -S "SSL - Verification of the message MAC failed"
5780
5781requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5782run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
5783 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
5784 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5785 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5786 0 \
5787 -c "skip PMS generation for opaque PSK"\
5788 -S "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5789 -C "session hash for extended master secret"\
5790 -S "session hash for extended master secret"\
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5791 -S "SSL - None of the common ciphersuites is usable" \
5792 -S "SSL - Unknown identity received" \
5793 -S "SSL - Verification of the message MAC failed"
5794
5795requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5796run_test "PSK callback: opaque psk on client, no callback, EMS" \
5797 "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
5798 "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5799 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5800 0 \
5801 -c "skip PMS generation for opaque PSK"\
5802 -S "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5803 -c "session hash for extended master secret"\
5804 -s "session hash for extended master secret"\
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5805 -S "SSL - None of the common ciphersuites is usable" \
5806 -S "SSL - Unknown identity received" \
5807 -S "SSL - Verification of the message MAC failed"
5808
5809requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5810run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
5811 "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
5812 "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5813 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5814 0 \
5815 -c "skip PMS generation for opaque PSK"\
5816 -S "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5817 -c "session hash for extended master secret"\
5818 -s "session hash for extended master secret"\
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5819 -S "SSL - None of the common ciphersuites is usable" \
5820 -S "SSL - Unknown identity received" \
5821 -S "SSL - Verification of the message MAC failed"
5822
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5823requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5824run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5825 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5826 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5827 psk_identity=foo psk=abc123" \
5828 0 \
5829 -C "skip PMS generation for opaque PSK"\
5830 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5831 -C "session hash for extended master secret"\
5832 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5833 -S "SSL - None of the common ciphersuites is usable" \
5834 -S "SSL - Unknown identity received" \
5835 -S "SSL - Verification of the message MAC failed"
5836
5837requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5838run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5839 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5840 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
5841 psk_identity=foo psk=abc123" \
5842 0 \
5843 -C "skip PMS generation for opaque PSK"\
5844 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5845 -C "session hash for extended master secret"\
5846 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5847 -S "SSL - None of the common ciphersuites is usable" \
5848 -S "SSL - Unknown identity received" \
5849 -S "SSL - Verification of the message MAC failed"
5850
5851requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5852run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5853 "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5854 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
5855 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5856 psk_identity=foo psk=abc123 extended_ms=1" \
5857 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5858 -c "session hash for extended master secret"\
5859 -s "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5860 -C "skip PMS generation for opaque PSK"\
5861 -s "skip PMS generation for opaque PSK"\
5862 -S "SSL - None of the common ciphersuites is usable" \
5863 -S "SSL - Unknown identity received" \
5864 -S "SSL - Verification of the message MAC failed"
5865
5866requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5867run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5868 "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5869 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
5870 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
5871 psk_identity=foo psk=abc123 extended_ms=1" \
5872 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5873 -c "session hash for extended master secret"\
5874 -s "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5875 -C "skip PMS generation for opaque PSK"\
5876 -s "skip PMS generation for opaque PSK"\
5877 -S "SSL - None of the common ciphersuites is usable" \
5878 -S "SSL - Unknown identity received" \
5879 -S "SSL - Verification of the message MAC failed"
5880
5881requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5882run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5883 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5884 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5885 psk_identity=def psk=beef" \
5886 0 \
5887 -C "skip PMS generation for opaque PSK"\
5888 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5889 -C "session hash for extended master secret"\
5890 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5891 -S "SSL - None of the common ciphersuites is usable" \
5892 -S "SSL - Unknown identity received" \
5893 -S "SSL - Verification of the message MAC failed"
5894
5895requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5896run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5897 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5898 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
5899 psk_identity=def psk=beef" \
5900 0 \
5901 -C "skip PMS generation for opaque PSK"\
5902 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5903 -C "session hash for extended master secret"\
5904 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5905 -S "SSL - None of the common ciphersuites is usable" \
5906 -S "SSL - Unknown identity received" \
5907 -S "SSL - Verification of the message MAC failed"
5908
5909requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5910run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5911 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5912 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
5913 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5914 psk_identity=abc psk=dead extended_ms=1" \
5915 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5916 -c "session hash for extended master secret"\
5917 -s "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5918 -C "skip PMS generation for opaque PSK"\
5919 -s "skip PMS generation for opaque PSK"\
5920 -S "SSL - None of the common ciphersuites is usable" \
5921 -S "SSL - Unknown identity received" \
5922 -S "SSL - Verification of the message MAC failed"
5923
5924requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5925run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5926 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5927 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
5928 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
5929 psk_identity=abc psk=dead extended_ms=1" \
5930 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5931 -c "session hash for extended master secret"\
5932 -s "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5933 -C "skip PMS generation for opaque PSK"\
5934 -s "skip PMS generation for opaque PSK"\
5935 -S "SSL - None of the common ciphersuites is usable" \
5936 -S "SSL - Unknown identity received" \
5937 -S "SSL - Verification of the message MAC failed"
5938
5939requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5940run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5941 "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5942 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5943 psk_identity=def psk=beef" \
5944 0 \
5945 -C "skip PMS generation for opaque PSK"\
5946 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5947 -C "session hash for extended master secret"\
5948 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5949 -S "SSL - None of the common ciphersuites is usable" \
5950 -S "SSL - Unknown identity received" \
5951 -S "SSL - Verification of the message MAC failed"
5952
5953requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5954run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5955 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5956 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5957 psk_identity=def psk=beef" \
5958 0 \
5959 -C "skip PMS generation for opaque PSK"\
5960 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5961 -C "session hash for extended master secret"\
5962 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5963 -S "SSL - None of the common ciphersuites is usable" \
5964 -S "SSL - Unknown identity received" \
5965 -S "SSL - Verification of the message MAC failed"
5966
5967requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5968run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5969 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5970 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5971 psk_identity=def psk=beef" \
5972 0 \
5973 -C "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5974 -C "session hash for extended master secret"\
5975 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5976 -S "SSL - None of the common ciphersuites is usable" \
5977 -S "SSL - Unknown identity received" \
5978 -S "SSL - Verification of the message MAC failed"
5979
5980requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5981run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5982 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5983 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5984 psk_identity=def psk=beef" \
5985 0 \
5986 -C "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5987 -C "session hash for extended master secret"\
5988 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5989 -S "SSL - None of the common ciphersuites is usable" \
5990 -S "SSL - Unknown identity received" \
5991 -S "SSL - Verification of the message MAC failed"
5992
5993requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5994run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5995 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5996 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5997 psk_identity=def psk=beef" \
5998 1 \
5999 -s "SSL - Verification of the message MAC failed"
6000
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6001run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]6002 "$P_SRV" \
6003 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6004 psk_identity=foo psk=abc123" \
6005 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6006 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6007 -S "SSL - Unknown identity received" \
6008 -S "SSL - Verification of the message MAC failed"
6009
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6010run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6011 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
6012 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6013 psk_identity=foo psk=abc123" \
6014 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6015 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6016 -s "SSL - Unknown identity received" \
6017 -S "SSL - Verification of the message MAC failed"
6018
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6019run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6020 "$P_SRV psk_list=abc,dead,def,beef" \
6021 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6022 psk_identity=abc psk=dead" \
6023 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6024 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6025 -S "SSL - Unknown identity received" \
6026 -S "SSL - Verification of the message MAC failed"
6027
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6028run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6029 "$P_SRV psk_list=abc,dead,def,beef" \
6030 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6031 psk_identity=def psk=beef" \
6032 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6033 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6034 -S "SSL - Unknown identity received" \
6035 -S "SSL - Verification of the message MAC failed"
6036
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6037run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6038 "$P_SRV psk_list=abc,dead,def,beef" \
6039 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6040 psk_identity=ghi psk=beef" \
6041 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6042 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6043 -s "SSL - Unknown identity received" \
6044 -S "SSL - Verification of the message MAC failed"
6045
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6046run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6047 "$P_SRV psk_list=abc,dead,def,beef" \
6048 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6049 psk_identity=abc psk=beef" \
6050 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6051 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6052 -S "SSL - Unknown identity received" \
6053 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]6054
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6055# Tests for EC J-PAKE
6056
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]6057requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6058run_test "ECJPAKE: client not configured" \
6059 "$P_SRV debug_level=3" \
6060 "$P_CLI debug_level=3" \
6061 0 \
Hanno Beckeree63af62020-08-14 15:41:23 +0100[diff] [blame]6062 -C "add ciphersuite: 0xc0ff" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6063 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6064 -S "found ecjpake kkpp extension" \
6065 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6066 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]6067 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]6068 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6069 -S "None of the common ciphersuites is usable"
6070
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]6071requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6072run_test "ECJPAKE: server not configured" \
6073 "$P_SRV debug_level=3" \
6074 "$P_CLI debug_level=3 ecjpake_pw=bla \
6075 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6076 1 \
Hanno Beckeree63af62020-08-14 15:41:23 +0100[diff] [blame]6077 -c "add ciphersuite: 0xc0ff" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6078 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6079 -s "found ecjpake kkpp extension" \
6080 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6081 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]6082 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]6083 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6084 -s "None of the common ciphersuites is usable"
6085
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]6086requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6087run_test "ECJPAKE: working, TLS" \
6088 "$P_SRV debug_level=3 ecjpake_pw=bla" \
6089 "$P_CLI debug_level=3 ecjpake_pw=bla \
6090 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]6091 0 \
Hanno Beckeree63af62020-08-14 15:41:23 +0100[diff] [blame]6092 -c "add ciphersuite: 0xc0ff" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6093 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6094 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6095 -s "found ecjpake kkpp extension" \
6096 -S "skip ecjpake kkpp extension" \
6097 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]6098 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]6099 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6100 -S "None of the common ciphersuites is usable" \
6101 -S "SSL - Verification of the message MAC failed"
6102
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]6103server_needs_more_time 1
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6104requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6105run_test "ECJPAKE: password mismatch, TLS" \
6106 "$P_SRV debug_level=3 ecjpake_pw=bla" \
6107 "$P_CLI debug_level=3 ecjpake_pw=bad \
6108 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6109 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6110 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6111 -s "SSL - Verification of the message MAC failed"
6112
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6113requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6114run_test "ECJPAKE: working, DTLS" \
6115 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
6116 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
6117 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6118 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6119 -c "re-using cached ecjpake parameters" \
6120 -S "SSL - Verification of the message MAC failed"
6121
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6122requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6123run_test "ECJPAKE: working, DTLS, no cookie" \
6124 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
6125 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
6126 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6127 0 \
6128 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6129 -S "SSL - Verification of the message MAC failed"
6130
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]6131server_needs_more_time 1
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6132requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6133run_test "ECJPAKE: password mismatch, DTLS" \
6134 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
6135 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
6136 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6137 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6138 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6139 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6140
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]6141# for tests with configs/config-thread.h
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6142requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]6143run_test "ECJPAKE: working, DTLS, nolog" \
6144 "$P_SRV dtls=1 ecjpake_pw=bla" \
6145 "$P_CLI dtls=1 ecjpake_pw=bla \
6146 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6147 0
6148
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6149# Tests for ciphersuites per version
6150
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6151requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6152requires_config_enabled MBEDTLS_CAMELLIA_C
6153requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6154run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6155 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6156 "$P_CLI force_version=ssl3" \
6157 0 \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6158 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6159
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6160requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
6161requires_config_enabled MBEDTLS_CAMELLIA_C
6162requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6163run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6164 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]6165 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6166 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6167 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6168
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6169requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6170requires_config_enabled MBEDTLS_CAMELLIA_C
6171requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6172run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6173 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6174 "$P_CLI force_version=tls1_1" \
6175 0 \
6176 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
6177
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6178requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
6179requires_config_enabled MBEDTLS_CAMELLIA_C
6180requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6181run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6182 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6183 "$P_CLI force_version=tls1_2" \
6184 0 \
6185 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
6186
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]6187# Test for ClientHello without extensions
6188
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]6189requires_gnutls
Manuel Pégourié-Gonnardbc4da292020-01-30 12:45:14 +0100[diff] [blame]6190run_test "ClientHello without extensions" \
Manuel Pégourié-Gonnard77cbeff2020-01-30 10:58:57 +0100[diff] [blame]6191 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]6192 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]6193 0 \
6194 -s "dumping 'client hello extensions' (0 bytes)"
6195
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6196# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]6197
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6198run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]6199 "$P_SRV" \
6200 "$P_CLI request_size=100" \
6201 0 \
6202 -s "Read from client: 100 bytes read$"
6203
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6204run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]6205 "$P_SRV" \
6206 "$P_CLI request_size=500" \
6207 0 \
6208 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6209
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6210# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6211
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6212requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6213run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]6214 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6215 "$P_CLI request_size=1 force_version=ssl3 \
6216 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6217 0 \
6218 -s "Read from client: 1 bytes read"
6219
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6220requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6221run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6222 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6223 "$P_CLI request_size=1 force_version=ssl3 \
6224 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6225 0 \
6226 -s "Read from client: 1 bytes read"
6227
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6228run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6229 "$P_SRV" \
6230 "$P_CLI request_size=1 force_version=tls1 \
6231 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6232 0 \
6233 -s "Read from client: 1 bytes read"
6234
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6235run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6236 "$P_SRV" \
6237 "$P_CLI request_size=1 force_version=tls1 etm=0 \
6238 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6239 0 \
6240 -s "Read from client: 1 bytes read"
6241
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6242requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6243run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6244 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6245 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6246 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6247 0 \
6248 -s "Read from client: 1 bytes read"
6249
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6250requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6251run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6252 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6253 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6254 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6255 0 \
6256 -s "Read from client: 1 bytes read"
6257
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6258run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6259 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6260 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6261 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6262 0 \
6263 -s "Read from client: 1 bytes read"
6264
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6265run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6266 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6267 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6268 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6269 0 \
6270 -s "Read from client: 1 bytes read"
6271
6272requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6273run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6274 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6275 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6276 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6277 0 \
6278 -s "Read from client: 1 bytes read"
6279
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6280requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6281run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6282 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6283 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6284 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6285 0 \
6286 -s "Read from client: 1 bytes read"
6287
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6288run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6289 "$P_SRV" \
6290 "$P_CLI request_size=1 force_version=tls1_1 \
6291 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6292 0 \
6293 -s "Read from client: 1 bytes read"
6294
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6295run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6296 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6297 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6298 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6299 0 \
6300 -s "Read from client: 1 bytes read"
6301
6302requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6303run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6304 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6305 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6306 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6307 0 \
6308 -s "Read from client: 1 bytes read"
6309
6310requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6311run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6312 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6313 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6314 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6315 0 \
6316 -s "Read from client: 1 bytes read"
6317
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6318run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6319 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6320 "$P_CLI request_size=1 force_version=tls1_1 \
6321 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6322 0 \
6323 -s "Read from client: 1 bytes read"
6324
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6325run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6326 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6327 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6328 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6329 0 \
6330 -s "Read from client: 1 bytes read"
6331
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6332requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6333run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6334 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6335 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6336 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6337 0 \
6338 -s "Read from client: 1 bytes read"
6339
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6340requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6341run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6342 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6343 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6344 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6345 0 \
6346 -s "Read from client: 1 bytes read"
6347
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6348run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6349 "$P_SRV" \
6350 "$P_CLI request_size=1 force_version=tls1_2 \
6351 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6352 0 \
6353 -s "Read from client: 1 bytes read"
6354
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6355run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6356 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6357 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6358 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6359 0 \
6360 -s "Read from client: 1 bytes read"
6361
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6362run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6363 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6364 "$P_CLI request_size=1 force_version=tls1_2 \
6365 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6366 0 \
6367 -s "Read from client: 1 bytes read"
6368
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6369requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6370run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6371 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6372 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6373 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6374 0 \
6375 -s "Read from client: 1 bytes read"
6376
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6377requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6378run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6379 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6380 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6381 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6382 0 \
6383 -s "Read from client: 1 bytes read"
6384
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6385run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6386 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6387 "$P_CLI request_size=1 force_version=tls1_2 \
6388 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6389 0 \
6390 -s "Read from client: 1 bytes read"
6391
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6392run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6393 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6394 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6395 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6396 0 \
6397 -s "Read from client: 1 bytes read"
6398
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6399requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6400run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6401 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6402 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6403 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6404 0 \
6405 -s "Read from client: 1 bytes read"
6406
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6407requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6408run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6409 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6410 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6411 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6412 0 \
6413 -s "Read from client: 1 bytes read"
6414
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6415run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6416 "$P_SRV" \
6417 "$P_CLI request_size=1 force_version=tls1_2 \
6418 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6419 0 \
6420 -s "Read from client: 1 bytes read"
6421
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6422run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6423 "$P_SRV" \
6424 "$P_CLI request_size=1 force_version=tls1_2 \
6425 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6426 0 \
6427 -s "Read from client: 1 bytes read"
6428
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6429# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6430
6431requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6432run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6433 "$P_SRV dtls=1 force_version=dtls1" \
6434 "$P_CLI dtls=1 request_size=1 \
6435 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6436 0 \
6437 -s "Read from client: 1 bytes read"
6438
6439requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6440run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6441 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
6442 "$P_CLI dtls=1 request_size=1 \
6443 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6444 0 \
6445 -s "Read from client: 1 bytes read"
6446
6447requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6448requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6449run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6450 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
6451 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6452 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6453 0 \
6454 -s "Read from client: 1 bytes read"
6455
6456requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6457requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6458run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6459 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6460 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6461 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6462 0 \
6463 -s "Read from client: 1 bytes read"
6464
6465requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6466run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6467 "$P_SRV dtls=1 force_version=dtls1_2" \
6468 "$P_CLI dtls=1 request_size=1 \
6469 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6470 0 \
6471 -s "Read from client: 1 bytes read"
6472
6473requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6474run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6475 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6476 "$P_CLI dtls=1 request_size=1 \
6477 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6478 0 \
6479 -s "Read from client: 1 bytes read"
6480
6481requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6482requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6483run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6484 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6485 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6486 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6487 0 \
6488 -s "Read from client: 1 bytes read"
6489
6490requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6491requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6492run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6493 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6494 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6495 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6496 0 \
6497 -s "Read from client: 1 bytes read"
6498
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6499# Tests for small server packets
6500
6501requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6502run_test "Small server packet SSLv3 BlockCipher" \
6503 "$P_SRV response_size=1 min_version=ssl3" \
6504 "$P_CLI force_version=ssl3 \
6505 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6506 0 \
6507 -c "Read from server: 1 bytes read"
6508
6509requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6510run_test "Small server packet SSLv3 StreamCipher" \
6511 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6512 "$P_CLI force_version=ssl3 \
6513 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6514 0 \
6515 -c "Read from server: 1 bytes read"
6516
6517run_test "Small server packet TLS 1.0 BlockCipher" \
6518 "$P_SRV response_size=1" \
6519 "$P_CLI force_version=tls1 \
6520 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6521 0 \
6522 -c "Read from server: 1 bytes read"
6523
6524run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
6525 "$P_SRV response_size=1" \
6526 "$P_CLI force_version=tls1 etm=0 \
6527 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6528 0 \
6529 -c "Read from server: 1 bytes read"
6530
6531requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6532run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
6533 "$P_SRV response_size=1 trunc_hmac=1" \
6534 "$P_CLI force_version=tls1 \
6535 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6536 0 \
6537 -c "Read from server: 1 bytes read"
6538
6539requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6540run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
6541 "$P_SRV response_size=1 trunc_hmac=1" \
6542 "$P_CLI force_version=tls1 \
6543 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6544 0 \
6545 -c "Read from server: 1 bytes read"
6546
6547run_test "Small server packet TLS 1.0 StreamCipher" \
6548 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6549 "$P_CLI force_version=tls1 \
6550 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6551 0 \
6552 -c "Read from server: 1 bytes read"
6553
6554run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
6555 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6556 "$P_CLI force_version=tls1 \
6557 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6558 0 \
6559 -c "Read from server: 1 bytes read"
6560
6561requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6562run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
6563 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6564 "$P_CLI force_version=tls1 \
6565 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6566 0 \
6567 -c "Read from server: 1 bytes read"
6568
6569requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6570run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6571 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6572 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6573 trunc_hmac=1 etm=0" \
6574 0 \
6575 -c "Read from server: 1 bytes read"
6576
6577run_test "Small server packet TLS 1.1 BlockCipher" \
6578 "$P_SRV response_size=1" \
6579 "$P_CLI force_version=tls1_1 \
6580 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6581 0 \
6582 -c "Read from server: 1 bytes read"
6583
6584run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
6585 "$P_SRV response_size=1" \
6586 "$P_CLI force_version=tls1_1 \
6587 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
6588 0 \
6589 -c "Read from server: 1 bytes read"
6590
6591requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6592run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
6593 "$P_SRV response_size=1 trunc_hmac=1" \
6594 "$P_CLI force_version=tls1_1 \
6595 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6596 0 \
6597 -c "Read from server: 1 bytes read"
6598
6599requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6600run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6601 "$P_SRV response_size=1 trunc_hmac=1" \
6602 "$P_CLI force_version=tls1_1 \
6603 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6604 0 \
6605 -c "Read from server: 1 bytes read"
6606
6607run_test "Small server packet TLS 1.1 StreamCipher" \
6608 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6609 "$P_CLI force_version=tls1_1 \
6610 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6611 0 \
6612 -c "Read from server: 1 bytes read"
6613
6614run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
6615 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6616 "$P_CLI force_version=tls1_1 \
6617 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6618 0 \
6619 -c "Read from server: 1 bytes read"
6620
6621requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6622run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
6623 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6624 "$P_CLI force_version=tls1_1 \
6625 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6626 0 \
6627 -c "Read from server: 1 bytes read"
6628
6629requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6630run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6631 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6632 "$P_CLI force_version=tls1_1 \
6633 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6634 0 \
6635 -c "Read from server: 1 bytes read"
6636
6637run_test "Small server packet TLS 1.2 BlockCipher" \
6638 "$P_SRV response_size=1" \
6639 "$P_CLI force_version=tls1_2 \
6640 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6641 0 \
6642 -c "Read from server: 1 bytes read"
6643
6644run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
6645 "$P_SRV response_size=1" \
6646 "$P_CLI force_version=tls1_2 \
6647 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
6648 0 \
6649 -c "Read from server: 1 bytes read"
6650
6651run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
6652 "$P_SRV response_size=1" \
6653 "$P_CLI force_version=tls1_2 \
6654 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6655 0 \
6656 -c "Read from server: 1 bytes read"
6657
6658requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6659run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
6660 "$P_SRV response_size=1 trunc_hmac=1" \
6661 "$P_CLI force_version=tls1_2 \
6662 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6663 0 \
6664 -c "Read from server: 1 bytes read"
6665
6666requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6667run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6668 "$P_SRV response_size=1 trunc_hmac=1" \
6669 "$P_CLI force_version=tls1_2 \
6670 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6671 0 \
6672 -c "Read from server: 1 bytes read"
6673
6674run_test "Small server packet TLS 1.2 StreamCipher" \
6675 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6676 "$P_CLI force_version=tls1_2 \
6677 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6678 0 \
6679 -c "Read from server: 1 bytes read"
6680
6681run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
6682 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6683 "$P_CLI force_version=tls1_2 \
6684 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6685 0 \
6686 -c "Read from server: 1 bytes read"
6687
6688requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6689run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
6690 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6691 "$P_CLI force_version=tls1_2 \
6692 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6693 0 \
6694 -c "Read from server: 1 bytes read"
6695
6696requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6697run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6698 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6699 "$P_CLI force_version=tls1_2 \
6700 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6701 0 \
6702 -c "Read from server: 1 bytes read"
6703
6704run_test "Small server packet TLS 1.2 AEAD" \
6705 "$P_SRV response_size=1" \
6706 "$P_CLI force_version=tls1_2 \
6707 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6708 0 \
6709 -c "Read from server: 1 bytes read"
6710
6711run_test "Small server packet TLS 1.2 AEAD shorter tag" \
6712 "$P_SRV response_size=1" \
6713 "$P_CLI force_version=tls1_2 \
6714 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6715 0 \
6716 -c "Read from server: 1 bytes read"
6717
6718# Tests for small server packets in DTLS
6719
6720requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6721run_test "Small server packet DTLS 1.0" \
6722 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
6723 "$P_CLI dtls=1 \
6724 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6725 0 \
6726 -c "Read from server: 1 bytes read"
6727
6728requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6729run_test "Small server packet DTLS 1.0, without EtM" \
6730 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
6731 "$P_CLI dtls=1 \
6732 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6733 0 \
6734 -c "Read from server: 1 bytes read"
6735
6736requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6737requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6738run_test "Small server packet DTLS 1.0, truncated hmac" \
6739 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
6740 "$P_CLI dtls=1 trunc_hmac=1 \
6741 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6742 0 \
6743 -c "Read from server: 1 bytes read"
6744
6745requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6746requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6747run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
6748 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
6749 "$P_CLI dtls=1 \
6750 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
6751 0 \
6752 -c "Read from server: 1 bytes read"
6753
6754requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6755run_test "Small server packet DTLS 1.2" \
6756 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
6757 "$P_CLI dtls=1 \
6758 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6759 0 \
6760 -c "Read from server: 1 bytes read"
6761
6762requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6763run_test "Small server packet DTLS 1.2, without EtM" \
6764 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
6765 "$P_CLI dtls=1 \
6766 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6767 0 \
6768 -c "Read from server: 1 bytes read"
6769
6770requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6771requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6772run_test "Small server packet DTLS 1.2, truncated hmac" \
6773 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
6774 "$P_CLI dtls=1 \
6775 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6776 0 \
6777 -c "Read from server: 1 bytes read"
6778
6779requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6780requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6781run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
6782 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
6783 "$P_CLI dtls=1 \
6784 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
6785 0 \
6786 -c "Read from server: 1 bytes read"
6787
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]6788# A test for extensions in SSLv3
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]6789requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]6790requires_max_content_len 4096
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]6791run_test "SSLv3 with extensions, server side" \
6792 "$P_SRV min_version=ssl3 debug_level=3" \
6793 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
6794 0 \
6795 -S "dumping 'client hello extensions'" \
6796 -S "server hello, total extension length:"
6797
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6798# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6799
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6800# How many fragments do we expect to write $1 bytes?
6801fragments_for_write() {
6802 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
6803}
6804
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6805requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6806run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]6807 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6808 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6809 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6810 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6811 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6812 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6813
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6814requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6815run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6816 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6817 "$P_CLI request_size=16384 force_version=ssl3 \
6818 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6819 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6820 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6821 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6822
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6823run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6824 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6825 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6826 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6827 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6828 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6829 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6830
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6831run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6832 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6833 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
6834 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6835 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6836 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6837
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6838requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6839run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6840 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6841 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6842 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6843 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6844 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6845 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6846
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6847requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6848run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6849 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6850 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6851 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6852 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6853 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6854
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6855run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6856 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6857 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6858 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6859 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6860 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6861
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6862run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6863 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6864 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6865 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6866 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6867 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6868
6869requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6870run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6871 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6872 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6873 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6874 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6875 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6876
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6877requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6878run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6879 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6880 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6881 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6882 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6883 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6884 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6885
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6886run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6887 "$P_SRV" \
6888 "$P_CLI request_size=16384 force_version=tls1_1 \
6889 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6890 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6891 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6892 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6893
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6894run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6895 "$P_SRV" \
6896 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
6897 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6898 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6899 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6900
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6901requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6902run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6903 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6904 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6905 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6906 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6907 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6908
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6909requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6910run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6911 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6912 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6913 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6914 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6915 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6916
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6917run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6918 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6919 "$P_CLI request_size=16384 force_version=tls1_1 \
6920 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6921 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6922 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6923 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6924
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6925run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6926 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6927 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6928 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6929 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6930 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6931 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6932
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6933requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6934run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6935 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6936 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6937 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6938 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6939 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6940
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6941requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6942run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6943 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6944 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6945 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6946 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6947 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6948 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6949
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6950run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6951 "$P_SRV" \
6952 "$P_CLI request_size=16384 force_version=tls1_2 \
6953 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6954 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6955 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6956 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6957
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6958run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6959 "$P_SRV" \
6960 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
6961 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6962 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6963 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6964
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6965run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6966 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6967 "$P_CLI request_size=16384 force_version=tls1_2 \
6968 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6969 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6970 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6971 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6972
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6973requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6974run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6975 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6976 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6977 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6978 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6979 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6980
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6981requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6982run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6983 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6984 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6985 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6986 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6987 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6988 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6989
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6990run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6991 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6992 "$P_CLI request_size=16384 force_version=tls1_2 \
6993 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6994 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6995 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6996 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6997
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6998run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6999 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7000 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]7001 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
7002 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]7003 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]7004
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]7005requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7006run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]7007 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7008 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]7009 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7010 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]7011 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7012
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]7013requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7014run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]7015 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]7016 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]7017 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7018 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]7019 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
7020 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7021
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7022run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7023 "$P_SRV" \
7024 "$P_CLI request_size=16384 force_version=tls1_2 \
7025 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
7026 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]7027 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
7028 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7029
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7030run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7031 "$P_SRV" \
7032 "$P_CLI request_size=16384 force_version=tls1_2 \
7033 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
7034 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]7035 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
7036 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7037
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7038# Test for large server packets
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]7039# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7040requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
7041run_test "Large server packet SSLv3 StreamCipher" \
7042 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7043 "$P_CLI force_version=ssl3 \
7044 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7045 0 \
7046 -c "Read from server: 16384 bytes read"
7047
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]7048# Checking next 4 tests logs for 1n-1 split against BEAST too
7049requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
7050run_test "Large server packet SSLv3 BlockCipher" \
7051 "$P_SRV response_size=16384 min_version=ssl3" \
7052 "$P_CLI force_version=ssl3 recsplit=0 \
7053 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7054 0 \
7055 -c "Read from server: 1 bytes read"\
7056 -c "16383 bytes read"\
7057 -C "Read from server: 16384 bytes read"
7058
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7059run_test "Large server packet TLS 1.0 BlockCipher" \
7060 "$P_SRV response_size=16384" \
7061 "$P_CLI force_version=tls1 recsplit=0 \
7062 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7063 0 \
7064 -c "Read from server: 1 bytes read"\
7065 -c "16383 bytes read"\
7066 -C "Read from server: 16384 bytes read"
7067
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7068run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
7069 "$P_SRV response_size=16384" \
7070 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
7071 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7072 0 \
7073 -c "Read from server: 1 bytes read"\
7074 -c "16383 bytes read"\
7075 -C "Read from server: 16384 bytes read"
7076
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7077requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7078run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
7079 "$P_SRV response_size=16384" \
7080 "$P_CLI force_version=tls1 recsplit=0 \
7081 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
7082 trunc_hmac=1" \
7083 0 \
7084 -c "Read from server: 1 bytes read"\
7085 -c "16383 bytes read"\
7086 -C "Read from server: 16384 bytes read"
7087
7088requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7089run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
7090 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7091 "$P_CLI force_version=tls1 \
7092 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
7093 trunc_hmac=1" \
7094 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7095 -s "16384 bytes written in 1 fragments" \
7096 -c "Read from server: 16384 bytes read"
7097
7098run_test "Large server packet TLS 1.0 StreamCipher" \
7099 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7100 "$P_CLI force_version=tls1 \
7101 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7102 0 \
7103 -s "16384 bytes written in 1 fragments" \
7104 -c "Read from server: 16384 bytes read"
7105
7106run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
7107 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7108 "$P_CLI force_version=tls1 \
7109 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
7110 0 \
7111 -s "16384 bytes written in 1 fragments" \
7112 -c "Read from server: 16384 bytes read"
7113
7114requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7115run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
7116 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7117 "$P_CLI force_version=tls1 \
7118 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7119 0 \
7120 -s "16384 bytes written in 1 fragments" \
7121 -c "Read from server: 16384 bytes read"
7122
7123requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7124run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
7125 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7126 "$P_CLI force_version=tls1 \
7127 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
7128 0 \
7129 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7130 -c "Read from server: 16384 bytes read"
7131
7132run_test "Large server packet TLS 1.1 BlockCipher" \
7133 "$P_SRV response_size=16384" \
7134 "$P_CLI force_version=tls1_1 \
7135 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7136 0 \
7137 -c "Read from server: 16384 bytes read"
7138
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7139run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
7140 "$P_SRV response_size=16384" \
7141 "$P_CLI force_version=tls1_1 etm=0 \
7142 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7143 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7144 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7145 -c "Read from server: 16384 bytes read"
7146
7147requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7148run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
7149 "$P_SRV response_size=16384" \
7150 "$P_CLI force_version=tls1_1 \
7151 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
7152 trunc_hmac=1" \
7153 0 \
7154 -c "Read from server: 16384 bytes read"
7155
7156requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7157run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
7158 "$P_SRV response_size=16384 trunc_hmac=1" \
7159 "$P_CLI force_version=tls1_1 \
7160 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
7161 0 \
7162 -s "16384 bytes written in 1 fragments" \
7163 -c "Read from server: 16384 bytes read"
7164
7165run_test "Large server packet TLS 1.1 StreamCipher" \
7166 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7167 "$P_CLI force_version=tls1_1 \
7168 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7169 0 \
7170 -c "Read from server: 16384 bytes read"
7171
7172run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
7173 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7174 "$P_CLI force_version=tls1_1 \
7175 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
7176 0 \
7177 -s "16384 bytes written in 1 fragments" \
7178 -c "Read from server: 16384 bytes read"
7179
7180requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7181run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
7182 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7183 "$P_CLI force_version=tls1_1 \
7184 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
7185 trunc_hmac=1" \
7186 0 \
7187 -c "Read from server: 16384 bytes read"
7188
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7189run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
7190 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7191 "$P_CLI force_version=tls1_1 \
7192 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
7193 0 \
7194 -s "16384 bytes written in 1 fragments" \
7195 -c "Read from server: 16384 bytes read"
7196
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7197run_test "Large server packet TLS 1.2 BlockCipher" \
7198 "$P_SRV response_size=16384" \
7199 "$P_CLI force_version=tls1_2 \
7200 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7201 0 \
7202 -c "Read from server: 16384 bytes read"
7203
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7204run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
7205 "$P_SRV response_size=16384" \
7206 "$P_CLI force_version=tls1_2 etm=0 \
7207 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7208 0 \
7209 -s "16384 bytes written in 1 fragments" \
7210 -c "Read from server: 16384 bytes read"
7211
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7212run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
7213 "$P_SRV response_size=16384" \
7214 "$P_CLI force_version=tls1_2 \
7215 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
7216 0 \
7217 -c "Read from server: 16384 bytes read"
7218
7219requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7220run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
7221 "$P_SRV response_size=16384" \
7222 "$P_CLI force_version=tls1_2 \
7223 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
7224 trunc_hmac=1" \
7225 0 \
7226 -c "Read from server: 16384 bytes read"
7227
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7228run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
7229 "$P_SRV response_size=16384 trunc_hmac=1" \
7230 "$P_CLI force_version=tls1_2 \
7231 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
7232 0 \
7233 -s "16384 bytes written in 1 fragments" \
7234 -c "Read from server: 16384 bytes read"
7235
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7236run_test "Large server packet TLS 1.2 StreamCipher" \
7237 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7238 "$P_CLI force_version=tls1_2 \
7239 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7240 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7241 -s "16384 bytes written in 1 fragments" \
7242 -c "Read from server: 16384 bytes read"
7243
7244run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
7245 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7246 "$P_CLI force_version=tls1_2 \
7247 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
7248 0 \
7249 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7250 -c "Read from server: 16384 bytes read"
7251
7252requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7253run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
7254 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7255 "$P_CLI force_version=tls1_2 \
7256 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
7257 trunc_hmac=1" \
7258 0 \
7259 -c "Read from server: 16384 bytes read"
7260
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7261requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7262run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
7263 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7264 "$P_CLI force_version=tls1_2 \
7265 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
7266 0 \
7267 -s "16384 bytes written in 1 fragments" \
7268 -c "Read from server: 16384 bytes read"
7269
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7270run_test "Large server packet TLS 1.2 AEAD" \
7271 "$P_SRV response_size=16384" \
7272 "$P_CLI force_version=tls1_2 \
7273 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
7274 0 \
7275 -c "Read from server: 16384 bytes read"
7276
7277run_test "Large server packet TLS 1.2 AEAD shorter tag" \
7278 "$P_SRV response_size=16384" \
7279 "$P_CLI force_version=tls1_2 \
7280 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
7281 0 \
7282 -c "Read from server: 16384 bytes read"
7283
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7284# Tests for restartable ECC
7285
7286requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7287run_test "EC restart: TLS, default" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7288 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7289 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7290 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7291 debug_level=1" \
7292 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7293 -C "x509_verify_cert.*4b00" \
7294 -C "mbedtls_pk_verify.*4b00" \
7295 -C "mbedtls_ecdh_make_public.*4b00" \
7296 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7297
7298requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7299run_test "EC restart: TLS, max_ops=0" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7300 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7301 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7302 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7303 debug_level=1 ec_max_ops=0" \
7304 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7305 -C "x509_verify_cert.*4b00" \
7306 -C "mbedtls_pk_verify.*4b00" \
7307 -C "mbedtls_ecdh_make_public.*4b00" \
7308 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7309
7310requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7311run_test "EC restart: TLS, max_ops=65535" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7312 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7313 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7314 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7315 debug_level=1 ec_max_ops=65535" \
7316 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7317 -C "x509_verify_cert.*4b00" \
7318 -C "mbedtls_pk_verify.*4b00" \
7319 -C "mbedtls_ecdh_make_public.*4b00" \
7320 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7321
7322requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7323run_test "EC restart: TLS, max_ops=1000" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7324 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7325 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7326 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7327 debug_level=1 ec_max_ops=1000" \
7328 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7329 -c "x509_verify_cert.*4b00" \
7330 -c "mbedtls_pk_verify.*4b00" \
7331 -c "mbedtls_ecdh_make_public.*4b00" \
7332 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7333
7334requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]7335run_test "EC restart: TLS, max_ops=1000, badsign" \
7336 "$P_SRV auth_mode=required \
7337 crt_file=data_files/server5-badsign.crt \
7338 key_file=data_files/server5.key" \
7339 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7340 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7341 debug_level=1 ec_max_ops=1000" \
7342 1 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7343 -c "x509_verify_cert.*4b00" \
7344 -C "mbedtls_pk_verify.*4b00" \
7345 -C "mbedtls_ecdh_make_public.*4b00" \
7346 -C "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]7347 -c "! The certificate is not correctly signed by the trusted CA" \
7348 -c "! mbedtls_ssl_handshake returned" \
7349 -c "X509 - Certificate verification failed"
7350
7351requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7352run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
7353 "$P_SRV auth_mode=required \
7354 crt_file=data_files/server5-badsign.crt \
7355 key_file=data_files/server5.key" \
7356 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7357 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7358 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
7359 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7360 -c "x509_verify_cert.*4b00" \
7361 -c "mbedtls_pk_verify.*4b00" \
7362 -c "mbedtls_ecdh_make_public.*4b00" \
7363 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]7364 -c "! The certificate is not correctly signed by the trusted CA" \
7365 -C "! mbedtls_ssl_handshake returned" \
7366 -C "X509 - Certificate verification failed"
7367
7368requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7369run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
7370 "$P_SRV auth_mode=required \
7371 crt_file=data_files/server5-badsign.crt \
7372 key_file=data_files/server5.key" \
7373 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7374 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7375 debug_level=1 ec_max_ops=1000 auth_mode=none" \
7376 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7377 -C "x509_verify_cert.*4b00" \
7378 -c "mbedtls_pk_verify.*4b00" \
7379 -c "mbedtls_ecdh_make_public.*4b00" \
7380 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]7381 -C "! The certificate is not correctly signed by the trusted CA" \
7382 -C "! mbedtls_ssl_handshake returned" \
7383 -C "X509 - Certificate verification failed"
7384
7385requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7386run_test "EC restart: DTLS, max_ops=1000" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7387 "$P_SRV auth_mode=required dtls=1" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7388 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7389 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7390 dtls=1 debug_level=1 ec_max_ops=1000" \
7391 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7392 -c "x509_verify_cert.*4b00" \
7393 -c "mbedtls_pk_verify.*4b00" \
7394 -c "mbedtls_ecdh_make_public.*4b00" \
7395 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7396
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]7397requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7398run_test "EC restart: TLS, max_ops=1000 no client auth" \
7399 "$P_SRV" \
7400 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7401 debug_level=1 ec_max_ops=1000" \
7402 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7403 -c "x509_verify_cert.*4b00" \
7404 -c "mbedtls_pk_verify.*4b00" \
7405 -c "mbedtls_ecdh_make_public.*4b00" \
7406 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]7407
7408requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7409run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
7410 "$P_SRV psk=abc123" \
7411 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
7412 psk=abc123 debug_level=1 ec_max_ops=1000" \
7413 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7414 -C "x509_verify_cert.*4b00" \
7415 -C "mbedtls_pk_verify.*4b00" \
7416 -C "mbedtls_ecdh_make_public.*4b00" \
7417 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]7418
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7419# Tests of asynchronous private key support in SSL
7420
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7421requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7422run_test "SSL async private: sign, delay=0" \
7423 "$P_SRV \
7424 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7425 "$P_CLI" \
7426 0 \
7427 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7428 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7429
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7430requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7431run_test "SSL async private: sign, delay=1" \
7432 "$P_SRV \
7433 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7434 "$P_CLI" \
7435 0 \
7436 -s "Async sign callback: using key slot " \
7437 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7438 -s "Async resume (slot [0-9]): sign done, status=0"
7439
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]7440requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7441run_test "SSL async private: sign, delay=2" \
7442 "$P_SRV \
7443 async_operations=s async_private_delay1=2 async_private_delay2=2" \
7444 "$P_CLI" \
7445 0 \
7446 -s "Async sign callback: using key slot " \
7447 -U "Async sign callback: using key slot " \
7448 -s "Async resume (slot [0-9]): call 1 more times." \
7449 -s "Async resume (slot [0-9]): call 0 more times." \
7450 -s "Async resume (slot [0-9]): sign done, status=0"
7451
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]7452# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
7453# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
7454requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7455requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7456run_test "SSL async private: sign, RSA, TLS 1.1" \
7457 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
7458 async_operations=s async_private_delay1=0 async_private_delay2=0" \
7459 "$P_CLI force_version=tls1_1" \
7460 0 \
7461 -s "Async sign callback: using key slot " \
7462 -s "Async resume (slot [0-9]): sign done, status=0"
7463
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7464requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]7465run_test "SSL async private: sign, SNI" \
7466 "$P_SRV debug_level=3 \
7467 async_operations=s async_private_delay1=0 async_private_delay2=0 \
7468 crt_file=data_files/server5.crt key_file=data_files/server5.key \
7469 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
7470 "$P_CLI server_name=polarssl.example" \
7471 0 \
7472 -s "Async sign callback: using key slot " \
7473 -s "Async resume (slot [0-9]): sign done, status=0" \
7474 -s "parse ServerName extension" \
7475 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
7476 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
7477
7478requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7479run_test "SSL async private: decrypt, delay=0" \
7480 "$P_SRV \
7481 async_operations=d async_private_delay1=0 async_private_delay2=0" \
7482 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7483 0 \
7484 -s "Async decrypt callback: using key slot " \
7485 -s "Async resume (slot [0-9]): decrypt done, status=0"
7486
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7487requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7488run_test "SSL async private: decrypt, delay=1" \
7489 "$P_SRV \
7490 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7491 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7492 0 \
7493 -s "Async decrypt callback: using key slot " \
7494 -s "Async resume (slot [0-9]): call 0 more times." \
7495 -s "Async resume (slot [0-9]): decrypt done, status=0"
7496
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7497requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7498run_test "SSL async private: decrypt RSA-PSK, delay=0" \
7499 "$P_SRV psk=abc123 \
7500 async_operations=d async_private_delay1=0 async_private_delay2=0" \
7501 "$P_CLI psk=abc123 \
7502 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
7503 0 \
7504 -s "Async decrypt callback: using key slot " \
7505 -s "Async resume (slot [0-9]): decrypt done, status=0"
7506
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7507requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7508run_test "SSL async private: decrypt RSA-PSK, delay=1" \
7509 "$P_SRV psk=abc123 \
7510 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7511 "$P_CLI psk=abc123 \
7512 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
7513 0 \
7514 -s "Async decrypt callback: using key slot " \
7515 -s "Async resume (slot [0-9]): call 0 more times." \
7516 -s "Async resume (slot [0-9]): decrypt done, status=0"
7517
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7518requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7519run_test "SSL async private: sign callback not present" \
7520 "$P_SRV \
7521 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7522 "$P_CLI; [ \$? -eq 1 ] &&
7523 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7524 0 \
7525 -S "Async sign callback" \
7526 -s "! mbedtls_ssl_handshake returned" \
7527 -s "The own private key or pre-shared key is not set, but needed" \
7528 -s "Async resume (slot [0-9]): decrypt done, status=0" \
7529 -s "Successful connection"
7530
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7531requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7532run_test "SSL async private: decrypt callback not present" \
7533 "$P_SRV debug_level=1 \
7534 async_operations=s async_private_delay1=1 async_private_delay2=1" \
7535 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
7536 [ \$? -eq 1 ] && $P_CLI" \
7537 0 \
7538 -S "Async decrypt callback" \
7539 -s "! mbedtls_ssl_handshake returned" \
7540 -s "got no RSA private key" \
7541 -s "Async resume (slot [0-9]): sign done, status=0" \
7542 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7543
7544# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7545requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7546run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7547 "$P_SRV \
7548 async_operations=s async_private_delay1=1 \
7549 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7550 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7551 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
7552 0 \
7553 -s "Async sign callback: using key slot 0," \
7554 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7555 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7556
7557# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7558requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7559run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7560 "$P_SRV \
7561 async_operations=s async_private_delay2=1 \
7562 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7563 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7564 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7565 0 \
7566 -s "Async sign callback: using key slot 0," \
7567 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7568 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7569
7570# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7571requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]7572run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7573 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]7574 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7575 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7576 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7577 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7578 0 \
7579 -s "Async sign callback: using key slot 1," \
7580 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7581 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7582
7583# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7584requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7585run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7586 "$P_SRV \
7587 async_operations=s async_private_delay1=1 \
7588 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7589 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7590 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7591 0 \
7592 -s "Async sign callback: no key matches this certificate."
7593
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7594requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7595run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7596 "$P_SRV \
7597 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7598 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7599 "$P_CLI" \
7600 1 \
7601 -s "Async sign callback: injected error" \
7602 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]7603 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7604 -s "! mbedtls_ssl_handshake returned"
7605
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7606requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7607run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7608 "$P_SRV \
7609 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7610 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7611 "$P_CLI" \
7612 1 \
7613 -s "Async sign callback: using key slot " \
7614 -S "Async resume" \
7615 -s "Async cancel"
7616
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7617requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7618run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7619 "$P_SRV \
7620 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7621 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7622 "$P_CLI" \
7623 1 \
7624 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7625 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]7626 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7627 -s "! mbedtls_ssl_handshake returned"
7628
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7629requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7630run_test "SSL async private: decrypt, error in start" \
7631 "$P_SRV \
7632 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7633 async_private_error=1" \
7634 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7635 1 \
7636 -s "Async decrypt callback: injected error" \
7637 -S "Async resume" \
7638 -S "Async cancel" \
7639 -s "! mbedtls_ssl_handshake returned"
7640
7641requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7642run_test "SSL async private: decrypt, cancel after start" \
7643 "$P_SRV \
7644 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7645 async_private_error=2" \
7646 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7647 1 \
7648 -s "Async decrypt callback: using key slot " \
7649 -S "Async resume" \
7650 -s "Async cancel"
7651
7652requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7653run_test "SSL async private: decrypt, error in resume" \
7654 "$P_SRV \
7655 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7656 async_private_error=3" \
7657 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7658 1 \
7659 -s "Async decrypt callback: using key slot " \
7660 -s "Async resume callback: decrypt done but injected error" \
7661 -S "Async cancel" \
7662 -s "! mbedtls_ssl_handshake returned"
7663
7664requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7665run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7666 "$P_SRV \
7667 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7668 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7669 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
7670 0 \
7671 -s "Async cancel" \
7672 -s "! mbedtls_ssl_handshake returned" \
7673 -s "Async resume" \
7674 -s "Successful connection"
7675
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7676requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7677run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7678 "$P_SRV \
7679 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7680 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7681 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
7682 0 \
7683 -s "! mbedtls_ssl_handshake returned" \
7684 -s "Async resume" \
7685 -s "Successful connection"
7686
7687# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7688requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7689run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7690 "$P_SRV \
7691 async_operations=s async_private_delay1=1 async_private_error=-2 \
7692 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7693 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7694 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
7695 [ \$? -eq 1 ] &&
7696 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7697 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]7698 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7699 -S "Async resume" \
7700 -s "Async cancel" \
7701 -s "! mbedtls_ssl_handshake returned" \
7702 -s "Async sign callback: no key matches this certificate." \
7703 -s "Successful connection"
7704
7705# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7706requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7707run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7708 "$P_SRV \
7709 async_operations=s async_private_delay1=1 async_private_error=-3 \
7710 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7711 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7712 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
7713 [ \$? -eq 1 ] &&
7714 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7715 0 \
7716 -s "Async resume" \
7717 -s "! mbedtls_ssl_handshake returned" \
7718 -s "Async sign callback: no key matches this certificate." \
7719 -s "Successful connection"
7720
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7721requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7722requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]7723run_test "SSL async private: renegotiation: client-initiated, sign" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7724 "$P_SRV \
7725 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7726 exchanges=2 renegotiation=1" \
7727 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
7728 0 \
7729 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7730 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7731
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7732requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7733requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]7734run_test "SSL async private: renegotiation: server-initiated, sign" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7735 "$P_SRV \
7736 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7737 exchanges=2 renegotiation=1 renegotiate=1" \
7738 "$P_CLI exchanges=2 renegotiation=1" \
7739 0 \
7740 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7741 -s "Async resume (slot [0-9]): sign done, status=0"
7742
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7743requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7744requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]7745run_test "SSL async private: renegotiation: client-initiated, decrypt" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7746 "$P_SRV \
7747 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7748 exchanges=2 renegotiation=1" \
7749 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
7750 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7751 0 \
7752 -s "Async decrypt callback: using key slot " \
7753 -s "Async resume (slot [0-9]): decrypt done, status=0"
7754
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7755requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7756requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]7757run_test "SSL async private: renegotiation: server-initiated, decrypt" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7758 "$P_SRV \
7759 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7760 exchanges=2 renegotiation=1 renegotiate=1" \
7761 "$P_CLI exchanges=2 renegotiation=1 \
7762 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7763 0 \
7764 -s "Async decrypt callback: using key slot " \
7765 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7766
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7767# Tests for ECC extensions (rfc 4492)
7768
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7769requires_config_enabled MBEDTLS_AES_C
7770requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7771requires_config_enabled MBEDTLS_SHA256_C
7772requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7773run_test "Force a non ECC ciphersuite in the client side" \
7774 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7775 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7776 0 \
7777 -C "client hello, adding supported_elliptic_curves extension" \
7778 -C "client hello, adding supported_point_formats extension" \
7779 -S "found supported elliptic curves extension" \
7780 -S "found supported point formats extension"
7781
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7782requires_config_enabled MBEDTLS_AES_C
7783requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7784requires_config_enabled MBEDTLS_SHA256_C
7785requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7786run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7787 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7788 "$P_CLI debug_level=3" \
7789 0 \
7790 -C "found supported_point_formats extension" \
7791 -S "server hello, supported_point_formats extension"
7792
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7793requires_config_enabled MBEDTLS_AES_C
7794requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7795requires_config_enabled MBEDTLS_SHA256_C
7796requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7797run_test "Force an ECC ciphersuite in the client side" \
7798 "$P_SRV debug_level=3" \
7799 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
7800 0 \
7801 -c "client hello, adding supported_elliptic_curves extension" \
7802 -c "client hello, adding supported_point_formats extension" \
7803 -s "found supported elliptic curves extension" \
7804 -s "found supported point formats extension"
7805
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7806requires_config_enabled MBEDTLS_AES_C
7807requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7808requires_config_enabled MBEDTLS_SHA256_C
7809requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7810run_test "Force an ECC ciphersuite in the server side" \
7811 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
7812 "$P_CLI debug_level=3" \
7813 0 \
7814 -c "found supported_point_formats extension" \
7815 -s "server hello, supported_point_formats extension"
7816
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7817# Tests for DTLS HelloVerifyRequest
7818
7819run_test "DTLS cookie: enabled" \
7820 "$P_SRV dtls=1 debug_level=2" \
7821 "$P_CLI dtls=1 debug_level=2" \
7822 0 \
7823 -s "cookie verification failed" \
7824 -s "cookie verification passed" \
7825 -S "cookie verification skipped" \
7826 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7827 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7828 -S "SSL - The requested feature is not available"
7829
7830run_test "DTLS cookie: disabled" \
7831 "$P_SRV dtls=1 debug_level=2 cookies=0" \
7832 "$P_CLI dtls=1 debug_level=2" \
7833 0 \
7834 -S "cookie verification failed" \
7835 -S "cookie verification passed" \
7836 -s "cookie verification skipped" \
7837 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7838 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7839 -S "SSL - The requested feature is not available"
7840
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7841run_test "DTLS cookie: default (failing)" \
7842 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
7843 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
7844 1 \
7845 -s "cookie verification failed" \
7846 -S "cookie verification passed" \
7847 -S "cookie verification skipped" \
7848 -C "received hello verify request" \
7849 -S "hello verification requested" \
7850 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7851
7852requires_ipv6
7853run_test "DTLS cookie: enabled, IPv6" \
7854 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
7855 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
7856 0 \
7857 -s "cookie verification failed" \
7858 -s "cookie verification passed" \
7859 -S "cookie verification skipped" \
7860 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7861 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7862 -S "SSL - The requested feature is not available"
7863
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]7864run_test "DTLS cookie: enabled, nbio" \
7865 "$P_SRV dtls=1 nbio=2 debug_level=2" \
7866 "$P_CLI dtls=1 nbio=2 debug_level=2" \
7867 0 \
7868 -s "cookie verification failed" \
7869 -s "cookie verification passed" \
7870 -S "cookie verification skipped" \
7871 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7872 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]7873 -S "SSL - The requested feature is not available"
7874
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7875# Tests for client reconnecting from the same port with DTLS
7876
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7877not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7878run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]7879 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
7880 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7881 0 \
7882 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7883 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7884 -S "Client initiated reconnection from same port"
7885
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7886not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7887run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]7888 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
7889 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7890 0 \
7891 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7892 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7893 -s "Client initiated reconnection from same port"
7894
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7895not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
7896run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7897 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
7898 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7899 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7900 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7901 -s "Client initiated reconnection from same port"
7902
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7903only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
7904run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
7905 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
7906 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
7907 0 \
7908 -S "The operation timed out" \
7909 -s "Client initiated reconnection from same port"
7910
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7911run_test "DTLS client reconnect from same port: no cookies" \
7912 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]7913 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
7914 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7915 -s "The operation timed out" \
7916 -S "Client initiated reconnection from same port"
7917
Manuel Pégourié-Gonnardbaad2de2020-03-13 11:11:02 +0100[diff] [blame]7918run_test "DTLS client reconnect from same port: attacker-injected" \
7919 -p "$P_PXY inject_clihlo=1" \
7920 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
7921 "$P_CLI dtls=1 exchanges=2" \
7922 0 \
7923 -s "possible client reconnect from the same port" \
7924 -S "Client initiated reconnection from same port"
7925
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7926# Tests for various cases of client authentication with DTLS
7927# (focused on handshake flows and message parsing)
7928
7929run_test "DTLS client auth: required" \
7930 "$P_SRV dtls=1 auth_mode=required" \
7931 "$P_CLI dtls=1" \
7932 0 \
7933 -s "Verifying peer X.509 certificate... ok"
7934
7935run_test "DTLS client auth: optional, client has no cert" \
7936 "$P_SRV dtls=1 auth_mode=optional" \
7937 "$P_CLI dtls=1 crt_file=none key_file=none" \
7938 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7939 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7940
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7941run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7942 "$P_SRV dtls=1 auth_mode=none" \
7943 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
7944 0 \
7945 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7946 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7947
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]7948run_test "DTLS wrong PSK: badmac alert" \
7949 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
7950 "$P_CLI dtls=1 psk=abc124" \
7951 1 \
7952 -s "SSL - Verification of the message MAC failed" \
7953 -c "SSL - A fatal alert message was received from our peer"
7954
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7955# Tests for receiving fragmented handshake messages with DTLS
7956
7957requires_gnutls
7958run_test "DTLS reassembly: no fragmentation (gnutls server)" \
7959 "$G_SRV -u --mtu 2048 -a" \
7960 "$P_CLI dtls=1 debug_level=2" \
7961 0 \
7962 -C "found fragmented DTLS handshake message" \
7963 -C "error"
7964
7965requires_gnutls
7966run_test "DTLS reassembly: some fragmentation (gnutls server)" \
7967 "$G_SRV -u --mtu 512" \
7968 "$P_CLI dtls=1 debug_level=2" \
7969 0 \
7970 -c "found fragmented DTLS handshake message" \
7971 -C "error"
7972
7973requires_gnutls
7974run_test "DTLS reassembly: more fragmentation (gnutls server)" \
7975 "$G_SRV -u --mtu 128" \
7976 "$P_CLI dtls=1 debug_level=2" \
7977 0 \
7978 -c "found fragmented DTLS handshake message" \
7979 -C "error"
7980
7981requires_gnutls
7982run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
7983 "$G_SRV -u --mtu 128" \
7984 "$P_CLI dtls=1 nbio=2 debug_level=2" \
7985 0 \
7986 -c "found fragmented DTLS handshake message" \
7987 -C "error"
7988
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7989requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7990requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7991run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
7992 "$G_SRV -u --mtu 256" \
7993 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
7994 0 \
7995 -c "found fragmented DTLS handshake message" \
7996 -c "client hello, adding renegotiation extension" \
7997 -c "found renegotiation extension" \
7998 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7999 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]8000 -C "error" \
8001 -s "Extra-header:"
8002
8003requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8004requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]8005run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
8006 "$G_SRV -u --mtu 256" \
8007 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
8008 0 \
8009 -c "found fragmented DTLS handshake message" \
8010 -c "client hello, adding renegotiation extension" \
8011 -c "found renegotiation extension" \
8012 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]8013 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]8014 -C "error" \
8015 -s "Extra-header:"
8016
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8017run_test "DTLS reassembly: no fragmentation (openssl server)" \
8018 "$O_SRV -dtls1 -mtu 2048" \
8019 "$P_CLI dtls=1 debug_level=2" \
8020 0 \
8021 -C "found fragmented DTLS handshake message" \
8022 -C "error"
8023
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8024run_test "DTLS reassembly: some fragmentation (openssl server)" \
8025 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]8026 "$P_CLI dtls=1 debug_level=2" \
8027 0 \
8028 -c "found fragmented DTLS handshake message" \
8029 -C "error"
8030
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8031run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]8032 "$O_SRV -dtls1 -mtu 256" \
8033 "$P_CLI dtls=1 debug_level=2" \
8034 0 \
8035 -c "found fragmented DTLS handshake message" \
8036 -C "error"
8037
8038run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
8039 "$O_SRV -dtls1 -mtu 256" \
8040 "$P_CLI dtls=1 nbio=2 debug_level=2" \
8041 0 \
8042 -c "found fragmented DTLS handshake message" \
8043 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8044
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8045# Tests for sending fragmented handshake messages with DTLS
8046#
8047# Use client auth when we need the client to send large messages,
8048# and use large cert chains on both sides too (the long chains we have all use
8049# both RSA and ECDSA, but ideally we should have long chains with either).
8050# Sizes reached (UDP payload):
8051# - 2037B for server certificate
8052# - 1542B for client certificate
8053# - 1013B for newsessionticket
8054# - all others below 512B
8055# All those tests assume MAX_CONTENT_LEN is at least 2048
8056
8057requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8058requires_config_enabled MBEDTLS_RSA_C
8059requires_config_enabled MBEDTLS_ECDSA_C
8060requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8061requires_max_content_len 4096
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8062run_test "DTLS fragmenting: none (for reference)" \
8063 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8064 crt_file=data_files/server7_int-ca.crt \
8065 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8066 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8067 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8068 "$P_CLI dtls=1 debug_level=2 \
8069 crt_file=data_files/server8_int-ca2.crt \
8070 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8071 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8072 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8073 0 \
8074 -S "found fragmented DTLS handshake message" \
8075 -C "found fragmented DTLS handshake message" \
8076 -C "error"
8077
8078requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8079requires_config_enabled MBEDTLS_RSA_C
8080requires_config_enabled MBEDTLS_ECDSA_C
8081requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8082requires_max_content_len 2048
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8083run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8084 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8085 crt_file=data_files/server7_int-ca.crt \
8086 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8087 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8088 max_frag_len=1024" \
8089 "$P_CLI dtls=1 debug_level=2 \
8090 crt_file=data_files/server8_int-ca2.crt \
8091 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8092 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8093 max_frag_len=2048" \
8094 0 \
8095 -S "found fragmented DTLS handshake message" \
8096 -c "found fragmented DTLS handshake message" \
8097 -C "error"
8098
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]8099# With the MFL extension, the server has no way of forcing
8100# the client to not exceed a certain MTU; hence, the following
8101# test can't be replicated with an MTU proxy such as the one
8102# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8103requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8104requires_config_enabled MBEDTLS_RSA_C
8105requires_config_enabled MBEDTLS_ECDSA_C
8106requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8107requires_max_content_len 4096
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8108run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8109 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8110 crt_file=data_files/server7_int-ca.crt \
8111 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8112 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8113 max_frag_len=512" \
8114 "$P_CLI dtls=1 debug_level=2 \
8115 crt_file=data_files/server8_int-ca2.crt \
8116 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8117 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]8118 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8119 0 \
8120 -S "found fragmented DTLS handshake message" \
8121 -c "found fragmented DTLS handshake message" \
8122 -C "error"
8123
8124requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8125requires_config_enabled MBEDTLS_RSA_C
8126requires_config_enabled MBEDTLS_ECDSA_C
8127requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8128requires_max_content_len 2048
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8129run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8130 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
8131 crt_file=data_files/server7_int-ca.crt \
8132 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8133 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8134 max_frag_len=2048" \
8135 "$P_CLI dtls=1 debug_level=2 \
8136 crt_file=data_files/server8_int-ca2.crt \
8137 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8138 hs_timeout=2500-60000 \
8139 max_frag_len=1024" \
8140 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8141 -S "found fragmented DTLS handshake message" \
8142 -c "found fragmented DTLS handshake message" \
8143 -C "error"
8144
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8145# While not required by the standard defining the MFL extension
8146# (according to which it only applies to records, not to datagrams),
8147# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
8148# as otherwise there wouldn't be any means to communicate MTU restrictions
8149# to the peer.
8150# The next test checks that no datagrams significantly larger than the
8151# negotiated MFL are sent.
8152requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8153requires_config_enabled MBEDTLS_RSA_C
8154requires_config_enabled MBEDTLS_ECDSA_C
8155requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8156requires_max_content_len 2048
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8157run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]8158 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8159 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
8160 crt_file=data_files/server7_int-ca.crt \
8161 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8162 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8163 max_frag_len=2048" \
8164 "$P_CLI dtls=1 debug_level=2 \
8165 crt_file=data_files/server8_int-ca2.crt \
8166 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8167 hs_timeout=2500-60000 \
8168 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8169 0 \
8170 -S "found fragmented DTLS handshake message" \
8171 -c "found fragmented DTLS handshake message" \
8172 -C "error"
8173
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8174requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8175requires_config_enabled MBEDTLS_RSA_C
8176requires_config_enabled MBEDTLS_ECDSA_C
8177requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8178requires_max_content_len 2048
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8179run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8180 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8181 crt_file=data_files/server7_int-ca.crt \
8182 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8183 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8184 max_frag_len=2048" \
8185 "$P_CLI dtls=1 debug_level=2 \
8186 crt_file=data_files/server8_int-ca2.crt \
8187 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8188 hs_timeout=2500-60000 \
8189 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8190 0 \
8191 -s "found fragmented DTLS handshake message" \
8192 -c "found fragmented DTLS handshake message" \
8193 -C "error"
8194
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8195# While not required by the standard defining the MFL extension
8196# (according to which it only applies to records, not to datagrams),
8197# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
8198# as otherwise there wouldn't be any means to communicate MTU restrictions
8199# to the peer.
8200# The next test checks that no datagrams significantly larger than the
8201# negotiated MFL are sent.
8202requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8203requires_config_enabled MBEDTLS_RSA_C
8204requires_config_enabled MBEDTLS_ECDSA_C
8205requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8206requires_max_content_len 2048
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8207run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]8208 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8209 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8210 crt_file=data_files/server7_int-ca.crt \
8211 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8212 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8213 max_frag_len=2048" \
8214 "$P_CLI dtls=1 debug_level=2 \
8215 crt_file=data_files/server8_int-ca2.crt \
8216 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8217 hs_timeout=2500-60000 \
8218 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8219 0 \
8220 -s "found fragmented DTLS handshake message" \
8221 -c "found fragmented DTLS handshake message" \
8222 -C "error"
8223
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8224requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8225requires_config_enabled MBEDTLS_RSA_C
8226requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8227requires_max_content_len 4096
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8228run_test "DTLS fragmenting: none (for reference) (MTU)" \
8229 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8230 crt_file=data_files/server7_int-ca.crt \
8231 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8232 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8233 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8234 "$P_CLI dtls=1 debug_level=2 \
8235 crt_file=data_files/server8_int-ca2.crt \
8236 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8237 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8238 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8239 0 \
8240 -S "found fragmented DTLS handshake message" \
8241 -C "found fragmented DTLS handshake message" \
8242 -C "error"
8243
8244requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8245requires_config_enabled MBEDTLS_RSA_C
8246requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8247requires_max_content_len 4096
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8248run_test "DTLS fragmenting: client (MTU)" \
8249 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8250 crt_file=data_files/server7_int-ca.crt \
8251 key_file=data_files/server7.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8252 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8253 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8254 "$P_CLI dtls=1 debug_level=2 \
8255 crt_file=data_files/server8_int-ca2.crt \
8256 key_file=data_files/server8.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8257 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8258 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8259 0 \
8260 -s "found fragmented DTLS handshake message" \
8261 -C "found fragmented DTLS handshake message" \
8262 -C "error"
8263
8264requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8265requires_config_enabled MBEDTLS_RSA_C
8266requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8267requires_max_content_len 2048
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8268run_test "DTLS fragmenting: server (MTU)" \
8269 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8270 crt_file=data_files/server7_int-ca.crt \
8271 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8272 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8273 mtu=512" \
8274 "$P_CLI dtls=1 debug_level=2 \
8275 crt_file=data_files/server8_int-ca2.crt \
8276 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8277 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8278 mtu=2048" \
8279 0 \
8280 -S "found fragmented DTLS handshake message" \
8281 -c "found fragmented DTLS handshake message" \
8282 -C "error"
8283
8284requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8285requires_config_enabled MBEDTLS_RSA_C
8286requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8287requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8288run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8289 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8290 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8291 crt_file=data_files/server7_int-ca.crt \
8292 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8293 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]8294 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8295 "$P_CLI dtls=1 debug_level=2 \
8296 crt_file=data_files/server8_int-ca2.crt \
8297 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8298 hs_timeout=2500-60000 \
8299 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8300 0 \
8301 -s "found fragmented DTLS handshake message" \
8302 -c "found fragmented DTLS handshake message" \
8303 -C "error"
8304
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8305# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8306requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8307requires_config_enabled MBEDTLS_RSA_C
8308requires_config_enabled MBEDTLS_ECDSA_C
8309requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8310requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8311requires_config_enabled MBEDTLS_AES_C
8312requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8313requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8314run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]8315 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]8316 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8317 crt_file=data_files/server7_int-ca.crt \
8318 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8319 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]8320 mtu=512" \
8321 "$P_CLI dtls=1 debug_level=2 \
8322 crt_file=data_files/server8_int-ca2.crt \
8323 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8324 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8325 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8326 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8327 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8328 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8329 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8330 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8331
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8332# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8333# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8334# The ratio of max/min timeout should ideally equal 4 to accept two
8335# retransmissions, but in some cases (like both the server and client using
8336# fragmentation and auto-reduction) an extra retransmission might occur,
8337# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]8338not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8339requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8340requires_config_enabled MBEDTLS_RSA_C
8341requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8342requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8343requires_config_enabled MBEDTLS_AES_C
8344requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8345requires_max_content_len 2048
Gilles Peskine0d8b86a2019-09-20 18:03:11 +0200[diff] [blame]8346run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8347 -p "$P_PXY mtu=508" \
8348 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8349 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8350 key_file=data_files/server7.key \
8351 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8352 "$P_CLI dtls=1 debug_level=2 \
8353 crt_file=data_files/server8_int-ca2.crt \
8354 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8355 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8356 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8357 0 \
8358 -s "found fragmented DTLS handshake message" \
8359 -c "found fragmented DTLS handshake message" \
8360 -C "error"
8361
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8362# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]8363only_with_valgrind
8364requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8365requires_config_enabled MBEDTLS_RSA_C
8366requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8367requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8368requires_config_enabled MBEDTLS_AES_C
8369requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8370requires_max_content_len 2048
Gilles Peskine0d8b86a2019-09-20 18:03:11 +0200[diff] [blame]8371run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]8372 -p "$P_PXY mtu=508" \
8373 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8374 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8375 key_file=data_files/server7.key \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]8376 hs_timeout=250-10000" \
8377 "$P_CLI dtls=1 debug_level=2 \
8378 crt_file=data_files/server8_int-ca2.crt \
8379 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8380 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]8381 hs_timeout=250-10000" \
8382 0 \
8383 -s "found fragmented DTLS handshake message" \
8384 -c "found fragmented DTLS handshake message" \
8385 -C "error"
8386
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8387# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]8388# OTOH the client might resend if the server is to slow to reset after sending
8389# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8390not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8391requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8392requires_config_enabled MBEDTLS_RSA_C
8393requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8394requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8395run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8396 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8397 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8398 crt_file=data_files/server7_int-ca.crt \
8399 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8400 hs_timeout=10000-60000 \
8401 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8402 "$P_CLI dtls=1 debug_level=2 \
8403 crt_file=data_files/server8_int-ca2.crt \
8404 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8405 hs_timeout=10000-60000 \
8406 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8407 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8408 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8409 -s "found fragmented DTLS handshake message" \
8410 -c "found fragmented DTLS handshake message" \
8411 -C "error"
8412
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8413# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8414# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
8415# OTOH the client might resend if the server is to slow to reset after sending
8416# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8417not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8418requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8419requires_config_enabled MBEDTLS_RSA_C
8420requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8421requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8422requires_config_enabled MBEDTLS_AES_C
8423requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8424requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8425run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8426 -p "$P_PXY mtu=512" \
8427 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8428 crt_file=data_files/server7_int-ca.crt \
8429 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8430 hs_timeout=10000-60000 \
8431 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8432 "$P_CLI dtls=1 debug_level=2 \
8433 crt_file=data_files/server8_int-ca2.crt \
8434 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8435 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8436 hs_timeout=10000-60000 \
8437 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8438 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8439 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8440 -s "found fragmented DTLS handshake message" \
8441 -c "found fragmented DTLS handshake message" \
8442 -C "error"
8443
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8444not_with_valgrind # spurious autoreduction due to timeout
8445requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8446requires_config_enabled MBEDTLS_RSA_C
8447requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8448requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8449run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8450 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8451 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8452 crt_file=data_files/server7_int-ca.crt \
8453 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8454 hs_timeout=10000-60000 \
8455 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8456 "$P_CLI dtls=1 debug_level=2 \
8457 crt_file=data_files/server8_int-ca2.crt \
8458 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8459 hs_timeout=10000-60000 \
8460 mtu=1024 nbio=2" \
8461 0 \
8462 -S "autoreduction" \
8463 -s "found fragmented DTLS handshake message" \
8464 -c "found fragmented DTLS handshake message" \
8465 -C "error"
8466
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8467# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8468not_with_valgrind # spurious autoreduction due to timeout
8469requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8470requires_config_enabled MBEDTLS_RSA_C
8471requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8472requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8473requires_config_enabled MBEDTLS_AES_C
8474requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8475requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8476run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
8477 -p "$P_PXY mtu=512" \
8478 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8479 crt_file=data_files/server7_int-ca.crt \
8480 key_file=data_files/server7.key \
8481 hs_timeout=10000-60000 \
8482 mtu=512 nbio=2" \
8483 "$P_CLI dtls=1 debug_level=2 \
8484 crt_file=data_files/server8_int-ca2.crt \
8485 key_file=data_files/server8.key \
8486 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8487 hs_timeout=10000-60000 \
8488 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8489 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8490 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8491 -s "found fragmented DTLS handshake message" \
8492 -c "found fragmented DTLS handshake message" \
8493 -C "error"
8494
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8495# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]8496# This ensures things still work after session_reset().
8497# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8498# Since we don't support reading fragmented ClientHello yet,
8499# up the MTU to 1450 (larger than ClientHello with session ticket,
8500# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8501# An autoreduction on the client-side might happen if the server is
8502# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]8503# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8504# resumed listening, which would result in a spurious autoreduction.
8505not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8506requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8507requires_config_enabled MBEDTLS_RSA_C
8508requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8509requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8510requires_config_enabled MBEDTLS_AES_C
8511requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8512requires_max_content_len 2048
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8513run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
8514 -p "$P_PXY mtu=1450" \
8515 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8516 crt_file=data_files/server7_int-ca.crt \
8517 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8518 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8519 mtu=1450" \
8520 "$P_CLI dtls=1 debug_level=2 \
8521 crt_file=data_files/server8_int-ca2.crt \
8522 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8523 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8524 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]8525 mtu=1450 reconnect=1 skip_close_notify=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8526 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8527 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8528 -s "found fragmented DTLS handshake message" \
8529 -c "found fragmented DTLS handshake message" \
8530 -C "error"
8531
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8532# An autoreduction on the client-side might happen if the server is
8533# slow to reset, therefore omitting '-C "autoreduction"' below.
8534not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8535requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8536requires_config_enabled MBEDTLS_RSA_C
8537requires_config_enabled MBEDTLS_ECDSA_C
8538requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8539requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8540requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8541requires_config_enabled MBEDTLS_CHACHAPOLY_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8542requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8543run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
8544 -p "$P_PXY mtu=512" \
8545 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8546 crt_file=data_files/server7_int-ca.crt \
8547 key_file=data_files/server7.key \
8548 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8549 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8550 mtu=512" \
8551 "$P_CLI dtls=1 debug_level=2 \
8552 crt_file=data_files/server8_int-ca2.crt \
8553 key_file=data_files/server8.key \
8554 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8555 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8556 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8557 mtu=512" \
8558 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8559 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8560 -s "found fragmented DTLS handshake message" \
8561 -c "found fragmented DTLS handshake message" \
8562 -C "error"
8563
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8564# An autoreduction on the client-side might happen if the server is
8565# slow to reset, therefore omitting '-C "autoreduction"' below.
8566not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8567requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8568requires_config_enabled MBEDTLS_RSA_C
8569requires_config_enabled MBEDTLS_ECDSA_C
8570requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8571requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8572requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8573requires_config_enabled MBEDTLS_AES_C
8574requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8575requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8576run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
8577 -p "$P_PXY mtu=512" \
8578 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8579 crt_file=data_files/server7_int-ca.crt \
8580 key_file=data_files/server7.key \
8581 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8582 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8583 mtu=512" \
8584 "$P_CLI dtls=1 debug_level=2 \
8585 crt_file=data_files/server8_int-ca2.crt \
8586 key_file=data_files/server8.key \
8587 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8588 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8589 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8590 mtu=512" \
8591 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8592 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8593 -s "found fragmented DTLS handshake message" \
8594 -c "found fragmented DTLS handshake message" \
8595 -C "error"
8596
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8597# An autoreduction on the client-side might happen if the server is
8598# slow to reset, therefore omitting '-C "autoreduction"' below.
8599not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8600requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8601requires_config_enabled MBEDTLS_RSA_C
8602requires_config_enabled MBEDTLS_ECDSA_C
8603requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8604requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8605requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8606requires_config_enabled MBEDTLS_AES_C
8607requires_config_enabled MBEDTLS_CCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8608requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8609run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8610 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8611 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8612 crt_file=data_files/server7_int-ca.crt \
8613 key_file=data_files/server7.key \
8614 exchanges=2 renegotiation=1 \
8615 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8616 hs_timeout=10000-60000 \
8617 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8618 "$P_CLI dtls=1 debug_level=2 \
8619 crt_file=data_files/server8_int-ca2.crt \
8620 key_file=data_files/server8.key \
8621 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8622 hs_timeout=10000-60000 \
8623 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8624 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8625 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8626 -s "found fragmented DTLS handshake message" \
8627 -c "found fragmented DTLS handshake message" \
8628 -C "error"
8629
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8630# An autoreduction on the client-side might happen if the server is
8631# slow to reset, therefore omitting '-C "autoreduction"' below.
8632not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8633requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8634requires_config_enabled MBEDTLS_RSA_C
8635requires_config_enabled MBEDTLS_ECDSA_C
8636requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8637requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8638requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8639requires_config_enabled MBEDTLS_AES_C
8640requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
8641requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8642requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8643run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8644 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8645 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8646 crt_file=data_files/server7_int-ca.crt \
8647 key_file=data_files/server7.key \
8648 exchanges=2 renegotiation=1 \
8649 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8650 hs_timeout=10000-60000 \
8651 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8652 "$P_CLI dtls=1 debug_level=2 \
8653 crt_file=data_files/server8_int-ca2.crt \
8654 key_file=data_files/server8.key \
8655 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8656 hs_timeout=10000-60000 \
8657 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8658 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8659 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8660 -s "found fragmented DTLS handshake message" \
8661 -c "found fragmented DTLS handshake message" \
8662 -C "error"
8663
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8664# An autoreduction on the client-side might happen if the server is
8665# slow to reset, therefore omitting '-C "autoreduction"' below.
8666not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8667requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8668requires_config_enabled MBEDTLS_RSA_C
8669requires_config_enabled MBEDTLS_ECDSA_C
8670requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8671requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8672requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8673requires_config_enabled MBEDTLS_AES_C
8674requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8675requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8676run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8677 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8678 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8679 crt_file=data_files/server7_int-ca.crt \
8680 key_file=data_files/server7.key \
8681 exchanges=2 renegotiation=1 \
8682 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8683 hs_timeout=10000-60000 \
8684 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8685 "$P_CLI dtls=1 debug_level=2 \
8686 crt_file=data_files/server8_int-ca2.crt \
8687 key_file=data_files/server8.key \
8688 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8689 hs_timeout=10000-60000 \
8690 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8691 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8692 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8693 -s "found fragmented DTLS handshake message" \
8694 -c "found fragmented DTLS handshake message" \
8695 -C "error"
8696
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8697# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8698requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8699requires_config_enabled MBEDTLS_RSA_C
8700requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8701requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8702requires_config_enabled MBEDTLS_AES_C
8703requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8704client_needs_more_time 2
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8705requires_max_content_len 2048
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8706run_test "DTLS fragmenting: proxy MTU + 3d" \
8707 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8708 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8709 crt_file=data_files/server7_int-ca.crt \
8710 key_file=data_files/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8711 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8712 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8713 crt_file=data_files/server8_int-ca2.crt \
8714 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8715 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8716 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8717 0 \
8718 -s "found fragmented DTLS handshake message" \
8719 -c "found fragmented DTLS handshake message" \
8720 -C "error"
8721
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8722# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8723requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8724requires_config_enabled MBEDTLS_RSA_C
8725requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8726requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8727requires_config_enabled MBEDTLS_AES_C
8728requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8729client_needs_more_time 2
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8730requires_max_content_len 2048
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8731run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
8732 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
8733 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8734 crt_file=data_files/server7_int-ca.crt \
8735 key_file=data_files/server7.key \
8736 hs_timeout=250-10000 mtu=512 nbio=2" \
8737 "$P_CLI dtls=1 debug_level=2 \
8738 crt_file=data_files/server8_int-ca2.crt \
8739 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8740 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8741 hs_timeout=250-10000 mtu=512 nbio=2" \
8742 0 \
8743 -s "found fragmented DTLS handshake message" \
8744 -c "found fragmented DTLS handshake message" \
8745 -C "error"
8746
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8747# interop tests for DTLS fragmentating with reliable connection
8748#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8749# here and below we just want to test that the we fragment in a way that
8750# pleases other implementations, so we don't need the peer to fragment
8751requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8752requires_config_enabled MBEDTLS_RSA_C
8753requires_config_enabled MBEDTLS_ECDSA_C
8754requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8755requires_gnutls
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8756requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8757run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
8758 "$G_SRV -u" \
8759 "$P_CLI dtls=1 debug_level=2 \
8760 crt_file=data_files/server8_int-ca2.crt \
8761 key_file=data_files/server8.key \
8762 mtu=512 force_version=dtls1_2" \
8763 0 \
8764 -c "fragmenting handshake message" \
8765 -C "error"
8766
8767requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8768requires_config_enabled MBEDTLS_RSA_C
8769requires_config_enabled MBEDTLS_ECDSA_C
8770requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8771requires_gnutls
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8772requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8773run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
8774 "$G_SRV -u" \
8775 "$P_CLI dtls=1 debug_level=2 \
8776 crt_file=data_files/server8_int-ca2.crt \
8777 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8778 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8779 0 \
8780 -c "fragmenting handshake message" \
8781 -C "error"
8782
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]8783# We use --insecure for the GnuTLS client because it expects
8784# the hostname / IP it connects to to be the name used in the
8785# certificate obtained from the server. Here, however, it
8786# connects to 127.0.0.1 while our test certificates use 'localhost'
8787# as the server name in the certificate. This will make the
8788# certifiate validation fail, but passing --insecure makes
8789# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8790requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8791requires_config_enabled MBEDTLS_RSA_C
8792requires_config_enabled MBEDTLS_ECDSA_C
8793requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8794requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]8795requires_not_i686
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8796requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8797run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8798 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8799 crt_file=data_files/server7_int-ca.crt \
8800 key_file=data_files/server7.key \
8801 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8802 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8803 0 \
8804 -s "fragmenting handshake message"
8805
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]8806# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8807requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8808requires_config_enabled MBEDTLS_RSA_C
8809requires_config_enabled MBEDTLS_ECDSA_C
8810requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8811requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]8812requires_not_i686
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8813requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8814run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8815 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8816 crt_file=data_files/server7_int-ca.crt \
8817 key_file=data_files/server7.key \
8818 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8819 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8820 0 \
8821 -s "fragmenting handshake message"
8822
8823requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8824requires_config_enabled MBEDTLS_RSA_C
8825requires_config_enabled MBEDTLS_ECDSA_C
8826requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8827requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8828run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
8829 "$O_SRV -dtls1_2 -verify 10" \
8830 "$P_CLI dtls=1 debug_level=2 \
8831 crt_file=data_files/server8_int-ca2.crt \
8832 key_file=data_files/server8.key \
8833 mtu=512 force_version=dtls1_2" \
8834 0 \
8835 -c "fragmenting handshake message" \
8836 -C "error"
8837
8838requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8839requires_config_enabled MBEDTLS_RSA_C
8840requires_config_enabled MBEDTLS_ECDSA_C
8841requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8842requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8843run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
8844 "$O_SRV -dtls1 -verify 10" \
8845 "$P_CLI dtls=1 debug_level=2 \
8846 crt_file=data_files/server8_int-ca2.crt \
8847 key_file=data_files/server8.key \
8848 mtu=512 force_version=dtls1" \
8849 0 \
8850 -c "fragmenting handshake message" \
8851 -C "error"
8852
8853requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8854requires_config_enabled MBEDTLS_RSA_C
8855requires_config_enabled MBEDTLS_ECDSA_C
8856requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8857requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8858run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
8859 "$P_SRV dtls=1 debug_level=2 \
8860 crt_file=data_files/server7_int-ca.crt \
8861 key_file=data_files/server7.key \
8862 mtu=512 force_version=dtls1_2" \
8863 "$O_CLI -dtls1_2" \
8864 0 \
8865 -s "fragmenting handshake message"
8866
8867requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8868requires_config_enabled MBEDTLS_RSA_C
8869requires_config_enabled MBEDTLS_ECDSA_C
8870requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8871requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8872run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
8873 "$P_SRV dtls=1 debug_level=2 \
8874 crt_file=data_files/server7_int-ca.crt \
8875 key_file=data_files/server7.key \
8876 mtu=512 force_version=dtls1" \
8877 "$O_CLI -dtls1" \
8878 0 \
8879 -s "fragmenting handshake message"
8880
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8881# interop tests for DTLS fragmentating with unreliable connection
8882#
8883# again we just want to test that the we fragment in a way that
8884# pleases other implementations, so we don't need the peer to fragment
8885requires_gnutls_next
8886requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8887requires_config_enabled MBEDTLS_RSA_C
8888requires_config_enabled MBEDTLS_ECDSA_C
8889requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8890client_needs_more_time 4
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8891requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8892run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
8893 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8894 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8895 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8896 crt_file=data_files/server8_int-ca2.crt \
8897 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8898 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8899 0 \
8900 -c "fragmenting handshake message" \
8901 -C "error"
8902
8903requires_gnutls_next
8904requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8905requires_config_enabled MBEDTLS_RSA_C
8906requires_config_enabled MBEDTLS_ECDSA_C
8907requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8908client_needs_more_time 4
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8909requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8910run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
8911 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8912 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8913 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8914 crt_file=data_files/server8_int-ca2.crt \
8915 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8916 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8917 0 \
8918 -c "fragmenting handshake message" \
8919 -C "error"
8920
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8921requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8922requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8923requires_config_enabled MBEDTLS_RSA_C
8924requires_config_enabled MBEDTLS_ECDSA_C
8925requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8926client_needs_more_time 4
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8927requires_max_content_len 2048
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8928run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
8929 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8930 "$P_SRV dtls=1 debug_level=2 \
8931 crt_file=data_files/server7_int-ca.crt \
8932 key_file=data_files/server7.key \
8933 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8934 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8935 0 \
8936 -s "fragmenting handshake message"
8937
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8938requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8939requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8940requires_config_enabled MBEDTLS_RSA_C
8941requires_config_enabled MBEDTLS_ECDSA_C
8942requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8943client_needs_more_time 4
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8944requires_max_content_len 2048
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8945run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
8946 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8947 "$P_SRV dtls=1 debug_level=2 \
8948 crt_file=data_files/server7_int-ca.crt \
8949 key_file=data_files/server7.key \
8950 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8951 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8952 0 \
8953 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8954
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8955## Interop test with OpenSSL might trigger a bug in recent versions (including
8956## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8957## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8958## They should be re-enabled once a fixed version of OpenSSL is available
8959## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8960skip_next_test
8961requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8962requires_config_enabled MBEDTLS_RSA_C
8963requires_config_enabled MBEDTLS_ECDSA_C
8964requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8965client_needs_more_time 4
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8966requires_max_content_len 2048
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8967run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
8968 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8969 "$O_SRV -dtls1_2 -verify 10" \
8970 "$P_CLI dtls=1 debug_level=2 \
8971 crt_file=data_files/server8_int-ca2.crt \
8972 key_file=data_files/server8.key \
8973 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8974 0 \
8975 -c "fragmenting handshake message" \
8976 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8977
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8978skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8979requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8980requires_config_enabled MBEDTLS_RSA_C
8981requires_config_enabled MBEDTLS_ECDSA_C
8982requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8983client_needs_more_time 4
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8984requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8985run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
8986 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8987 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8988 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8989 crt_file=data_files/server8_int-ca2.crt \
8990 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8991 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8992 0 \
8993 -c "fragmenting handshake message" \
8994 -C "error"
8995
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8996skip_next_test
8997requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8998requires_config_enabled MBEDTLS_RSA_C
8999requires_config_enabled MBEDTLS_ECDSA_C
9000requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
9001client_needs_more_time 4
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]9002requires_max_content_len 2048
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]9003run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
9004 -p "$P_PXY drop=8 delay=8 duplicate=8" \
9005 "$P_SRV dtls=1 debug_level=2 \
9006 crt_file=data_files/server7_int-ca.crt \
9007 key_file=data_files/server7.key \
9008 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
9009 "$O_CLI -dtls1_2" \
9010 0 \
9011 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]9012
9013# -nbio is added to prevent s_client from blocking in case of duplicated
9014# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]9015skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]9016requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
9017requires_config_enabled MBEDTLS_RSA_C
9018requires_config_enabled MBEDTLS_ECDSA_C
9019requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]9020client_needs_more_time 4
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]9021requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]9022run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
9023 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9024 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]9025 crt_file=data_files/server7_int-ca.crt \
9026 key_file=data_files/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]9027 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]9028 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]9029 0 \
9030 -s "fragmenting handshake message"
9031
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9032# Tests for DTLS-SRTP (RFC 5764)
9033requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9034run_test "DTLS-SRTP all profiles supported" \
9035 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9036 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9037 0 \
9038 -s "found use_srtp extension" \
9039 -s "found srtp profile" \
9040 -s "selected srtp profile" \
9041 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9042 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9043 -c "client hello, adding use_srtp extension" \
9044 -c "found use_srtp extension" \
9045 -c "found srtp profile" \
9046 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9047 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9048 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9049 -C "error"
9050
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9051
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9052requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9053run_test "DTLS-SRTP server supports all profiles. Client supports one profile." \
9054 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9055 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=5 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9056 0 \
9057 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9058 -s "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
9059 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9060 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9061 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9062 -c "client hello, adding use_srtp extension" \
9063 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9064 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9065 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9066 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9067 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9068 -C "error"
9069
9070requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9071run_test "DTLS-SRTP server supports one profile. Client supports all profiles." \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9072 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9073 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9074 0 \
9075 -s "found use_srtp extension" \
9076 -s "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9077 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9078 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9079 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9080 -c "client hello, adding use_srtp extension" \
9081 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9082 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9083 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9084 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9085 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9086 -C "error"
9087
9088requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9089run_test "DTLS-SRTP server and Client support only one matching profile." \
9090 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9091 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9092 0 \
9093 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9094 -s "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
9095 -s "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9096 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9097 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9098 -c "client hello, adding use_srtp extension" \
9099 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9100 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9101 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9102 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9103 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9104 -C "error"
9105
9106requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9107run_test "DTLS-SRTP server and Client support only one different profile." \
9108 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9109 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9110 0 \
9111 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9112 -s "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9113 -S "selected srtp profile" \
9114 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9115 -S "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9116 -c "client hello, adding use_srtp extension" \
9117 -C "found use_srtp extension" \
9118 -C "found srtp profile" \
9119 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9120 -C "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9121 -C "error"
9122
9123requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9124run_test "DTLS-SRTP server doesn't support use_srtp extension." \
9125 "$P_SRV dtls=1 debug_level=3" \
9126 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9127 0 \
9128 -s "found use_srtp extension" \
9129 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9130 -S "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9131 -c "client hello, adding use_srtp extension" \
9132 -C "found use_srtp extension" \
9133 -C "found srtp profile" \
9134 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9135 -C "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9136 -C "error"
9137
9138requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9139run_test "DTLS-SRTP all profiles supported. mki used" \
9140 "$P_SRV dtls=1 use_srtp=1 support_mki=1 debug_level=3" \
9141 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
9142 0 \
9143 -s "found use_srtp extension" \
9144 -s "found srtp profile" \
9145 -s "selected srtp profile" \
9146 -s "server hello, adding use_srtp extension" \
9147 -s "dumping 'using mki' (8 bytes)" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9148 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9149 -c "client hello, adding use_srtp extension" \
9150 -c "found use_srtp extension" \
9151 -c "found srtp profile" \
9152 -c "selected srtp profile" \
9153 -c "dumping 'sending mki' (8 bytes)" \
9154 -c "dumping 'received mki' (8 bytes)" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9155 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9156 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]9157 -g "find_in_both '^ *DTLS-SRTP mki value: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9158 -C "error"
9159
9160requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9161run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \
9162 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9163 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
9164 0 \
9165 -s "found use_srtp extension" \
9166 -s "found srtp profile" \
9167 -s "selected srtp profile" \
9168 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9169 -s "DTLS-SRTP key material is"\
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]9170 -s "DTLS-SRTP no mki value negotiated"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9171 -S "dumping 'using mki' (8 bytes)" \
9172 -c "client hello, adding use_srtp extension" \
9173 -c "found use_srtp extension" \
9174 -c "found srtp profile" \
9175 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9176 -c "DTLS-SRTP key material is"\
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]9177 -c "DTLS-SRTP no mki value negotiated"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9178 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9179 -c "dumping 'sending mki' (8 bytes)" \
9180 -C "dumping 'received mki' (8 bytes)" \
9181 -C "error"
9182
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9183requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9184run_test "DTLS-SRTP all profiles supported. openssl client." \
9185 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9186 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9187 0 \
9188 -s "found use_srtp extension" \
9189 -s "found srtp profile" \
9190 -s "selected srtp profile" \
9191 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9192 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9193 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9194 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_80"
9195
9196requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9197run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl client." \
9198 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9199 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9200 0 \
9201 -s "found use_srtp extension" \
9202 -s "found srtp profile" \
9203 -s "selected srtp profile" \
9204 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9205 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9206 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9207 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
9208
9209requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9210run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl client." \
9211 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9212 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9213 0 \
9214 -s "found use_srtp extension" \
9215 -s "found srtp profile" \
9216 -s "selected srtp profile" \
9217 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9218 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9219 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9220 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
9221
9222requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9223run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl client." \
9224 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9225 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9226 0 \
9227 -s "found use_srtp extension" \
9228 -s "found srtp profile" \
9229 -s "selected srtp profile" \
9230 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9231 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9232 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9233 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
9234
9235requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9236run_test "DTLS-SRTP server and Client support only one matching profile. openssl client." \
9237 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9238 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9239 0 \
9240 -s "found use_srtp extension" \
9241 -s "found srtp profile" \
9242 -s "selected srtp profile" \
9243 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9244 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9245 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9246 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
9247
9248requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9249run_test "DTLS-SRTP server and Client support only one different profile. openssl client." \
9250 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9251 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9252 0 \
9253 -s "found use_srtp extension" \
9254 -s "found srtp profile" \
9255 -S "selected srtp profile" \
9256 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9257 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9258 -C "SRTP Extension negotiated, profile"
9259
9260requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9261run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" \
9262 "$P_SRV dtls=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9263 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9264 0 \
9265 -s "found use_srtp extension" \
9266 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9267 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9268 -C "SRTP Extension negotiated, profile"
9269
9270requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9271run_test "DTLS-SRTP all profiles supported. openssl server" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9272 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9273 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9274 0 \
9275 -c "client hello, adding use_srtp extension" \
9276 -c "found use_srtp extension" \
9277 -c "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9278 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9279 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9280 -C "error"
9281
9282requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9283run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9284 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9285 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9286 0 \
9287 -c "client hello, adding use_srtp extension" \
9288 -c "found use_srtp extension" \
9289 -c "found srtp profile" \
9290 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9291 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9292 -C "error"
9293
9294requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9295run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9296 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9297 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9298 0 \
9299 -c "client hello, adding use_srtp extension" \
9300 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9301 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9302 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9303 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9304 -C "error"
9305
9306requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9307run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9308 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9309 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9310 0 \
9311 -c "client hello, adding use_srtp extension" \
9312 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9313 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9314 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9315 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9316 -C "error"
9317
9318requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9319run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9320 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9321 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9322 0 \
9323 -c "client hello, adding use_srtp extension" \
9324 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9325 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9326 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9327 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9328 -C "error"
9329
9330requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9331run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9332 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9333 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9334 0 \
9335 -c "client hello, adding use_srtp extension" \
9336 -C "found use_srtp extension" \
9337 -C "found srtp profile" \
9338 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9339 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9340 -C "error"
9341
9342requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9343run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \
9344 "$O_SRV -dtls1" \
9345 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9346 0 \
9347 -c "client hello, adding use_srtp extension" \
9348 -C "found use_srtp extension" \
9349 -C "found srtp profile" \
9350 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9351 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9352 -C "error"
9353
9354requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9355run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9356 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9357 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
9358 0 \
9359 -c "client hello, adding use_srtp extension" \
9360 -c "found use_srtp extension" \
9361 -c "found srtp profile" \
9362 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9363 -c "DTLS-SRTP key material is"\
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]9364 -c "DTLS-SRTP no mki value negotiated"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9365 -c "dumping 'sending mki' (8 bytes)" \
9366 -C "dumping 'received mki' (8 bytes)" \
9367 -C "error"
9368
9369requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9370requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9371run_test "DTLS-SRTP all profiles supported. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9372 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9373 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9374 0 \
9375 -s "found use_srtp extension" \
9376 -s "found srtp profile" \
9377 -s "selected srtp profile" \
9378 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9379 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9380 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_80"
9381
9382requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9383requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9384run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9385 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9386 "$G_CLI -u --srtp-profiles=SRTP_NULL_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9387 0 \
9388 -s "found use_srtp extension" \
9389 -s "found srtp profile" \
9390 -s "selected srtp profile" \
9391 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9392 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9393 -c "SRTP profile: SRTP_NULL_HMAC_SHA1_80"
9394
9395requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9396requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9397run_test "DTLS-SRTP server supports all profiles. Client supports one profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9398 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9399 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9400 0 \
9401 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9402 -s "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
9403 -s "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9404 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9405 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9406 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_32"
9407
9408requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9409requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9410run_test "DTLS-SRTP server supports one profile. Client supports all profiles. gnutls client." \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9411 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9412 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9413 0 \
9414 -s "found use_srtp extension" \
9415 -s "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9416 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9417 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9418 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9419 -c "SRTP profile: SRTP_NULL_SHA1_32"
9420
9421requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9422requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9423run_test "DTLS-SRTP server and Client support only one matching profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9424 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9425 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9426 0 \
9427 -s "found use_srtp extension" \
9428 -s "found srtp profile" \
9429 -s "selected srtp profile" \
9430 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9431 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9432 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_32"
9433
9434requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9435requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9436run_test "DTLS-SRTP server and Client support only one different profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9437 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \
9438 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9439 0 \
9440 -s "found use_srtp extension" \
9441 -s "found srtp profile" \
9442 -S "selected srtp profile" \
9443 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9444 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9445 -C "SRTP profile:"
9446
9447requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9448requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9449run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls client" \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9450 "$P_SRV dtls=1 debug_level=3" \
9451 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9452 0 \
9453 -s "found use_srtp extension" \
9454 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9455 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9456 -C "SRTP profile:"
9457
9458requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9459requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9460run_test "DTLS-SRTP all profiles supported. gnutls server" \
9461 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
9462 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9463 0 \
9464 -c "client hello, adding use_srtp extension" \
9465 -c "found use_srtp extension" \
9466 -c "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9467 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9468 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9469 -C "error"
9470
9471requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9472requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9473run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. gnutls server." \
9474 "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
9475 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9476 0 \
9477 -c "client hello, adding use_srtp extension" \
9478 -c "found use_srtp extension" \
9479 -c "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9480 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9481 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9482 -C "error"
9483
9484requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9485requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9486run_test "DTLS-SRTP server supports all profiles. Client supports one profile. gnutls server." \
9487 "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
9488 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9489 0 \
9490 -c "client hello, adding use_srtp extension" \
9491 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9492 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9493 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9494 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9495 -C "error"
9496
9497requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9498requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9499run_test "DTLS-SRTP server supports one profile. Client supports all profiles. gnutls server." \
9500 "$G_SRV -u --srtp-profiles=SRTP_NULL_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9501 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9502 0 \
9503 -c "client hello, adding use_srtp extension" \
9504 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9505 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9506 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9507 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9508 -C "error"
9509
9510requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9511requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9512run_test "DTLS-SRTP server and Client support only one matching profile. gnutls server." \
9513 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \
9514 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9515 0 \
9516 -c "client hello, adding use_srtp extension" \
9517 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9518 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9519 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9520 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9521 -C "error"
9522
9523requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9524requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9525run_test "DTLS-SRTP server and Client support only one different profile. gnutls server." \
9526 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9527 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9528 0 \
9529 -c "client hello, adding use_srtp extension" \
9530 -C "found use_srtp extension" \
9531 -C "found srtp profile" \
9532 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9533 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9534 -C "error"
9535
9536requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9537requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9538run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls server" \
9539 "$G_SRV -u" \
9540 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9541 0 \
9542 -c "client hello, adding use_srtp extension" \
9543 -C "found use_srtp extension" \
9544 -C "found srtp profile" \
9545 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9546 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9547 -C "error"
9548
9549requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9550requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9551run_test "DTLS-SRTP all profiles supported. mki used. gnutls server." \
9552 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
9553 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
9554 0 \
9555 -c "client hello, adding use_srtp extension" \
9556 -c "found use_srtp extension" \
9557 -c "found srtp profile" \
9558 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9559 -c "DTLS-SRTP key material is"\
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]9560 -c "DTLS-SRTP mki value:"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9561 -c "dumping 'sending mki' (8 bytes)" \
9562 -c "dumping 'received mki' (8 bytes)" \
9563 -C "error"
9564
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]9565# Tests for specific things with "unreliable" UDP connection
9566
9567not_with_valgrind # spurious resend due to timeout
9568run_test "DTLS proxy: reference" \
9569 -p "$P_PXY" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]9570 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
9571 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]9572 0 \
9573 -C "replayed record" \
9574 -S "replayed record" \
Hanno Beckerb2a86c32019-07-19 15:43:09 +0100[diff] [blame]9575 -C "Buffer record from epoch" \
9576 -S "Buffer record from epoch" \
9577 -C "ssl_buffer_message" \
9578 -S "ssl_buffer_message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]9579 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9580 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]9581 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9582 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]9583 -c "HTTP/1.0 200 OK"
9584
9585not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9586run_test "DTLS proxy: duplicate every packet" \
9587 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]9588 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \
9589 "$P_CLI dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9590 0 \
9591 -c "replayed record" \
9592 -s "replayed record" \
9593 -c "record from another epoch" \
9594 -s "record from another epoch" \
9595 -S "resend" \
9596 -s "Extra-header:" \
9597 -c "HTTP/1.0 200 OK"
9598
9599run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
9600 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9601 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
9602 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]9603 0 \
9604 -c "replayed record" \
9605 -S "replayed record" \
9606 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9607 -s "record from another epoch" \
9608 -c "resend" \
9609 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]9610 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9611 -c "HTTP/1.0 200 OK"
9612
9613run_test "DTLS proxy: multiple records in same datagram" \
9614 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9615 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
9616 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]9617 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9618 -c "next record in same datagram" \
9619 -s "next record in same datagram"
9620
9621run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
9622 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9623 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
9624 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]9625 0 \
9626 -c "next record in same datagram" \
9627 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9628
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]9629run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
9630 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9631 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
9632 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]9633 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]9634 -c "discarding invalid record (mac)" \
9635 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9636 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9637 -c "HTTP/1.0 200 OK" \
9638 -S "too many records with bad MAC" \
9639 -S "Verification of the message MAC failed"
9640
9641run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
9642 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9643 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
9644 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9645 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]9646 -C "discarding invalid record (mac)" \
9647 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9648 -S "Extra-header:" \
9649 -C "HTTP/1.0 200 OK" \
9650 -s "too many records with bad MAC" \
9651 -s "Verification of the message MAC failed"
9652
9653run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
9654 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9655 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
9656 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9657 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]9658 -c "discarding invalid record (mac)" \
9659 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9660 -s "Extra-header:" \
9661 -c "HTTP/1.0 200 OK" \
9662 -S "too many records with bad MAC" \
9663 -S "Verification of the message MAC failed"
9664
9665run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
9666 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9667 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
9668 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9669 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]9670 -c "discarding invalid record (mac)" \
9671 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9672 -s "Extra-header:" \
9673 -c "HTTP/1.0 200 OK" \
9674 -s "too many records with bad MAC" \
9675 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9676
9677run_test "DTLS proxy: delay ChangeCipherSpec" \
9678 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]9679 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
9680 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9681 0 \
9682 -c "record from another epoch" \
9683 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9684 -s "Extra-header:" \
9685 -c "HTTP/1.0 200 OK"
9686
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]9687# Tests for reordering support with DTLS
9688
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9689run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
9690 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9691 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9692 hs_timeout=2500-60000" \
9693 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9694 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]9695 0 \
9696 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9697 -c "Next handshake message has been buffered - load"\
9698 -S "Buffering HS message" \
9699 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9700 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9701 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9702 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9703 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]9704
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]9705run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
9706 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9707 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9708 hs_timeout=2500-60000" \
9709 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9710 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]9711 0 \
9712 -c "Buffering HS message" \
9713 -c "found fragmented DTLS handshake message"\
9714 -c "Next handshake message 1 not or only partially bufffered" \
9715 -c "Next handshake message has been buffered - load"\
9716 -S "Buffering HS message" \
9717 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9718 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]9719 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9720 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]9721 -S "Remember CCS message"
9722
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9723# The client buffers the ServerKeyExchange before receiving the fragmented
9724# Certificate message; at the time of writing, together these are aroudn 1200b
9725# in size, so that the bound below ensures that the certificate can be reassembled
9726# while keeping the ServerKeyExchange.
9727requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
9728run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9729 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9730 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9731 hs_timeout=2500-60000" \
9732 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9733 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9734 0 \
9735 -c "Buffering HS message" \
9736 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9737 -C "attempt to make space by freeing buffered messages" \
9738 -S "Buffering HS message" \
9739 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9740 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9741 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9742 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9743 -S "Remember CCS message"
9744
9745# The size constraints ensure that the delayed certificate message can't
9746# be reassembled while keeping the ServerKeyExchange message, but it can
9747# when dropping it first.
9748requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
9749requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
9750run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
9751 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9752 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9753 hs_timeout=2500-60000" \
9754 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9755 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9756 0 \
9757 -c "Buffering HS message" \
9758 -c "attempt to make space by freeing buffered future messages" \
9759 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9760 -S "Buffering HS message" \
9761 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9762 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9763 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9764 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9765 -S "Remember CCS message"
9766
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9767run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
9768 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9769 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
9770 hs_timeout=2500-60000" \
9771 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9772 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9773 0 \
9774 -C "Buffering HS message" \
9775 -C "Next handshake message has been buffered - load"\
9776 -s "Buffering HS message" \
9777 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9778 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9779 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9780 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9781 -S "Remember CCS message"
9782
9783run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
9784 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9785 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9786 hs_timeout=2500-60000" \
9787 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9788 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9789 0 \
9790 -C "Buffering HS message" \
9791 -C "Next handshake message has been buffered - load"\
9792 -S "Buffering HS message" \
9793 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9794 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9795 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9796 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9797 -S "Remember CCS message"
9798
9799run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
9800 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9801 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9802 hs_timeout=2500-60000" \
9803 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9804 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9805 0 \
9806 -C "Buffering HS message" \
9807 -C "Next handshake message has been buffered - load"\
9808 -S "Buffering HS message" \
9809 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9810 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9811 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9812 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9813 -s "Remember CCS message"
9814
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9815run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9816 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9817 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9818 hs_timeout=2500-60000" \
9819 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9820 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]9821 0 \
9822 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9823 -s "Found buffered record from current epoch - load" \
9824 -c "Buffer record from epoch 1" \
9825 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9826
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9827# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
9828# from the server are delayed, so that the encrypted Finished message
9829# is received and buffered. When the fragmented NewSessionTicket comes
9830# in afterwards, the encrypted Finished message must be freed in order
9831# to make space for the NewSessionTicket to be reassembled.
9832# This works only in very particular circumstances:
9833# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
9834# of the NewSessionTicket, but small enough to also allow buffering of
9835# the encrypted Finished message.
9836# - The MTU setting on the server must be so small that the NewSessionTicket
9837# needs to be fragmented.
9838# - All messages sent by the server must be small enough to be either sent
9839# without fragmentation or be reassembled within the bounds of
9840# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
9841# handshake, omitting CRTs.
Manuel Pégourié-Gonnardeef4c752019-05-28 10:21:30 +0200[diff] [blame]9842requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
9843requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9844run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
9845 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
Manuel Pégourié-Gonnardeef4c752019-05-28 10:21:30 +0200[diff] [blame]9846 "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9847 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
9848 0 \
9849 -s "Buffer record from epoch 1" \
9850 -s "Found buffered record from current epoch - load" \
9851 -c "Buffer record from epoch 1" \
9852 -C "Found buffered record from current epoch - load" \
9853 -c "Enough space available after freeing future epoch record"
9854
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]9855# Tests for "randomly unreliable connection": try a variety of flows and peers
9856
9857client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9858run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
9859 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9860 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9861 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9862 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9863 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9864 0 \
9865 -s "Extra-header:" \
9866 -c "HTTP/1.0 200 OK"
9867
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9868client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9869run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
9870 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9871 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
9872 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9873 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
9874 0 \
9875 -s "Extra-header:" \
9876 -c "HTTP/1.0 200 OK"
9877
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9878client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9879run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
9880 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9881 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
9882 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9883 0 \
9884 -s "Extra-header:" \
9885 -c "HTTP/1.0 200 OK"
9886
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9887client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9888run_test "DTLS proxy: 3d, FS, client auth" \
9889 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9890 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
9891 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9892 0 \
9893 -s "Extra-header:" \
9894 -c "HTTP/1.0 200 OK"
9895
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9896client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9897run_test "DTLS proxy: 3d, FS, ticket" \
9898 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9899 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
9900 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9901 0 \
9902 -s "Extra-header:" \
9903 -c "HTTP/1.0 200 OK"
9904
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9905client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9906run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
9907 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9908 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
9909 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9910 0 \
9911 -s "Extra-header:" \
9912 -c "HTTP/1.0 200 OK"
9913
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9914client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9915run_test "DTLS proxy: 3d, max handshake, nbio" \
9916 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9917 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9918 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9919 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9920 0 \
9921 -s "Extra-header:" \
9922 -c "HTTP/1.0 200 OK"
9923
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9924client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]9925run_test "DTLS proxy: 3d, min handshake, resumption" \
9926 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9927 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]9928 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9929 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]9930 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]9931 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9932 0 \
9933 -s "a session has been resumed" \
9934 -c "a session has been resumed" \
9935 -s "Extra-header:" \
9936 -c "HTTP/1.0 200 OK"
9937
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9938client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]9939run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
9940 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9941 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]9942 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9943 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]9944 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]9945 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
9946 0 \
9947 -s "a session has been resumed" \
9948 -c "a session has been resumed" \
9949 -s "Extra-header:" \
9950 -c "HTTP/1.0 200 OK"
9951
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9952client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9953requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9954run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]9955 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9956 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9957 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9958 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9959 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]9960 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9961 0 \
9962 -c "=> renegotiate" \
9963 -s "=> renegotiate" \
9964 -s "Extra-header:" \
9965 -c "HTTP/1.0 200 OK"
9966
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9967client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9968requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9969run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
9970 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9971 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9972 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9973 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9974 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9975 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9976 0 \
9977 -c "=> renegotiate" \
9978 -s "=> renegotiate" \
9979 -s "Extra-header:" \
9980 -c "HTTP/1.0 200 OK"
9981
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9982client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9983requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9984run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9985 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9986 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9987 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9988 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9989 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9990 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9991 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9992 0 \
9993 -c "=> renegotiate" \
9994 -s "=> renegotiate" \
9995 -s "Extra-header:" \
9996 -c "HTTP/1.0 200 OK"
9997
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9998client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9999requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]10000run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]10001 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10002 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]10003 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]10004 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10005 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]10006 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]10007 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
10008 0 \
10009 -c "=> renegotiate" \
10010 -s "=> renegotiate" \
10011 -s "Extra-header:" \
10012 -c "HTTP/1.0 200 OK"
10013
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]10014## Interop tests with OpenSSL might trigger a bug in recent versions (including
10015## all versions installed on the CI machines), reported here:
10016## Bug report: https://github.com/openssl/openssl/issues/6902
10017## They should be re-enabled once a fixed version of OpenSSL is available
10018## (this should happen in some 1.1.1_ release according to the ticket).
10019skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10020client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10021not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10022run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]10023 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
10024 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10025 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]10026 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]10027 -c "HTTP/1.0 200 OK"
10028
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]10029skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10030client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10031not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10032run_test "DTLS proxy: 3d, openssl server, fragmentation" \
10033 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
10034 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10035 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10036 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10037 -c "HTTP/1.0 200 OK"
10038
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]10039skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10040client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10041not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10042run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
10043 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
10044 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10045 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10046 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10047 -c "HTTP/1.0 200 OK"
10048
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]10049requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10050client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10051not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10052run_test "DTLS proxy: 3d, gnutls server" \
10053 -p "$P_PXY drop=5 delay=5 duplicate=5" \
10054 "$G_SRV -u --mtu 2048 -a" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10055 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10056 0 \
10057 -s "Extra-header:" \
10058 -c "Extra-header:"
10059
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]10060requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10061client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10062not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10063run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
10064 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]10065 "$G_NEXT_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10066 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10067 0 \
10068 -s "Extra-header:" \
10069 -c "Extra-header:"
10070
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]10071requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10072client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10073not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10074run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
10075 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]10076 "$G_NEXT_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10077 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10078 0 \
10079 -s "Extra-header:" \
10080 -c "Extra-header:"
10081
Ron Eldorf75e2522019-05-14 20:38:49 +0300[diff] [blame]10082requires_config_enabled MBEDTLS_SSL_EXPORT_KEYS
10083run_test "export keys functionality" \
10084 "$P_SRV eap_tls=1 debug_level=3" \
10085 "$P_CLI eap_tls=1 debug_level=3" \
10086 0 \
10087 -s "exported maclen is " \
10088 -s "exported keylen is " \
10089 -s "exported ivlen is " \
10090 -c "exported maclen is " \
10091 -c "exported keylen is " \
Ron Eldor65d8c262019-06-04 13:05:36 +0300[diff] [blame]10092 -c "exported ivlen is " \
10093 -c "EAP-TLS key material is:"\
10094 -s "EAP-TLS key material is:"\
10095 -c "EAP-TLS IV is:" \
10096 -s "EAP-TLS IV is:"
Ron Eldorf75e2522019-05-14 20:38:49 +0300[diff] [blame]10097
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]10098# Test heap memory usage after handshake
10099requires_config_enabled MBEDTLS_MEMORY_DEBUG
10100requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C
10101requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]10102requires_max_content_len 16384
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]10103run_tests_memory_after_hanshake
10104
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]10105# Final report
10106
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]10107echo "------------------------------------------------------------------------"
10108
10109if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]10110 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]10111else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]10112 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]10113fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]10114PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]10115echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]10116
10117exit $FAILS