TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / bf77960368e85e6909a8ed95ea0c8a998570b2ed / . / tests / ssl-opt.sh
blob: 49d2d1fc4f3b41a365aa17383baee8fa2d0eedd0 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Jaeden Ameroa258ccd2019-07-03 13:51:04 +0100[diff] [blame]24# Limit the size of each log to 10 GiB, in case of failures with this script
25# where it may output seemingly unlimited length error logs.
26ulimit -f 20971520
27
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]28if cd $( dirname $0 ); then :; else
29 echo "cd $( dirname $0 ) failed" >&2
30 exit 1
31fi
32
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]33# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]34: ${P_SRV:=../programs/ssl/ssl_server2}
35: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]36: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]37: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]38: ${GNUTLS_CLI:=gnutls-cli}
39: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]40: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]41
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]42O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]43O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]44G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]45G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]46TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]47
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]48# alternative versions of OpenSSL and GnuTLS (no default path)
49
50if [ -n "${OPENSSL_LEGACY:-}" ]; then
51 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
52 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
53else
54 O_LEGACY_SRV=false
55 O_LEGACY_CLI=false
56fi
57
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]58if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]59 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
60else
61 G_NEXT_SRV=false
62fi
63
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]64if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]65 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
66else
67 G_NEXT_CLI=false
68fi
69
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]70TESTS=0
71FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]72SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]73
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]74CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]75
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]76MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]77FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]78EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]79
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]80SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]81RUN_TEST_NUMBER=''
82
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]83PRESERVE_LOGS=0
84
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]85# Pick a "unique" server port in the range 10000-19999, and a proxy
86# port which is this plus 10000. Each port number may be independently
87# overridden by a command line option.
88SRV_PORT=$(($$ % 10000 + 10000))
89PXY_PORT=$((SRV_PORT + 10000))
90
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]91print_usage() {
92 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]93 printf " -h|--help\tPrint this help.\n"
94 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]95 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
96 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]97 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]98 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]99 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]100 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
101 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]102 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]103}
104
105get_options() {
106 while [ $# -gt 0 ]; do
107 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]108 -f|--filter)
109 shift; FILTER=$1
110 ;;
111 -e|--exclude)
112 shift; EXCLUDE=$1
113 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]114 -m|--memcheck)
115 MEMCHECK=1
116 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]117 -n|--number)
118 shift; RUN_TEST_NUMBER=$1
119 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]120 -s|--show-numbers)
121 SHOW_TEST_NUMBER=1
122 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]123 -p|--preserve-logs)
124 PRESERVE_LOGS=1
125 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]126 --port)
127 shift; SRV_PORT=$1
128 ;;
129 --proxy-port)
130 shift; PXY_PORT=$1
131 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]132 --seed)
133 shift; SEED="$1"
134 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]135 -h|--help)
136 print_usage
137 exit 0
138 ;;
139 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]140 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]141 print_usage
142 exit 1
143 ;;
144 esac
145 shift
146 done
147}
148
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]149# Skip next test; use this macro to skip tests which are legitimate
150# in theory and expected to be re-introduced at some point, but
151# aren't expected to succeed at the moment due to problems outside
152# our control (such as bugs in other TLS implementations).
153skip_next_test() {
154 SKIP_NEXT="YES"
155}
156
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]157# skip next test if the flag is not enabled in config.h
158requires_config_enabled() {
159 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
160 SKIP_NEXT="YES"
161 fi
162}
163
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]164# skip next test if the flag is enabled in config.h
165requires_config_disabled() {
166 if grep "^#define $1" $CONFIG_H > /dev/null; then
167 SKIP_NEXT="YES"
168 fi
169}
170
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]171requires_ciphersuite_enabled() {
172 if [ -z "$($P_CLI --help | grep "$1")" ]; then
173 SKIP_NEXT="YES"
174 fi
175}
176
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]177get_config_value_or_default() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]178 # This function uses the query_config command line option to query the
179 # required Mbed TLS compile time configuration from the ssl_server2
180 # program. The command will always return a success value if the
181 # configuration is defined and the value will be printed to stdout.
182 #
183 # Note that if the configuration is not defined or is defined to nothing,
184 # the output of this function will be an empty string.
185 ${P_SRV} "query_config=${1}"
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]186}
187
188requires_config_value_at_least() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]189 VAL="$( get_config_value_or_default "$1" )"
190 if [ -z "$VAL" ]; then
191 # Should never happen
192 echo "Mbed TLS configuration $1 is not defined"
193 exit 1
194 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]195 SKIP_NEXT="YES"
196 fi
197}
198
199requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]200 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]201 if [ -z "$VAL" ]; then
202 # Should never happen
203 echo "Mbed TLS configuration $1 is not defined"
204 exit 1
205 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]206 SKIP_NEXT="YES"
207 fi
208}
209
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]210# skip next test if OpenSSL doesn't support FALLBACK_SCSV
211requires_openssl_with_fallback_scsv() {
212 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
213 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
214 then
215 OPENSSL_HAS_FBSCSV="YES"
216 else
217 OPENSSL_HAS_FBSCSV="NO"
218 fi
219 fi
220 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
221 SKIP_NEXT="YES"
222 fi
223}
224
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]225# skip next test if GnuTLS isn't available
226requires_gnutls() {
227 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]228 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]229 GNUTLS_AVAILABLE="YES"
230 else
231 GNUTLS_AVAILABLE="NO"
232 fi
233 fi
234 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
235 SKIP_NEXT="YES"
236 fi
237}
238
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]239# skip next test if GnuTLS-next isn't available
240requires_gnutls_next() {
241 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
242 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
243 GNUTLS_NEXT_AVAILABLE="YES"
244 else
245 GNUTLS_NEXT_AVAILABLE="NO"
246 fi
247 fi
248 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
249 SKIP_NEXT="YES"
250 fi
251}
252
253# skip next test if OpenSSL-legacy isn't available
254requires_openssl_legacy() {
255 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
256 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
257 OPENSSL_LEGACY_AVAILABLE="YES"
258 else
259 OPENSSL_LEGACY_AVAILABLE="NO"
260 fi
261 fi
262 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
263 SKIP_NEXT="YES"
264 fi
265}
266
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]267# skip next test if IPv6 isn't available on this host
268requires_ipv6() {
269 if [ -z "${HAS_IPV6:-}" ]; then
270 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
271 SRV_PID=$!
272 sleep 1
273 kill $SRV_PID >/dev/null 2>&1
274 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
275 HAS_IPV6="NO"
276 else
277 HAS_IPV6="YES"
278 fi
279 rm -r $SRV_OUT
280 fi
281
282 if [ "$HAS_IPV6" = "NO" ]; then
283 SKIP_NEXT="YES"
284 fi
285}
286
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]287# skip next test if it's i686 or uname is not available
288requires_not_i686() {
289 if [ -z "${IS_I686:-}" ]; then
290 IS_I686="YES"
291 if which "uname" >/dev/null 2>&1; then
292 if [ -z "$(uname -a | grep i686)" ]; then
293 IS_I686="NO"
294 fi
295 fi
296 fi
297 if [ "$IS_I686" = "YES" ]; then
298 SKIP_NEXT="YES"
299 fi
300}
301
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]302# Calculate the input & output maximum content lengths set in the config
303MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
304MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
305MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
306
307if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
308 MAX_CONTENT_LEN="$MAX_IN_LEN"
309fi
310if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
311 MAX_CONTENT_LEN="$MAX_OUT_LEN"
312fi
313
314# skip the next test if the SSL output buffer is less than 16KB
315requires_full_size_output_buffer() {
316 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
317 SKIP_NEXT="YES"
318 fi
319}
320
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]321# skip the next test if valgrind is in use
322not_with_valgrind() {
323 if [ "$MEMCHECK" -gt 0 ]; then
324 SKIP_NEXT="YES"
325 fi
326}
327
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]328# skip the next test if valgrind is NOT in use
329only_with_valgrind() {
330 if [ "$MEMCHECK" -eq 0 ]; then
331 SKIP_NEXT="YES"
332 fi
333}
334
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]335# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]336client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]337 CLI_DELAY_FACTOR=$1
338}
339
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]340# wait for the given seconds after the client finished in the next test
341server_needs_more_time() {
342 SRV_DELAY_SECONDS=$1
343}
344
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]345# print_name <name>
346print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]347 TESTS=$(( $TESTS + 1 ))
348 LINE=""
349
350 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
351 LINE="$TESTS "
352 fi
353
354 LINE="$LINE$1"
355 printf "$LINE "
356 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]357 for i in `seq 1 $LEN`; do printf '.'; done
358 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]359
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]360}
361
362# fail <message>
363fail() {
364 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]365 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]366
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]367 mv $SRV_OUT o-srv-${TESTS}.log
368 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]369 if [ -n "$PXY_CMD" ]; then
370 mv $PXY_OUT o-pxy-${TESTS}.log
371 fi
372 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]373
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]374 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]375 echo " ! server output:"
376 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]377 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]378 echo " ! client output:"
379 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]380 if [ -n "$PXY_CMD" ]; then
381 echo " ! ========================================================"
382 echo " ! proxy output:"
383 cat o-pxy-${TESTS}.log
384 fi
385 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]386 fi
387
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]388 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]389}
390
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]391# is_polar <cmd_line>
392is_polar() {
393 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
394}
395
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]396# openssl s_server doesn't have -www with DTLS
397check_osrv_dtls() {
398 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
399 NEEDS_INPUT=1
400 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
401 else
402 NEEDS_INPUT=0
403 fi
404}
405
406# provide input to commands that need it
407provide_input() {
408 if [ $NEEDS_INPUT -eq 0 ]; then
409 return
410 fi
411
412 while true; do
413 echo "HTTP/1.0 200 OK"
414 sleep 1
415 done
416}
417
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]418# has_mem_err <log_file_name>
419has_mem_err() {
420 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
421 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
422 then
423 return 1 # false: does not have errors
424 else
425 return 0 # true: has errors
426 fi
427}
428
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]429# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]430if type lsof >/dev/null 2>/dev/null; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]431 wait_app_start() {
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]432 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]433 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]434 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]435 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]436 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]437 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]438 # Make a tight loop, server normally takes less than 1s to start.
439 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
440 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]441 echo "$3 START TIMEOUT"
442 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]443 break
444 fi
445 # Linux and *BSD support decimal arguments to sleep. On other
446 # OSes this may be a tight loop.
447 sleep 0.1 2>/dev/null || true
448 done
449 }
450else
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]451 echo "Warning: lsof not available, wait_app_start = sleep"
452 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]453 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]454 }
455fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]456
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]457# Wait for server process $2 to be listening on port $1.
458wait_server_start() {
459 wait_app_start $1 $2 "SERVER" $SRV_OUT
460}
461
462# Wait for proxy process $2 to be listening on port $1.
463wait_proxy_start() {
464 wait_app_start $1 $2 "PROXY" $PXY_OUT
465}
466
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]467# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]468# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]469# acceptable bounds
470check_server_hello_time() {
471 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]472 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]473 # Get the Unix timestamp for now
474 CUR_TIME=$(date +'%s')
475 THRESHOLD_IN_SECS=300
476
477 # Check if the ServerHello time was printed
478 if [ -z "$SERVER_HELLO_TIME" ]; then
479 return 1
480 fi
481
482 # Check the time in ServerHello is within acceptable bounds
483 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
484 # The time in ServerHello is at least 5 minutes before now
485 return 1
486 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]487 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]488 return 1
489 else
490 return 0
491 fi
492}
493
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]494# wait for client to terminate and set CLI_EXIT
495# must be called right after starting the client
496wait_client_done() {
497 CLI_PID=$!
498
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]499 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
500 CLI_DELAY_FACTOR=1
501
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]502 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]503 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]504
505 wait $CLI_PID
506 CLI_EXIT=$?
507
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]508 kill $DOG_PID >/dev/null 2>&1
509 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]510
511 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]512
513 sleep $SRV_DELAY_SECONDS
514 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]515}
516
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]517# check if the given command uses dtls and sets global variable DTLS
518detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]519 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]520 DTLS=1
521 else
522 DTLS=0
523 fi
524}
525
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]526# Strip off a particular parameter from the command line
527# and return its value.
528# Parameter 1: Command line parameter to strip off
529# ENV I/O: CMD command line to search and modify
530extract_cmdline_argument() {
531 __ARG=$(echo "$CMD" | sed -n "s/^.* $1=\([^ ]*\).*$/\1/p")
532 CMD=$(echo "$CMD" | sed "s/$1=\([^ ]*\)//")
533}
534
535# Check compatibility of the ssl_client2/ssl_server2 command-line
536# with a particular compile-time configurable option.
537# Parameter 1: Command-line argument (e.g. extended_ms)
538# Parameter 2: Corresponding compile-time configuration
539# (e.g. MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
540# ENV I/O: CMD command line to search and modify
541# SKIP_NEXT set to "YES" on a mismatch
542check_cmdline_param_compat() {
543 __VAL="$( get_config_value_or_default "$2" )"
544 if [ ! -z "$__VAL" ]; then
545 extract_cmdline_argument "$1"
546 if [ ! -z "$__ARG" ] && [ "$__ARG" != "$__VAL" ]; then
547 SKIP_NEXT="YES"
548 fi
549 fi
550}
551
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]552check_cmdline_check_tls_dtls() {
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]553 detect_dtls "$CMD"
554 if [ "$DTLS" = "0" ]; then
555 requires_config_disabled MBEDTLS_SSL_PROTO_NO_TLS
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]556 elif [ "$DTLS" = "1" ]; then
557 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]558 fi
559}
560
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]561check_cmdline_authmode_compat() {
562 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_AUTHMODE" )"
563 if [ ! -z "$__VAL" ]; then
564 extract_cmdline_argument "auth_mode"
565 if [ "$__ARG" = "none" ] && [ "$__VAL" != "0" ]; then
566 SKIP_NEXT="YES";
567 elif [ "$__ARG" = "optional" ] && [ "$__VAL" != "1" ]; then
568 SKIP_NEXT="YES"
569 elif [ "$__ARG" = "required" ] && [ "$__VAL" != "2" ]; then
570 SKIP_NEXT="YES"
571 fi
572 fi
573}
574
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]575check_cmdline_legacy_renego_compat() {
576 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )"
577 if [ ! -z "$__VAL" ]; then
578 extract_cmdline_argument "allow_legacy"
579 if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then
580 SKIP_NEXT="YES";
581 elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then
582 SKIP_NEXT="YES"
583 elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then
584 SKIP_NEXT="YES"
585 fi
586 fi
587}
588
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]589check_cmdline_min_minor_version_compat() {
590 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
591 if [ ! -z "$__VAL" ]; then
592 extract_cmdline_argument "min_version"
593 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
594 SKIP_NEXT="YES";
595 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
596 SKIP_NEXT="YES"
597 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
598 SKIP_NEXT="YES"
599 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
600 SKIP_NEXT="YES"
601 fi
602 fi
603}
604
605check_cmdline_max_minor_version_compat() {
606 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
607 if [ ! -z "$__VAL" ]; then
608 extract_cmdline_argument "max_version"
609 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
610 SKIP_NEXT="YES";
611 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
612 SKIP_NEXT="YES"
613 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
614 SKIP_NEXT="YES"
615 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
616 SKIP_NEXT="YES"
617 fi
618 fi
619}
620
621check_cmdline_force_version_compat() {
622 __VAL_MAX="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
623 __VAL_MIN="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
624 if [ ! -z "$__VAL_MIN" ]; then
625
626 # SSL cli/srv cmd line
627
628 extract_cmdline_argument "force_version"
629 if [ "$__ARG" = "ssl3" ] && \
630 ( [ "$__VAL_MIN" != "0" ] || [ "$__VAL_MAX" != "0" ] ); then
631 SKIP_NEXT="YES";
632 elif [ "$__ARG" = "tls1" ] && \
633 ( [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ] ); then
634 SKIP_NEXT="YES"
635 elif ( [ "$__ARG" = "tls1_1" ] || [ "$__ARG" = "dtls1" ] ) && \
636 ( [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ] ); then
637 SKIP_NEXT="YES"
638 elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
639 ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
640 echo "FORCE SKIP"
641 SKIP_NEXT="YES"
642 fi
643
644 # OpenSSL cmd line
645
646 if echo "$CMD" | grep -e "-tls1\($\|[^_]\)" > /dev/null; then
647 if [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ]; then
648 SKIP_NEXT="YES"
649 fi
650 fi
651
652 if echo "$CMD" | grep -e "-\(dtls1\($\|[^_]\)\|tls1_1\)" > /dev/null; then
653 if [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ]; then
654 SKIP_NEXT="YES"
655 fi
656 fi
657
658 if echo "$CMD" | grep -e "-\(dtls1_2\($\|[^_]\)\|tls1_2\)" > /dev/null; then
659 if [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ]; then
660 SKIP_NEXT="YES"
661 fi
662 fi
663
664 fi
665}
666
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]667check_cmdline_crt_key_files_compat() {
668
669 # test-ca2.crt
670 if echo "$CMD" | grep -e "test-ca2" > /dev/null; then
671 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
672 fi
673
674 # Variants of server5.key and server5.crt
675 if echo "$CMD" | grep -e "server5" > /dev/null; then
676 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
677 fi
678
679 # Variants of server6.key and server6.crt
680 if echo "$CMD" | grep -e "server6" > /dev/null; then
681 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
682 fi
683
684}
685
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]686# Go through all options that can be hardcoded at compile-time and
687# detect whether the command line configures them in a conflicting
688# way. If so, skip the test. Otherwise, remove the corresponding
689# entry.
690# Parameter 1: Command line to inspect
691# Output: Modified command line
692# ENV I/O: SKIP_TEST set to 1 on mismatch.
693check_cmdline_compat() {
694 CMD="$1"
695
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]696 # Check that if we're specifying particular certificate and/or
697 # ECC key files, the corresponding curve is enabled.
698 check_cmdline_crt_key_files_compat
699
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]700 # ExtendedMasterSecret configuration
701 check_cmdline_param_compat "extended_ms" \
702 "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET"
703 check_cmdline_param_compat "enforce_extended_master_secret" \
704 "MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET"
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]705
706 # DTLS anti replay protection configuration
707 check_cmdline_param_compat "anti_replay" \
708 "MBEDTLS_SSL_CONF_ANTI_REPLAY"
709
Hanno Beckerde671542019-06-12 16:30:46 +0100[diff] [blame]710 # DTLS bad MAC limit
711 check_cmdline_param_compat "badmac_limit" \
712 "MBEDTLS_SSL_CONF_BADMAC_LIMIT"
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]713
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]714 # Skip tests relying on TLS/DTLS in configs that disable it.
715 check_cmdline_check_tls_dtls
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]716
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]717 # Authentication mode
718 check_cmdline_authmode_compat
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]719
720 # Legacy renegotiation
721 check_cmdline_legacy_renego_compat
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]722
723 # Version configuration
724 check_cmdline_min_minor_version_compat
725 check_cmdline_max_minor_version_compat
726 check_cmdline_force_version_compat
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]727}
728
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]729# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]730# Options: -s pattern pattern that must be present in server output
731# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]732# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]733# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]734# -S pattern pattern that must be absent in server output
735# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]736# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]737# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]738run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]739 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]740 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]741
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]742 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
743 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]744 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]745 return
746 fi
747
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]748 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]749
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]750 # Do we only run numbered tests?
751 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
752 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
753 else
754 SKIP_NEXT="YES"
755 fi
756
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]757 # does this test use a proxy?
758 if [ "X$1" = "X-p" ]; then
759 PXY_CMD="$2"
760 shift 2
761 else
762 PXY_CMD=""
763 fi
764
765 # get commands and client output
766 SRV_CMD="$1"
767 CLI_CMD="$2"
768 CLI_EXPECT="$3"
769 shift 3
770
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]771 check_cmdline_compat "$SRV_CMD"
772 SRV_CMD="$CMD"
773
774 check_cmdline_compat "$CLI_CMD"
775 CLI_CMD="$CMD"
776
Hanno Becker7a11e722019-05-10 14:38:42 +0100[diff] [blame]777 # Check if test uses files
778 TEST_USES_FILES=$(echo "$SRV_CMD $CLI_CMD" | grep "\.\(key\|crt\|pem\)" )
779 if [ ! -z "$TEST_USES_FILES" ]; then
780 requires_config_enabled MBEDTLS_FS_IO
781 fi
782
783 # should we skip?
784 if [ "X$SKIP_NEXT" = "XYES" ]; then
785 SKIP_NEXT="NO"
786 echo "SKIP"
787 SKIPS=$(( $SKIPS + 1 ))
788 return
789 fi
790
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]791 # fix client port
792 if [ -n "$PXY_CMD" ]; then
793 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
794 else
795 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
796 fi
797
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]798 # update DTLS variable
799 detect_dtls "$SRV_CMD"
800
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]801 # prepend valgrind to our commands if active
802 if [ "$MEMCHECK" -gt 0 ]; then
803 if is_polar "$SRV_CMD"; then
804 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
805 fi
806 if is_polar "$CLI_CMD"; then
807 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
808 fi
809 fi
810
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]811 TIMES_LEFT=2
812 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]813 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]814
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]815 # run the commands
816 if [ -n "$PXY_CMD" ]; then
817 echo "$PXY_CMD" > $PXY_OUT
818 $PXY_CMD >> $PXY_OUT 2>&1 &
819 PXY_PID=$!
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]820 wait_proxy_start "$PXY_PORT" "$PXY_PID"
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]821 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]822
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]823 check_osrv_dtls
824 echo "$SRV_CMD" > $SRV_OUT
825 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
826 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]827 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]828
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]829 echo "$CLI_CMD" > $CLI_OUT
830 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
831 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]832
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]833 sleep 0.05
834
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]835 # terminate the server (and the proxy)
836 kill $SRV_PID
837 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]838
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]839 if [ -n "$PXY_CMD" ]; then
840 kill $PXY_PID >/dev/null 2>&1
841 wait $PXY_PID
842 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]843
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]844 # retry only on timeouts
845 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
846 printf "RETRY "
847 else
848 TIMES_LEFT=0
849 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]850 done
851
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]852 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]853 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]854 # expected client exit to incorrectly succeed in case of catastrophic
855 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]856 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]857 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]858 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]859 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]860 return
861 fi
862 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]863 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]864 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]865 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]866 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]867 return
868 fi
869 fi
870
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]871 # check server exit code
872 if [ $? != 0 ]; then
873 fail "server fail"
874 return
875 fi
876
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]877 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]878 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
879 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]880 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]881 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]882 return
883 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]884
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]885 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]886 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]887 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]888 while [ $# -gt 0 ]
889 do
890 case $1 in
891 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]892 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]893 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]894 return
895 fi
896 ;;
897
898 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]899 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]900 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]901 return
902 fi
903 ;;
904
905 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]906 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]907 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]908 return
909 fi
910 ;;
911
912 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]913 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]914 fail "pattern '$2' MUST NOT be present in the Client output"
915 return
916 fi
917 ;;
918
919 # The filtering in the following two options (-u and -U) do the following
920 # - ignore valgrind output
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]921 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]922 # - keep one of each non-unique line
923 # - count how many lines remain
924 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
925 # if there were no duplicates.
926 "-U")
927 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
928 fail "lines following pattern '$2' must be unique in Server output"
929 return
930 fi
931 ;;
932
933 "-u")
934 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
935 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]936 return
937 fi
938 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]939 "-F")
940 if ! $2 "$SRV_OUT"; then
941 fail "function call to '$2' failed on Server output"
942 return
943 fi
944 ;;
945 "-f")
946 if ! $2 "$CLI_OUT"; then
947 fail "function call to '$2' failed on Client output"
948 return
949 fi
950 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]951
952 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]953 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]954 exit 1
955 esac
956 shift 2
957 done
958
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]959 # check valgrind's results
960 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]961 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]962 fail "Server has memory errors"
963 return
964 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]965 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]966 fail "Client has memory errors"
967 return
968 fi
969 fi
970
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]971 # if we're here, everything is ok
972 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]973 if [ "$PRESERVE_LOGS" -gt 0 ]; then
974 mv $SRV_OUT o-srv-${TESTS}.log
975 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]976 if [ -n "$PXY_CMD" ]; then
977 mv $PXY_OUT o-pxy-${TESTS}.log
978 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]979 fi
980
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]981 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]982}
983
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]984cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]985 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]986 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
987 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
988 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
989 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]990 exit 1
991}
992
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]993#
994# MAIN
995#
996
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]997get_options "$@"
998
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]999# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]1000P_SRV_BIN="${P_SRV%%[ ]*}"
1001P_CLI_BIN="${P_CLI%%[ ]*}"
1002P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1003if [ ! -x "$P_SRV_BIN" ]; then
1004 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1005 exit 1
1006fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1007if [ ! -x "$P_CLI_BIN" ]; then
1008 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1009 exit 1
1010fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1011if [ ! -x "$P_PXY_BIN" ]; then
1012 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1013 exit 1
1014fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]1015if [ "$MEMCHECK" -gt 0 ]; then
1016 if which valgrind >/dev/null 2>&1; then :; else
1017 echo "Memcheck not possible. Valgrind not found"
1018 exit 1
1019 fi
1020fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1021if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
1022 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1023 exit 1
1024fi
1025
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]1026# used by watchdog
1027MAIN_PID="$$"
1028
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1029# We use somewhat arbitrary delays for tests:
1030# - how long do we wait for the server to start (when lsof not available)?
1031# - how long do we allow for the client to finish?
1032# (not to check performance, just to avoid waiting indefinitely)
1033# Things are slower with valgrind, so give extra time here.
1034#
1035# Note: without lsof, there is a trade-off between the running time of this
1036# script and the risk of spurious errors because we didn't wait long enough.
1037# The watchdog delay on the other hand doesn't affect normal running time of
1038# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1039if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1040 START_DELAY=6
1041 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1042else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1043 START_DELAY=2
1044 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1045fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1046
1047# some particular tests need more time:
1048# - for the client, we multiply the usual watchdog limit by a factor
1049# - for the server, we sleep for a number of seconds after the client exits
1050# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]1051CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]1052SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1053
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1054# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]1055# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1056P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
1057P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]1058P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]1059O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1060O_CLI="$O_CLI -connect localhost:+SRV_PORT"
1061G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1062G_CLI="$G_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1063
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1064if [ -n "${OPENSSL_LEGACY:-}" ]; then
1065 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
1066 O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
1067fi
1068
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1069if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1070 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
1071fi
1072
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1073if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1074 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1075fi
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1076
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]1077# Allow SHA-1, because many of our test certificates use it
1078P_SRV="$P_SRV allow_sha1=1"
1079P_CLI="$P_CLI allow_sha1=1"
1080
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1081# Also pick a unique name for intermediate files
1082SRV_OUT="srv_out.$$"
1083CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1084PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1085SESSION="session.$$"
1086
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]1087SKIP_NEXT="NO"
1088
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1089trap cleanup INT TERM HUP
1090
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1091# Basic test
1092
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1093run_test "Default" \
1094 "$P_SRV debug_level=3" \
1095 "$P_CLI" \
1096 0
1097
1098run_test "Default, DTLS" \
1099 "$P_SRV dtls=1" \
1100 "$P_CLI dtls=1" \
1101 0
1102
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1103# Checks that:
1104# - things work with all ciphersuites active (used with config-full in all.sh)
1105# - the expected (highest security) parameters are selected
1106# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1107requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1108requires_config_enabled MBEDTLS_SHA512_C
1109requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1110requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1111run_test "Default, choose highest security suite and hash" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1112 "$P_SRV debug_level=3" \
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1113 "$P_CLI" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1114 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1115 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1116 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1117 -s "client hello v3, signature_algorithm ext: 6" \
1118 -s "ECDHE curve: secp521r1" \
1119 -S "error" \
1120 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1121
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1122requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1123requires_config_enabled MBEDTLS_SHA512_C
1124requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1125requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1126run_test "Default, choose highest security suite and hash, DTLS" \
1127 "$P_SRV debug_level=3 dtls=1" \
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1128 "$P_CLI dtls=1" \
1129 0 \
1130 -s "Protocol is DTLSv1.2" \
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1131 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
1132 -s "client hello v3, signature_algorithm ext: 6" \
1133 -s "ECDHE curve: secp521r1"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1134
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1135# Test current time in ServerHello
1136requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1137run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1138 "$P_SRV debug_level=3" \
1139 "$P_CLI debug_level=3" \
1140 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1141 -f "check_server_hello_time" \
1142 -F "check_server_hello_time"
1143
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1144# Test for uniqueness of IVs in AEAD ciphersuites
1145run_test "Unique IV in GCM" \
1146 "$P_SRV exchanges=20 debug_level=4" \
1147 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1148 0 \
1149 -u "IV used" \
1150 -U "IV used"
1151
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1152# Tests for rc4 option
1153
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1154requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1155run_test "RC4: server disabled, client enabled" \
1156 "$P_SRV" \
1157 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1158 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1159 -s "SSL - The server has no ciphersuites in common"
1160
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1161requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1162run_test "RC4: server half, client enabled" \
1163 "$P_SRV arc4=1" \
1164 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1165 1 \
1166 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1167
1168run_test "RC4: server enabled, client disabled" \
1169 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1170 "$P_CLI" \
1171 1 \
1172 -s "SSL - The server has no ciphersuites in common"
1173
1174run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1175 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1176 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1177 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1178 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1179 -S "SSL - The server has no ciphersuites in common"
1180
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1181# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
1182
1183requires_gnutls
1184requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
1185run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
1186 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1187 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1188 0
1189
1190requires_gnutls
1191requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
1192run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
1193 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1194 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1195 0
1196
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1197# Tests for SHA-1 support
1198
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1199requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1200requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1201requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1202run_test "SHA-1 forbidden by default in server certificate" \
1203 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1204 "$P_CLI debug_level=2 allow_sha1=0" \
1205 1 \
1206 -c "The certificate is signed with an unacceptable hash"
1207
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1208requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1209run_test "SHA-1 forbidden by default in server certificate" \
1210 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1211 "$P_CLI debug_level=2 allow_sha1=0" \
1212 0
1213
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1214run_test "SHA-1 explicitly allowed in server certificate" \
1215 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1216 "$P_CLI allow_sha1=1" \
1217 0
1218
1219run_test "SHA-256 allowed by default in server certificate" \
1220 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
1221 "$P_CLI allow_sha1=0" \
1222 0
1223
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1224requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1225requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1226requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1227run_test "SHA-1 forbidden by default in client certificate" \
1228 "$P_SRV auth_mode=required allow_sha1=0" \
1229 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1230 1 \
1231 -s "The certificate is signed with an unacceptable hash"
1232
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1233requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1234run_test "SHA-1 forbidden by default in client certificate" \
1235 "$P_SRV auth_mode=required allow_sha1=0" \
1236 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1237 0
1238
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1239run_test "SHA-1 explicitly allowed in client certificate" \
1240 "$P_SRV auth_mode=required allow_sha1=1" \
1241 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1242 0
1243
1244run_test "SHA-256 allowed by default in client certificate" \
1245 "$P_SRV auth_mode=required allow_sha1=0" \
1246 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
1247 0
1248
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1249# Tests for datagram packing
1250run_test "DTLS: multiple records in same datagram, client and server" \
1251 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1252 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1253 0 \
1254 -c "next record in same datagram" \
1255 -s "next record in same datagram"
1256
1257run_test "DTLS: multiple records in same datagram, client only" \
1258 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1259 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1260 0 \
1261 -s "next record in same datagram" \
1262 -C "next record in same datagram"
1263
1264run_test "DTLS: multiple records in same datagram, server only" \
1265 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1266 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1267 0 \
1268 -S "next record in same datagram" \
1269 -c "next record in same datagram"
1270
1271run_test "DTLS: multiple records in same datagram, neither client nor server" \
1272 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1273 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1274 0 \
1275 -S "next record in same datagram" \
1276 -C "next record in same datagram"
1277
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1278# Tests for Truncated HMAC extension
1279
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1280run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1281 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1282 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1283 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1284 -s "dumping 'expected mac' (20 bytes)" \
1285 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1286
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1287requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1288run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1289 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1290 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1291 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1292 -s "dumping 'expected mac' (20 bytes)" \
1293 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1294
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1295requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1296run_test "Truncated HMAC: client enabled, server default" \
1297 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1298 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1299 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1300 -s "dumping 'expected mac' (20 bytes)" \
1301 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1302
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1303requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1304run_test "Truncated HMAC: client enabled, server disabled" \
1305 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1306 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1307 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1308 -s "dumping 'expected mac' (20 bytes)" \
1309 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1310
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1311requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1312run_test "Truncated HMAC: client disabled, server enabled" \
1313 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1314 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1315 0 \
1316 -s "dumping 'expected mac' (20 bytes)" \
1317 -S "dumping 'expected mac' (10 bytes)"
1318
1319requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1320run_test "Truncated HMAC: client enabled, server enabled" \
1321 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1322 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1323 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1324 -S "dumping 'expected mac' (20 bytes)" \
1325 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1326
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1327run_test "Truncated HMAC, DTLS: client default, server default" \
1328 "$P_SRV dtls=1 debug_level=4" \
1329 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1330 0 \
1331 -s "dumping 'expected mac' (20 bytes)" \
1332 -S "dumping 'expected mac' (10 bytes)"
1333
1334requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1335run_test "Truncated HMAC, DTLS: client disabled, server default" \
1336 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1337 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1338 0 \
1339 -s "dumping 'expected mac' (20 bytes)" \
1340 -S "dumping 'expected mac' (10 bytes)"
1341
1342requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1343run_test "Truncated HMAC, DTLS: client enabled, server default" \
1344 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1345 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1346 0 \
1347 -s "dumping 'expected mac' (20 bytes)" \
1348 -S "dumping 'expected mac' (10 bytes)"
1349
1350requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1351run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1352 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1353 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1354 0 \
1355 -s "dumping 'expected mac' (20 bytes)" \
1356 -S "dumping 'expected mac' (10 bytes)"
1357
1358requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1359run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1360 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1361 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1362 0 \
1363 -s "dumping 'expected mac' (20 bytes)" \
1364 -S "dumping 'expected mac' (10 bytes)"
1365
1366requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1367run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1368 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1369 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1370 0 \
1371 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1372 -s "dumping 'expected mac' (10 bytes)"
1373
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1374# Tests for Context serialization
1375
1376requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1377run_test "Context serialization, client serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1378 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1379 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1380 0 \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1381 -c "Deserializing connection..." \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1382 -S "Deserializing connection..."
1383
1384requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1385run_test "Context serialization, client serializes, ChaChaPoly" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1386 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1387 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1388 0 \
1389 -c "Deserializing connection..." \
1390 -S "Deserializing connection..."
1391
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1392requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1393run_test "Context serialization, client serializes, GCM" \
1394 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1395 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1396 0 \
1397 -c "Deserializing connection..." \
1398 -S "Deserializing connection..."
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1399
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1400requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1401requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1402run_test "Context serialization, client serializes, with CID" \
1403 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1404 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1405 0 \
1406 -c "Deserializing connection..." \
1407 -S "Deserializing connection..."
1408
1409requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1410run_test "Context serialization, server serializes, CCM" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1411 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1412 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1413 0 \
1414 -C "Deserializing connection..." \
1415 -s "Deserializing connection..."
1416
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1417requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1418run_test "Context serialization, server serializes, ChaChaPoly" \
1419 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1420 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1421 0 \
1422 -C "Deserializing connection..." \
1423 -s "Deserializing connection..."
1424
1425requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1426run_test "Context serialization, server serializes, GCM" \
1427 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1428 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1429 0 \
1430 -C "Deserializing connection..." \
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1431 -s "Deserializing connection..."
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1432
1433requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1434requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1435run_test "Context serialization, server serializes, with CID" \
1436 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1437 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1438 0 \
1439 -C "Deserializing connection..." \
1440 -s "Deserializing connection..."
1441
1442requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1443run_test "Context serialization, both serialize, CCM" \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1444 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1445 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1446 0 \
1447 -c "Deserializing connection..." \
1448 -s "Deserializing connection..."
1449
1450requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1451run_test "Context serialization, both serialize, ChaChaPoly" \
1452 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1453 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1454 0 \
1455 -c "Deserializing connection..." \
1456 -s "Deserializing connection..."
1457
1458requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1459run_test "Context serialization, both serialize, GCM" \
1460 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1461 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1462 0 \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1463 -c "Deserializing connection..." \
1464 -s "Deserializing connection..."
1465
1466requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1467requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1468run_test "Context serialization, both serialize, with CID" \
1469 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1470 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1471 0 \
1472 -c "Deserializing connection..." \
1473 -s "Deserializing connection..."
1474
1475requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1476run_test "Context serialization, re-init, client serializes, CCM" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1477 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1478 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1479 0 \
1480 -c "Deserializing connection..." \
1481 -S "Deserializing connection..."
1482
1483requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1484run_test "Context serialization, re-init, client serializes, ChaChaPoly" \
1485 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1486 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1487 0 \
1488 -c "Deserializing connection..." \
1489 -S "Deserializing connection..."
1490
1491requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1492run_test "Context serialization, re-init, client serializes, GCM" \
1493 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1494 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1495 0 \
1496 -c "Deserializing connection..." \
1497 -S "Deserializing connection..."
1498
1499requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1500requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1501run_test "Context serialization, re-init, client serializes, with CID" \
1502 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1503 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1504 0 \
1505 -c "Deserializing connection..." \
1506 -S "Deserializing connection..."
1507
1508requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1509run_test "Context serialization, re-init, server serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1510 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1511 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1512 0 \
1513 -C "Deserializing connection..." \
1514 -s "Deserializing connection..."
1515
1516requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1517run_test "Context serialization, re-init, server serializes, ChaChaPoly" \
1518 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1519 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1520 0 \
1521 -C "Deserializing connection..." \
1522 -s "Deserializing connection..."
1523
1524requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1525run_test "Context serialization, re-init, server serializes, GCM" \
1526 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1527 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1528 0 \
1529 -C "Deserializing connection..." \
1530 -s "Deserializing connection..."
1531
1532requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1533requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1534run_test "Context serialization, re-init, server serializes, with CID" \
1535 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1536 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1537 0 \
1538 -C "Deserializing connection..." \
1539 -s "Deserializing connection..."
1540
1541requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1542run_test "Context serialization, re-init, both serialize, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1543 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1544 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1545 0 \
1546 -c "Deserializing connection..." \
1547 -s "Deserializing connection..."
1548
1549requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1550run_test "Context serialization, re-init, both serialize, ChaChaPoly" \
1551 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1552 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1553 0 \
1554 -c "Deserializing connection..." \
1555 -s "Deserializing connection..."
1556
1557requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1558run_test "Context serialization, re-init, both serialize, GCM" \
1559 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1560 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1561 0 \
1562 -c "Deserializing connection..." \
1563 -s "Deserializing connection..."
1564
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1565requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1566requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1567run_test "Context serialization, re-init, both serialize, with CID" \
1568 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1569 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1570 0 \
1571 -c "Deserializing connection..." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1572 -s "Deserializing connection..."
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1573
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1574# Tests for DTLS Connection ID extension
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1575
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1576# So far, the CID API isn't implemented, so we can't
1577# grep for output witnessing its use. This needs to be
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1578# changed once the CID extension is implemented.
Hanno Beckerad8e2c92019-05-08 13:19:53 +0100[diff] [blame]1579
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1580requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1581run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1582 "$P_SRV debug_level=3 dtls=1 cid=0" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1583 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1584 0 \
1585 -s "Disable use of CID extension." \
1586 -s "found CID extension" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1587 -s "Client sent CID extension, but CID disabled" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1588 -c "Enable use of CID extension." \
1589 -c "client hello, adding CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1590 -S "server hello, adding CID extension" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1591 -C "found CID extension" \
1592 -S "Copy CIDs into SSL transform" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1593 -C "Copy CIDs into SSL transform" \
1594 -c "Use of Connection ID was rejected by the server"
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1595
1596requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1597run_test "Connection ID: Cli disabled, Srv enabled" \
1598 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1599 "$P_CLI debug_level=3 dtls=1 cid=0" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1600 0 \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1601 -c "Disable use of CID extension." \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1602 -C "client hello, adding CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1603 -S "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1604 -s "Enable use of CID extension." \
1605 -S "server hello, adding CID extension" \
1606 -C "found CID extension" \
1607 -S "Copy CIDs into SSL transform" \
1608 -C "Copy CIDs into SSL transform" \
1609 -s "Use of Connection ID was not offered by client"
1610
1611requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1612run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
1613 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1614 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
1615 0 \
1616 -c "Enable use of CID extension." \
1617 -s "Enable use of CID extension." \
1618 -c "client hello, adding CID extension" \
1619 -s "found CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1620 -s "Use of CID extension negotiated" \
1621 -s "server hello, adding CID extension" \
1622 -c "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1623 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1624 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1625 -c "Copy CIDs into SSL transform" \
1626 -c "Peer CID (length 2 Bytes): de ad" \
1627 -s "Peer CID (length 2 Bytes): be ef" \
1628 -s "Use of Connection ID has been negotiated" \
1629 -c "Use of Connection ID has been negotiated"
1630
1631requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1632run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
1633 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
1634 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
1635 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
1636 0 \
1637 -c "Enable use of CID extension." \
1638 -s "Enable use of CID extension." \
1639 -c "client hello, adding CID extension" \
1640 -s "found CID extension" \
1641 -s "Use of CID extension negotiated" \
1642 -s "server hello, adding CID extension" \
1643 -c "found CID extension" \
1644 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1645 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1646 -c "Copy CIDs into SSL transform" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1647 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1648 -s "Peer CID (length 2 Bytes): be ef" \
1649 -s "Use of Connection ID has been negotiated" \
1650 -c "Use of Connection ID has been negotiated" \
1651 -c "ignoring unexpected CID" \
1652 -s "ignoring unexpected CID"
1653
1654requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1655run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
1656 -p "$P_PXY mtu=800" \
1657 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1658 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1659 0 \
1660 -c "Enable use of CID extension." \
1661 -s "Enable use of CID extension." \
1662 -c "client hello, adding CID extension" \
1663 -s "found CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1664 -s "Use of CID extension negotiated" \
1665 -s "server hello, adding CID extension" \
1666 -c "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1667 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1668 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1669 -c "Copy CIDs into SSL transform" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1670 -c "Peer CID (length 2 Bytes): de ad" \
1671 -s "Peer CID (length 2 Bytes): be ef" \
1672 -s "Use of Connection ID has been negotiated" \
1673 -c "Use of Connection ID has been negotiated"
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1674
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1675requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1676run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1677 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1678 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1679 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1680 0 \
1681 -c "Enable use of CID extension." \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1682 -s "Enable use of CID extension." \
1683 -c "client hello, adding CID extension" \
1684 -s "found CID extension" \
1685 -s "Use of CID extension negotiated" \
1686 -s "server hello, adding CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1687 -c "found CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1688 -c "Use of CID extension negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1689 -s "Copy CIDs into SSL transform" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1690 -c "Copy CIDs into SSL transform" \
1691 -c "Peer CID (length 2 Bytes): de ad" \
1692 -s "Peer CID (length 2 Bytes): be ef" \
1693 -s "Use of Connection ID has been negotiated" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1694 -c "Use of Connection ID has been negotiated" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1695 -c "ignoring unexpected CID" \
1696 -s "ignoring unexpected CID"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1697
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1698requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1699run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1700 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1701 "$P_CLI debug_level=3 dtls=1 cid=1" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1702 0 \
1703 -c "Enable use of CID extension." \
1704 -s "Enable use of CID extension." \
1705 -c "client hello, adding CID extension" \
1706 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1707 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1708 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1709 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1710 -c "Use of CID extension negotiated" \
1711 -s "Copy CIDs into SSL transform" \
1712 -c "Copy CIDs into SSL transform" \
1713 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1714 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1715 -s "Use of Connection ID has been negotiated" \
1716 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1717
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1718requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1719run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1720 "$P_SRV debug_level=3 dtls=1 cid=1" \
1721 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1722 0 \
1723 -c "Enable use of CID extension." \
1724 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1725 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1726 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1727 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1728 -s "server hello, adding CID extension" \
1729 -c "found CID extension" \
1730 -c "Use of CID extension negotiated" \
1731 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1732 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1733 -s "Peer CID (length 4 Bytes): de ad be ef" \
1734 -c "Peer CID (length 0 Bytes):" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1735 -s "Use of Connection ID has been negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1736 -c "Use of Connection ID has been negotiated"
1737
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1738requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1739run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1740 "$P_SRV debug_level=3 dtls=1 cid=1" \
1741 "$P_CLI debug_level=3 dtls=1 cid=1" \
1742 0 \
1743 -c "Enable use of CID extension." \
1744 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1745 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1746 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1747 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1748 -s "server hello, adding CID extension" \
1749 -c "found CID extension" \
1750 -c "Use of CID extension negotiated" \
1751 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1752 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1753 -S "Use of Connection ID has been negotiated" \
1754 -C "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1755
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1756requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1757run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1758 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1759 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1760 0 \
1761 -c "Enable use of CID extension." \
1762 -s "Enable use of CID extension." \
1763 -c "client hello, adding CID extension" \
1764 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1765 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1766 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1767 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1768 -c "Use of CID extension negotiated" \
1769 -s "Copy CIDs into SSL transform" \
1770 -c "Copy CIDs into SSL transform" \
1771 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1772 -s "Peer CID (length 2 Bytes): be ef" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1773 -s "Use of Connection ID has been negotiated" \
1774 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1775
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1776requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1777run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1778 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1779 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1780 0 \
1781 -c "Enable use of CID extension." \
1782 -s "Enable use of CID extension." \
1783 -c "client hello, adding CID extension" \
1784 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1785 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1786 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1787 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1788 -c "Use of CID extension negotiated" \
1789 -s "Copy CIDs into SSL transform" \
1790 -c "Copy CIDs into SSL transform" \
1791 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1792 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1793 -s "Use of Connection ID has been negotiated" \
1794 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1795
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1796requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1797run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1798 "$P_SRV debug_level=3 dtls=1 cid=1" \
1799 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1800 0 \
1801 -c "Enable use of CID extension." \
1802 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1803 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1804 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1805 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1806 -s "server hello, adding CID extension" \
1807 -c "found CID extension" \
1808 -c "Use of CID extension negotiated" \
1809 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1810 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1811 -s "Peer CID (length 4 Bytes): de ad be ef" \
1812 -c "Peer CID (length 0 Bytes):" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1813 -s "Use of Connection ID has been negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1814 -c "Use of Connection ID has been negotiated"
1815
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1816requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1817run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1818 "$P_SRV debug_level=3 dtls=1 cid=1" \
1819 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1820 0 \
1821 -c "Enable use of CID extension." \
1822 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1823 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1824 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1825 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1826 -s "server hello, adding CID extension" \
1827 -c "found CID extension" \
1828 -c "Use of CID extension negotiated" \
1829 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1830 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1831 -S "Use of Connection ID has been negotiated" \
1832 -C "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1833
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1834requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1835run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1836 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1837 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1838 0 \
1839 -c "Enable use of CID extension." \
1840 -s "Enable use of CID extension." \
1841 -c "client hello, adding CID extension" \
1842 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1843 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1844 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1845 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1846 -c "Use of CID extension negotiated" \
1847 -s "Copy CIDs into SSL transform" \
1848 -c "Copy CIDs into SSL transform" \
1849 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1850 -s "Peer CID (length 2 Bytes): be ef" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1851 -s "Use of Connection ID has been negotiated" \
1852 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1853
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1854requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1855run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1856 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1857 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1858 0 \
1859 -c "Enable use of CID extension." \
1860 -s "Enable use of CID extension." \
1861 -c "client hello, adding CID extension" \
1862 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1863 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1864 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1865 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1866 -c "Use of CID extension negotiated" \
1867 -s "Copy CIDs into SSL transform" \
1868 -c "Copy CIDs into SSL transform" \
1869 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1870 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1871 -s "Use of Connection ID has been negotiated" \
1872 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1873
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1874requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1875run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1876 "$P_SRV debug_level=3 dtls=1 cid=1" \
1877 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1878 0 \
1879 -c "Enable use of CID extension." \
1880 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1881 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1882 -s "found CID extension" \
Hanno Becker963cb352019-04-23 11:52:44 +0100[diff] [blame]1883 -s "Use of CID extension negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1884 -s "server hello, adding CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1885 -c "found CID extension" \
1886 -c "Use of CID extension negotiated" \
1887 -s "Copy CIDs into SSL transform" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1888 -c "Copy CIDs into SSL transform" \
1889 -s "Peer CID (length 4 Bytes): de ad be ef" \
1890 -c "Peer CID (length 0 Bytes):" \
1891 -s "Use of Connection ID has been negotiated" \
1892 -c "Use of Connection ID has been negotiated"
1893
1894requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1895run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
1896 "$P_SRV debug_level=3 dtls=1 cid=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1897 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1898 0 \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1899 -c "Enable use of CID extension." \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1900 -s "Enable use of CID extension." \
1901 -c "client hello, adding CID extension" \
1902 -s "found CID extension" \
1903 -s "Use of CID extension negotiated" \
1904 -s "server hello, adding CID extension" \
1905 -c "found CID extension" \
1906 -c "Use of CID extension negotiated" \
1907 -s "Copy CIDs into SSL transform" \
1908 -c "Copy CIDs into SSL transform" \
1909 -S "Use of Connection ID has been negotiated" \
1910 -C "Use of Connection ID has been negotiated"
1911
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1912requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1913requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1914run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
1915 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
1916 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
1917 0 \
1918 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1919 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1920 -s "(initial handshake) Use of Connection ID has been negotiated" \
1921 -c "(initial handshake) Use of Connection ID has been negotiated" \
1922 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1923 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1924 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1925 -c "(after renegotiation) Use of Connection ID has been negotiated"
1926
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1927requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1928requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1929run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1930 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1931 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1932 0 \
1933 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1934 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1935 -s "(initial handshake) Use of Connection ID has been negotiated" \
1936 -c "(initial handshake) Use of Connection ID has been negotiated" \
1937 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1938 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1939 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1940 -c "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1941
1942requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1943requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1944run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1945 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1946 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1947 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1948 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1949 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1950 -s "(initial handshake) Use of Connection ID has been negotiated" \
1951 -c "(initial handshake) Use of Connection ID has been negotiated" \
1952 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1953 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1954 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1955 -c "(after renegotiation) Use of Connection ID has been negotiated"
1956
1957requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1958requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1959run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1960 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1961 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1962 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1963 0 \
1964 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1965 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1966 -s "(initial handshake) Use of Connection ID has been negotiated" \
1967 -c "(initial handshake) Use of Connection ID has been negotiated" \
1968 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1969 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1970 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1971 -c "(after renegotiation) Use of Connection ID has been negotiated" \
1972 -c "ignoring unexpected CID" \
1973 -s "ignoring unexpected CID"
1974
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1975requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1976requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1977run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1978 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1979 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1980 0 \
1981 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1982 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1983 -s "(initial handshake) Use of Connection ID has been negotiated" \
1984 -c "(initial handshake) Use of Connection ID has been negotiated" \
1985 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1986 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1987 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1988 -S "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1989
1990requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1991requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1992run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1993 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1994 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1995 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1996 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1997 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1998 -s "(initial handshake) Use of Connection ID has been negotiated" \
1999 -c "(initial handshake) Use of Connection ID has been negotiated" \
2000 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2001 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2002 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2003 -S "(after renegotiation) Use of Connection ID has been negotiated"
2004
2005requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2006requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2007run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2008 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
2009 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2010 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2011 0 \
2012 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2013 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2014 -s "(initial handshake) Use of Connection ID has been negotiated" \
2015 -c "(initial handshake) Use of Connection ID has been negotiated" \
2016 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2017 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2018 -C "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2019 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2020 -c "ignoring unexpected CID" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2021 -s "ignoring unexpected CID"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2022
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2023requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2024requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2025run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
2026 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2027 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2028 0 \
2029 -S "(initial handshake) Use of Connection ID has been negotiated" \
2030 -C "(initial handshake) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2031 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2032 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2033 -c "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2034 -s "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2035
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2036requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2037requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2038run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
2039 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2040 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2041 0 \
2042 -S "(initial handshake) Use of Connection ID has been negotiated" \
2043 -C "(initial handshake) Use of Connection ID has been negotiated" \
2044 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2045 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2046 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2047 -s "(after renegotiation) Use of Connection ID has been negotiated"
2048
2049requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2050requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2051run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2052 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2053 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2054 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2055 0 \
2056 -S "(initial handshake) Use of Connection ID has been negotiated" \
2057 -C "(initial handshake) Use of Connection ID has been negotiated" \
2058 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2059 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2060 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2061 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2062 -c "ignoring unexpected CID" \
2063 -s "ignoring unexpected CID"
2064
2065requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2066requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2067run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
2068 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2069 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2070 0 \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2071 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2072 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2073 -s "(initial handshake) Use of Connection ID has been negotiated" \
2074 -c "(initial handshake) Use of Connection ID has been negotiated" \
2075 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2076 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2077 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2078 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2079 -s "(after renegotiation) Use of Connection ID was not offered by client"
2080
2081requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2082requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2083run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
2084 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
2085 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2086 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2087 0 \
2088 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2089 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2090 -s "(initial handshake) Use of Connection ID has been negotiated" \
2091 -c "(initial handshake) Use of Connection ID has been negotiated" \
2092 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2093 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2094 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2095 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2096 -s "(after renegotiation) Use of Connection ID was not offered by client" \
2097 -c "ignoring unexpected CID" \
2098 -s "ignoring unexpected CID"
2099
2100requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2101requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2102run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
2103 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]2104 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2105 0 \
2106 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2107 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2108 -s "(initial handshake) Use of Connection ID has been negotiated" \
2109 -c "(initial handshake) Use of Connection ID has been negotiated" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2110 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2111 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2112 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2113 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2114 -c "(after renegotiation) Use of Connection ID was rejected by the server"
2115
2116requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2117requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2118run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
2119 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2120 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2121 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2122 0 \
2123 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2124 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2125 -s "(initial handshake) Use of Connection ID has been negotiated" \
2126 -c "(initial handshake) Use of Connection ID has been negotiated" \
2127 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2128 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2129 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2130 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2131 -c "(after renegotiation) Use of Connection ID was rejected by the server" \
2132 -c "ignoring unexpected CID" \
2133 -s "ignoring unexpected CID"
2134
2135# Tests for Encrypt-then-MAC extension
2136
2137run_test "Encrypt then MAC: default" \
2138 "$P_SRV debug_level=3 \
2139 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2140 "$P_CLI debug_level=3" \
2141 0 \
2142 -c "client hello, adding encrypt_then_mac extension" \
2143 -s "found encrypt then mac extension" \
2144 -s "server hello, adding encrypt then mac extension" \
2145 -c "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2146 -c "using encrypt then mac" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2147 -s "using encrypt then mac"
2148
2149run_test "Encrypt then MAC: client enabled, server disabled" \
2150 "$P_SRV debug_level=3 etm=0 \
2151 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2152 "$P_CLI debug_level=3 etm=1" \
2153 0 \
2154 -c "client hello, adding encrypt_then_mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2155 -s "found encrypt then mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2156 -S "server hello, adding encrypt then mac extension" \
2157 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2158 -C "using encrypt then mac" \
2159 -S "using encrypt then mac"
2160
2161run_test "Encrypt then MAC: client enabled, aead cipher" \
2162 "$P_SRV debug_level=3 etm=1 \
2163 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
2164 "$P_CLI debug_level=3 etm=1" \
2165 0 \
2166 -c "client hello, adding encrypt_then_mac extension" \
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2167 -s "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2168 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2169 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2170 -C "using encrypt then mac" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2171 -S "using encrypt then mac"
2172
2173run_test "Encrypt then MAC: client enabled, stream cipher" \
2174 "$P_SRV debug_level=3 etm=1 \
2175 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2176 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2177 0 \
2178 -c "client hello, adding encrypt_then_mac extension" \
2179 -s "found encrypt then mac extension" \
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2180 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2181 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2182 -C "using encrypt then mac" \
2183 -S "using encrypt then mac"
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2184
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2185run_test "Encrypt then MAC: client disabled, server enabled" \
2186 "$P_SRV debug_level=3 etm=1 \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2187 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2188 "$P_CLI debug_level=3 etm=0" \
2189 0 \
2190 -C "client hello, adding encrypt_then_mac extension" \
2191 -S "found encrypt then mac extension" \
2192 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2193 -C "found encrypt_then_mac extension" \
2194 -C "using encrypt then mac" \
Jarno Lamsa31d940b2019-06-12 10:21:33 +0300[diff] [blame]2195 -S "using encrypt then mac"
2196
2197requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2198run_test "Encrypt then MAC: client SSLv3, server enabled" \
2199 "$P_SRV debug_level=3 min_version=ssl3 \
2200 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2201 "$P_CLI debug_level=3 force_version=ssl3" \
2202 0 \
2203 -C "client hello, adding encrypt_then_mac extension" \
2204 -S "found encrypt then mac extension" \
2205 -S "server hello, adding encrypt then mac extension" \
2206 -C "found encrypt_then_mac extension" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2207 -C "using encrypt then mac" \
2208 -S "using encrypt then mac"
2209
2210requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2211run_test "Encrypt then MAC: client enabled, server SSLv3" \
2212 "$P_SRV debug_level=3 force_version=ssl3 \
2213 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2214 "$P_CLI debug_level=3 min_version=ssl3" \
2215 0 \
2216 -c "client hello, adding encrypt_then_mac extension" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2217 -S "found encrypt then mac extension" \
2218 -S "server hello, adding encrypt then mac extension" \
2219 -C "found encrypt_then_mac extension" \
2220 -C "using encrypt then mac" \
2221 -S "using encrypt then mac"
2222
2223# Tests for Extended Master Secret extension
2224
2225run_test "Extended Master Secret: default (not enforcing)" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2226 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0 " \
2227 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]2228 0 \
2229 -c "client hello, adding extended_master_secret extension" \
2230 -s "found extended master secret extension" \
2231 -s "server hello, adding extended master secret extension" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2232 -c "found extended_master_secret extension" \
2233 -c "session hash for extended master secret" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2234 -s "session hash for extended master secret"
2235
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2236run_test "Extended Master Secret: both enabled, both enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2237 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2238 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2239 0 \
2240 -c "client hello, adding extended_master_secret extension" \
2241 -s "found extended master secret extension" \
2242 -s "server hello, adding extended master secret extension" \
2243 -c "found extended_master_secret extension" \
2244 -c "session hash for extended master secret" \
2245 -s "session hash for extended master secret"
2246
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2247run_test "Extended Master Secret: both enabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2248 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2249 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2250 0 \
2251 -c "client hello, adding extended_master_secret extension" \
2252 -s "found extended master secret extension" \
2253 -s "server hello, adding extended master secret extension" \
2254 -c "found extended_master_secret extension" \
2255 -c "session hash for extended master secret" \
2256 -s "session hash for extended master secret"
2257
2258run_test "Extended Master Secret: both enabled, server enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2259 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2260 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2261 0 \
2262 -c "client hello, adding extended_master_secret extension" \
2263 -s "found extended master secret extension" \
2264 -s "server hello, adding extended master secret extension" \
2265 -c "found extended_master_secret extension" \
2266 -c "session hash for extended master secret" \
2267 -s "session hash for extended master secret"
2268
2269run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2270 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2271 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2272 1 \
2273 -c "client hello, adding extended_master_secret extension" \
2274 -s "found extended master secret extension" \
2275 -S "server hello, adding extended master secret extension" \
2276 -C "found extended_master_secret extension" \
2277 -c "Peer not offering extended master secret, while it is enforced"
2278
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2279run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2280 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2281 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2282 1 \
2283 -C "client hello, adding extended_master_secret extension" \
2284 -S "found extended master secret extension" \
2285 -S "server hello, adding extended master secret extension" \
2286 -C "found extended_master_secret extension" \
2287 -s "Peer not offering extended master secret, while it is enforced"
2288
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2289run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2290 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2291 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2292 0 \
2293 -c "client hello, adding extended_master_secret extension" \
2294 -s "found extended master secret extension" \
2295 -S "server hello, adding extended master secret extension" \
2296 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2297 -C "session hash for extended master secret" \
2298 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2299
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2300run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2301 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2302 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2303 0 \
2304 -C "client hello, adding extended_master_secret extension" \
2305 -S "found extended master secret extension" \
2306 -S "server hello, adding extended master secret extension" \
2307 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2308 -C "session hash for extended master secret" \
2309 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2310
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2311run_test "Extended Master Secret: client disabled, server disabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2312 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2313 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2314 0 \
2315 -C "client hello, adding extended_master_secret extension" \
2316 -S "found extended master secret extension" \
2317 -S "server hello, adding extended master secret extension" \
2318 -C "found extended_master_secret extension" \
2319 -C "session hash for extended master secret" \
2320 -S "session hash for extended master secret"
2321
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2322requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2323run_test "Extended Master Secret: client SSLv3, server enabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2324 "$P_SRV debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2325 "$P_CLI debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2326 0 \
2327 -C "client hello, adding extended_master_secret extension" \
2328 -S "found extended master secret extension" \
2329 -S "server hello, adding extended master secret extension" \
2330 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2331 -C "session hash for extended master secret" \
2332 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2333
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2334requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2335run_test "Extended Master Secret: client enabled, server SSLv3" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2336 "$P_SRV debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2337 "$P_CLI debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2338 0 \
2339 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2340 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2341 -S "server hello, adding extended master secret extension" \
2342 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2343 -C "session hash for extended master secret" \
2344 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2345
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2346# Tests for FALLBACK_SCSV
2347
2348run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2349 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2350 "$P_CLI debug_level=3 force_version=tls1_1" \
2351 0 \
2352 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2353 -S "received FALLBACK_SCSV" \
2354 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2355 -C "is a fatal alert message (msg 86)"
2356
2357run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2358 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2359 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2360 0 \
2361 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2362 -S "received FALLBACK_SCSV" \
2363 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2364 -C "is a fatal alert message (msg 86)"
2365
2366run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2367 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2368 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2369 1 \
2370 -c "adding FALLBACK_SCSV" \
2371 -s "received FALLBACK_SCSV" \
2372 -s "inapropriate fallback" \
2373 -c "is a fatal alert message (msg 86)"
2374
2375run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2376 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2377 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2378 0 \
2379 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2380 -s "received FALLBACK_SCSV" \
2381 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2382 -C "is a fatal alert message (msg 86)"
2383
2384requires_openssl_with_fallback_scsv
2385run_test "Fallback SCSV: default, openssl server" \
2386 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2387 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2388 0 \
2389 -C "adding FALLBACK_SCSV" \
2390 -C "is a fatal alert message (msg 86)"
2391
2392requires_openssl_with_fallback_scsv
2393run_test "Fallback SCSV: enabled, openssl server" \
2394 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2395 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2396 1 \
2397 -c "adding FALLBACK_SCSV" \
2398 -c "is a fatal alert message (msg 86)"
2399
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2400requires_openssl_with_fallback_scsv
2401run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2402 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2403 "$O_CLI -tls1_1" \
2404 0 \
2405 -S "received FALLBACK_SCSV" \
2406 -S "inapropriate fallback"
2407
2408requires_openssl_with_fallback_scsv
2409run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2410 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2411 "$O_CLI -tls1_1 -fallback_scsv" \
2412 1 \
2413 -s "received FALLBACK_SCSV" \
2414 -s "inapropriate fallback"
2415
2416requires_openssl_with_fallback_scsv
2417run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2418 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2419 "$O_CLI -fallback_scsv" \
2420 0 \
2421 -s "received FALLBACK_SCSV" \
2422 -S "inapropriate fallback"
2423
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2424# Test sending and receiving empty application data records
2425
2426run_test "Encrypt then MAC: empty application data record" \
2427 "$P_SRV auth_mode=none debug_level=4 etm=1" \
2428 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
2429 0 \
2430 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2431 -s "dumping 'input payload after decrypt' (0 bytes)" \
2432 -c "0 bytes written in 1 fragments"
2433
2434run_test "Default, no Encrypt then MAC: empty application data record" \
2435 "$P_SRV auth_mode=none debug_level=4 etm=0" \
2436 "$P_CLI auth_mode=none etm=0 request_size=0" \
2437 0 \
2438 -s "dumping 'input payload after decrypt' (0 bytes)" \
2439 -c "0 bytes written in 1 fragments"
2440
2441run_test "Encrypt then MAC, DTLS: empty application data record" \
2442 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
2443 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
2444 0 \
2445 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2446 -s "dumping 'input payload after decrypt' (0 bytes)" \
2447 -c "0 bytes written in 1 fragments"
2448
2449run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
2450 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
2451 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
2452 0 \
2453 -s "dumping 'input payload after decrypt' (0 bytes)" \
2454 -c "0 bytes written in 1 fragments"
2455
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2456## ClientHello generated with
2457## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
2458## then manually twiddling the ciphersuite list.
2459## The ClientHello content is spelled out below as a hex string as
2460## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
2461## The expected response is an inappropriate_fallback alert.
2462requires_openssl_with_fallback_scsv
2463run_test "Fallback SCSV: beginning of list" \
2464 "$P_SRV debug_level=2" \
2465 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
2466 0 \
2467 -s "received FALLBACK_SCSV" \
2468 -s "inapropriate fallback"
2469
2470requires_openssl_with_fallback_scsv
2471run_test "Fallback SCSV: end of list" \
2472 "$P_SRV debug_level=2" \
2473 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
2474 0 \
2475 -s "received FALLBACK_SCSV" \
2476 -s "inapropriate fallback"
2477
2478## Here the expected response is a valid ServerHello prefix, up to the random.
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]2479## Due to the way the clienthello was generated, this currently needs the
2480## server to have support for session tickets.
2481requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2482requires_openssl_with_fallback_scsv
2483run_test "Fallback SCSV: not in list" \
2484 "$P_SRV debug_level=2" \
2485 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
2486 0 \
2487 -S "received FALLBACK_SCSV" \
2488 -S "inapropriate fallback"
2489
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2490# Tests for CBC 1/n-1 record splitting
2491
2492run_test "CBC Record splitting: TLS 1.2, no splitting" \
2493 "$P_SRV" \
2494 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2495 request_size=123 force_version=tls1_2" \
2496 0 \
2497 -s "Read from client: 123 bytes read" \
2498 -S "Read from client: 1 bytes read" \
2499 -S "122 bytes read"
2500
2501run_test "CBC Record splitting: TLS 1.1, no splitting" \
2502 "$P_SRV" \
2503 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2504 request_size=123 force_version=tls1_1" \
2505 0 \
2506 -s "Read from client: 123 bytes read" \
2507 -S "Read from client: 1 bytes read" \
2508 -S "122 bytes read"
2509
2510run_test "CBC Record splitting: TLS 1.0, splitting" \
2511 "$P_SRV" \
2512 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2513 request_size=123 force_version=tls1" \
2514 0 \
2515 -S "Read from client: 123 bytes read" \
2516 -s "Read from client: 1 bytes read" \
2517 -s "122 bytes read"
2518
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2519requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2520run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2521 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2522 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2523 request_size=123 force_version=ssl3" \
2524 0 \
2525 -S "Read from client: 123 bytes read" \
2526 -s "Read from client: 1 bytes read" \
2527 -s "122 bytes read"
2528
2529run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2530 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2531 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2532 request_size=123 force_version=tls1" \
2533 0 \
2534 -s "Read from client: 123 bytes read" \
2535 -S "Read from client: 1 bytes read" \
2536 -S "122 bytes read"
2537
2538run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
2539 "$P_SRV" \
2540 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2541 request_size=123 force_version=tls1 recsplit=0" \
2542 0 \
2543 -s "Read from client: 123 bytes read" \
2544 -S "Read from client: 1 bytes read" \
2545 -S "122 bytes read"
2546
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]2547run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
2548 "$P_SRV nbio=2" \
2549 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2550 request_size=123 force_version=tls1" \
2551 0 \
2552 -S "Read from client: 123 bytes read" \
2553 -s "Read from client: 1 bytes read" \
2554 -s "122 bytes read"
2555
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2556# Tests for Session Tickets
2557
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2558requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2559requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2560run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2561 "$P_SRV debug_level=3 tickets=1" \
2562 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2563 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2564 -c "client hello, adding session ticket extension" \
2565 -s "found session ticket extension" \
2566 -s "server hello, adding session ticket extension" \
2567 -c "found session_ticket extension" \
2568 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2569 -S "session successfully restored from cache" \
2570 -s "session successfully restored from ticket" \
2571 -s "a session has been resumed" \
2572 -c "a session has been resumed"
2573
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2574requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2575requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2576run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2577 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2578 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2579 0 \
2580 -c "client hello, adding session ticket extension" \
2581 -s "found session ticket extension" \
2582 -s "server hello, adding session ticket extension" \
2583 -c "found session_ticket extension" \
2584 -c "parse new session ticket" \
2585 -S "session successfully restored from cache" \
2586 -s "session successfully restored from ticket" \
2587 -s "a session has been resumed" \
2588 -c "a session has been resumed"
2589
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2590requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2591requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2592run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2593 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
2594 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2595 0 \
2596 -c "client hello, adding session ticket extension" \
2597 -s "found session ticket extension" \
2598 -s "server hello, adding session ticket extension" \
2599 -c "found session_ticket extension" \
2600 -c "parse new session ticket" \
2601 -S "session successfully restored from cache" \
2602 -S "session successfully restored from ticket" \
2603 -S "a session has been resumed" \
2604 -C "a session has been resumed"
2605
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2606requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2607requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2608run_test "Session resume using tickets: session copy" \
2609 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2610 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
2611 0 \
2612 -c "client hello, adding session ticket extension" \
2613 -s "found session ticket extension" \
2614 -s "server hello, adding session ticket extension" \
2615 -c "found session_ticket extension" \
2616 -c "parse new session ticket" \
2617 -S "session successfully restored from cache" \
2618 -s "session successfully restored from ticket" \
2619 -s "a session has been resumed" \
2620 -c "a session has been resumed"
2621
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2622requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2623requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2624run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2625 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2626 "$P_CLI debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2627 0 \
2628 -c "client hello, adding session ticket extension" \
2629 -c "found session_ticket extension" \
2630 -c "parse new session ticket" \
2631 -c "a session has been resumed"
2632
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2633requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2634requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2635run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2636 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2637 "( $O_CLI -sess_out $SESSION; \
2638 $O_CLI -sess_in $SESSION; \
2639 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2640 0 \
2641 -s "found session ticket extension" \
2642 -s "server hello, adding session ticket extension" \
2643 -S "session successfully restored from cache" \
2644 -s "session successfully restored from ticket" \
2645 -s "a session has been resumed"
2646
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2647# Tests for Session Tickets with DTLS
2648
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2649requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2650requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2651run_test "Session resume using tickets, DTLS: basic" \
2652 "$P_SRV debug_level=3 dtls=1 tickets=1" \
2653 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2654 0 \
2655 -c "client hello, adding session ticket extension" \
2656 -s "found session ticket extension" \
2657 -s "server hello, adding session ticket extension" \
2658 -c "found session_ticket extension" \
2659 -c "parse new session ticket" \
2660 -S "session successfully restored from cache" \
2661 -s "session successfully restored from ticket" \
2662 -s "a session has been resumed" \
2663 -c "a session has been resumed"
2664
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2665requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2666requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2667run_test "Session resume using tickets, DTLS: cache disabled" \
2668 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2669 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2670 0 \
2671 -c "client hello, adding session ticket extension" \
2672 -s "found session ticket extension" \
2673 -s "server hello, adding session ticket extension" \
2674 -c "found session_ticket extension" \
2675 -c "parse new session ticket" \
2676 -S "session successfully restored from cache" \
2677 -s "session successfully restored from ticket" \
2678 -s "a session has been resumed" \
2679 -c "a session has been resumed"
2680
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2681requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2682requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2683run_test "Session resume using tickets, DTLS: timeout" \
2684 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
2685 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
2686 0 \
2687 -c "client hello, adding session ticket extension" \
2688 -s "found session ticket extension" \
2689 -s "server hello, adding session ticket extension" \
2690 -c "found session_ticket extension" \
2691 -c "parse new session ticket" \
2692 -S "session successfully restored from cache" \
2693 -S "session successfully restored from ticket" \
2694 -S "a session has been resumed" \
2695 -C "a session has been resumed"
2696
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2697requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2698requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2699run_test "Session resume using tickets, DTLS: session copy" \
2700 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2701 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_mode=0" \
2702 0 \
2703 -c "client hello, adding session ticket extension" \
2704 -s "found session ticket extension" \
2705 -s "server hello, adding session ticket extension" \
2706 -c "found session_ticket extension" \
2707 -c "parse new session ticket" \
2708 -S "session successfully restored from cache" \
2709 -s "session successfully restored from ticket" \
2710 -s "a session has been resumed" \
2711 -c "a session has been resumed"
2712
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2713requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2714requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2715run_test "Session resume using tickets, DTLS: openssl server" \
2716 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2717 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2718 0 \
2719 -c "client hello, adding session ticket extension" \
2720 -c "found session_ticket extension" \
2721 -c "parse new session ticket" \
2722 -c "a session has been resumed"
2723
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2724requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2725requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2726run_test "Session resume using tickets, DTLS: openssl client" \
2727 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2728 "( $O_CLI -dtls1 -sess_out $SESSION; \
2729 $O_CLI -dtls1 -sess_in $SESSION; \
2730 rm -f $SESSION )" \
2731 0 \
2732 -s "found session ticket extension" \
2733 -s "server hello, adding session ticket extension" \
2734 -S "session successfully restored from cache" \
2735 -s "session successfully restored from ticket" \
2736 -s "a session has been resumed"
2737
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2738# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2739
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2740requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2741requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2742requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2743run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2744 "$P_SRV debug_level=3 tickets=0" \
2745 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2746 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2747 -c "client hello, adding session ticket extension" \
2748 -s "found session ticket extension" \
2749 -S "server hello, adding session ticket extension" \
2750 -C "found session_ticket extension" \
2751 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2752 -s "session successfully restored from cache" \
2753 -S "session successfully restored from ticket" \
2754 -s "a session has been resumed" \
2755 -c "a session has been resumed"
2756
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2757requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2758requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2759requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2760run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2761 "$P_SRV debug_level=3 tickets=1" \
2762 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2763 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2764 -C "client hello, adding session ticket extension" \
2765 -S "found session ticket extension" \
2766 -S "server hello, adding session ticket extension" \
2767 -C "found session_ticket extension" \
2768 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2769 -s "session successfully restored from cache" \
2770 -S "session successfully restored from ticket" \
2771 -s "a session has been resumed" \
2772 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2773
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2774requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2775requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2776run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2777 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
2778 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2779 0 \
2780 -S "session successfully restored from cache" \
2781 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2782 -S "a session has been resumed" \
2783 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2784
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2785requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2786requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2787run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2788 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
2789 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2790 0 \
2791 -s "session successfully restored from cache" \
2792 -S "session successfully restored from ticket" \
2793 -s "a session has been resumed" \
2794 -c "a session has been resumed"
2795
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2796requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2797requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]2798run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2799 "$P_SRV debug_level=3 tickets=0" \
2800 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2801 0 \
2802 -s "session successfully restored from cache" \
2803 -S "session successfully restored from ticket" \
2804 -s "a session has been resumed" \
2805 -c "a session has been resumed"
2806
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2807requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2808requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2809run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2810 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
2811 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2812 0 \
2813 -S "session successfully restored from cache" \
2814 -S "session successfully restored from ticket" \
2815 -S "a session has been resumed" \
2816 -C "a session has been resumed"
2817
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2818requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2819requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2820run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2821 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
2822 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2823 0 \
2824 -s "session successfully restored from cache" \
2825 -S "session successfully restored from ticket" \
2826 -s "a session has been resumed" \
2827 -c "a session has been resumed"
2828
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2829requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2830requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2831run_test "Session resume using cache: session copy" \
2832 "$P_SRV debug_level=3 tickets=0" \
2833 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
2834 0 \
2835 -s "session successfully restored from cache" \
2836 -S "session successfully restored from ticket" \
2837 -s "a session has been resumed" \
2838 -c "a session has been resumed"
2839
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2840requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2841requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2842run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2843 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2844 "( $O_CLI -sess_out $SESSION; \
2845 $O_CLI -sess_in $SESSION; \
2846 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2847 0 \
2848 -s "found session ticket extension" \
2849 -S "server hello, adding session ticket extension" \
2850 -s "session successfully restored from cache" \
2851 -S "session successfully restored from ticket" \
2852 -s "a session has been resumed"
2853
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2854requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2855requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2856run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2857 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2858 "$P_CLI debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2859 0 \
2860 -C "found session_ticket extension" \
2861 -C "parse new session ticket" \
2862 -c "a session has been resumed"
2863
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2864# Tests for Session Resume based on session-ID and cache, DTLS
2865
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2866requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2867requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2868requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2869run_test "Session resume using cache, DTLS: tickets enabled on client" \
2870 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2871 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
2872 0 \
2873 -c "client hello, adding session ticket extension" \
2874 -s "found session ticket extension" \
2875 -S "server hello, adding session ticket extension" \
2876 -C "found session_ticket extension" \
2877 -C "parse new session ticket" \
2878 -s "session successfully restored from cache" \
2879 -S "session successfully restored from ticket" \
2880 -s "a session has been resumed" \
2881 -c "a session has been resumed"
2882
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2883requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2884requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2885requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2886run_test "Session resume using cache, DTLS: tickets enabled on server" \
2887 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2888 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2889 0 \
2890 -C "client hello, adding session ticket extension" \
2891 -S "found session ticket extension" \
2892 -S "server hello, adding session ticket extension" \
2893 -C "found session_ticket extension" \
2894 -C "parse new session ticket" \
2895 -s "session successfully restored from cache" \
2896 -S "session successfully restored from ticket" \
2897 -s "a session has been resumed" \
2898 -c "a session has been resumed"
2899
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2900requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2901requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2902run_test "Session resume using cache, DTLS: cache_max=0" \
2903 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
2904 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2905 0 \
2906 -S "session successfully restored from cache" \
2907 -S "session successfully restored from ticket" \
2908 -S "a session has been resumed" \
2909 -C "a session has been resumed"
2910
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2911requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2912requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2913run_test "Session resume using cache, DTLS: cache_max=1" \
2914 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
2915 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2916 0 \
2917 -s "session successfully restored from cache" \
2918 -S "session successfully restored from ticket" \
2919 -s "a session has been resumed" \
2920 -c "a session has been resumed"
2921
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2922requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2923requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2924run_test "Session resume using cache, DTLS: timeout > delay" \
2925 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2926 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
2927 0 \
2928 -s "session successfully restored from cache" \
2929 -S "session successfully restored from ticket" \
2930 -s "a session has been resumed" \
2931 -c "a session has been resumed"
2932
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2933requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2934requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2935run_test "Session resume using cache, DTLS: timeout < delay" \
2936 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
2937 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2938 0 \
2939 -S "session successfully restored from cache" \
2940 -S "session successfully restored from ticket" \
2941 -S "a session has been resumed" \
2942 -C "a session has been resumed"
2943
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2944requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2945requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2946run_test "Session resume using cache, DTLS: no timeout" \
2947 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
2948 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2949 0 \
2950 -s "session successfully restored from cache" \
2951 -S "session successfully restored from ticket" \
2952 -s "a session has been resumed" \
2953 -c "a session has been resumed"
2954
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2955requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2956requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2957run_test "Session resume using cache, DTLS: session copy" \
2958 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2959 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
2960 0 \
2961 -s "session successfully restored from cache" \
2962 -S "session successfully restored from ticket" \
2963 -s "a session has been resumed" \
2964 -c "a session has been resumed"
2965
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2966requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2967requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2968run_test "Session resume using cache, DTLS: openssl client" \
2969 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2970 "( $O_CLI -dtls1 -sess_out $SESSION; \
2971 $O_CLI -dtls1 -sess_in $SESSION; \
2972 rm -f $SESSION )" \
2973 0 \
2974 -s "found session ticket extension" \
2975 -S "server hello, adding session ticket extension" \
2976 -s "session successfully restored from cache" \
2977 -S "session successfully restored from ticket" \
2978 -s "a session has been resumed"
2979
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2980requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2981requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2982run_test "Session resume using cache, DTLS: openssl server" \
2983 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2984 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2985 0 \
2986 -C "found session_ticket extension" \
2987 -C "parse new session ticket" \
2988 -c "a session has been resumed"
2989
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2990# Tests for Max Fragment Length extension
2991
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2992if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
2993 printf "${CONFIG_H} defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n"
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]2994 exit 1
2995fi
2996
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2997if [ $MAX_CONTENT_LEN -ne 16384 ]; then
2998 printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
2999fi
3000
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3001requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3002run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3003 "$P_SRV debug_level=3" \
3004 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3005 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3006 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3007 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3008 -C "client hello, adding max_fragment_length extension" \
3009 -S "found max fragment length extension" \
3010 -S "server hello, max_fragment_length extension" \
3011 -C "found max_fragment_length extension"
3012
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3013requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3014run_test "Max fragment length: enabled, default, larger message" \
3015 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3016 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3017 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3018 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3019 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3020 -C "client hello, adding max_fragment_length extension" \
3021 -S "found max fragment length extension" \
3022 -S "server hello, max_fragment_length extension" \
3023 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3024 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3025 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3026 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3027
3028requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3029run_test "Max fragment length, DTLS: enabled, default, larger message" \
3030 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3031 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3032 1 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3033 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3034 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3035 -C "client hello, adding max_fragment_length extension" \
3036 -S "found max fragment length extension" \
3037 -S "server hello, max_fragment_length extension" \
3038 -C "found max_fragment_length extension" \
3039 -c "fragment larger than.*maximum "
3040
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3041# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
3042# (session fragment length will be 16384 regardless of mbedtls
3043# content length configuration.)
3044
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3045requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3046run_test "Max fragment length: disabled, larger message" \
3047 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3048 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3049 0 \
3050 -C "Maximum fragment length is 16384" \
3051 -S "Maximum fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3052 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3053 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3054 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3055
3056requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3057run_test "Max fragment length DTLS: disabled, larger message" \
3058 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3059 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3060 1 \
3061 -C "Maximum fragment length is 16384" \
3062 -S "Maximum fragment length is 16384" \
3063 -c "fragment larger than.*maximum "
3064
3065requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3066run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3067 "$P_SRV debug_level=3" \
3068 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3069 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3070 -c "Maximum fragment length is 4096" \
3071 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3072 -c "client hello, adding max_fragment_length extension" \
3073 -s "found max fragment length extension" \
3074 -s "server hello, max_fragment_length extension" \
3075 -c "found max_fragment_length extension"
3076
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3077requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3078run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3079 "$P_SRV debug_level=3 max_frag_len=4096" \
3080 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3081 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3082 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3083 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3084 -C "client hello, adding max_fragment_length extension" \
3085 -S "found max fragment length extension" \
3086 -S "server hello, max_fragment_length extension" \
3087 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3088
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3089requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3090requires_gnutls
3091run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3092 "$G_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3093 "$P_CLI debug_level=3 max_frag_len=4096 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3094 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3095 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3096 -c "client hello, adding max_fragment_length extension" \
3097 -c "found max_fragment_length extension"
3098
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3099requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3100run_test "Max fragment length: client, message just fits" \
3101 "$P_SRV debug_level=3" \
3102 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
3103 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3104 -c "Maximum fragment length is 2048" \
3105 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3106 -c "client hello, adding max_fragment_length extension" \
3107 -s "found max fragment length extension" \
3108 -s "server hello, max_fragment_length extension" \
3109 -c "found max_fragment_length extension" \
3110 -c "2048 bytes written in 1 fragments" \
3111 -s "2048 bytes read"
3112
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3113requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3114run_test "Max fragment length: client, larger message" \
3115 "$P_SRV debug_level=3" \
3116 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
3117 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3118 -c "Maximum fragment length is 2048" \
3119 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3120 -c "client hello, adding max_fragment_length extension" \
3121 -s "found max fragment length extension" \
3122 -s "server hello, max_fragment_length extension" \
3123 -c "found max_fragment_length extension" \
3124 -c "2345 bytes written in 2 fragments" \
3125 -s "2048 bytes read" \
3126 -s "297 bytes read"
3127
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3128requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]3129run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3130 "$P_SRV debug_level=3 dtls=1" \
3131 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
3132 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3133 -c "Maximum fragment length is 2048" \
3134 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3135 -c "client hello, adding max_fragment_length extension" \
3136 -s "found max fragment length extension" \
3137 -s "server hello, max_fragment_length extension" \
3138 -c "found max_fragment_length extension" \
3139 -c "fragment larger than.*maximum"
3140
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3141# Tests for renegotiation
3142
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3143# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3144run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3145 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3146 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3147 0 \
3148 -C "client hello, adding renegotiation extension" \
3149 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3150 -S "found renegotiation extension" \
3151 -s "server hello, secure renegotiation extension" \
3152 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3153 -C "=> renegotiate" \
3154 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3155 -S "write hello request"
3156
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3157requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3158run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3159 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3160 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3161 0 \
3162 -c "client hello, adding renegotiation extension" \
3163 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3164 -s "found renegotiation extension" \
3165 -s "server hello, secure renegotiation extension" \
3166 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3167 -c "=> renegotiate" \
3168 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3169 -S "write hello request"
3170
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3171requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3172run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3173 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3174 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3175 0 \
3176 -c "client hello, adding renegotiation extension" \
3177 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3178 -s "found renegotiation extension" \
3179 -s "server hello, secure renegotiation extension" \
3180 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3181 -c "=> renegotiate" \
3182 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3183 -s "write hello request"
3184
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3185# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3186# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3187# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3188requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3189run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
3190 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
3191 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
3192 0 \
3193 -c "client hello, adding renegotiation extension" \
3194 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3195 -s "found renegotiation extension" \
3196 -s "server hello, secure renegotiation extension" \
3197 -c "found renegotiation extension" \
3198 -c "=> renegotiate" \
3199 -s "=> renegotiate" \
3200 -S "write hello request" \
3201 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3202
3203# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3204# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3205# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3206requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3207run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
3208 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
3209 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3210 0 \
3211 -c "client hello, adding renegotiation extension" \
3212 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3213 -s "found renegotiation extension" \
3214 -s "server hello, secure renegotiation extension" \
3215 -c "found renegotiation extension" \
3216 -c "=> renegotiate" \
3217 -s "=> renegotiate" \
3218 -s "write hello request" \
3219 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3220
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3221requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3222run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3223 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3224 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3225 0 \
3226 -c "client hello, adding renegotiation extension" \
3227 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3228 -s "found renegotiation extension" \
3229 -s "server hello, secure renegotiation extension" \
3230 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3231 -c "=> renegotiate" \
3232 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3233 -s "write hello request"
3234
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3235requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3236run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3237 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3238 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3239 1 \
3240 -c "client hello, adding renegotiation extension" \
3241 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3242 -S "found renegotiation extension" \
3243 -s "server hello, secure renegotiation extension" \
3244 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3245 -c "=> renegotiate" \
3246 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3247 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]3248 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3249 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3250
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3251requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3252run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3253 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3254 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3255 0 \
3256 -C "client hello, adding renegotiation extension" \
3257 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3258 -S "found renegotiation extension" \
3259 -s "server hello, secure renegotiation extension" \
3260 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3261 -C "=> renegotiate" \
3262 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3263 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]3264 -S "SSL - An unexpected message was received from our peer" \
3265 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3266
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3267requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3268run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3269 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3270 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3271 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3272 0 \
3273 -C "client hello, adding renegotiation extension" \
3274 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3275 -S "found renegotiation extension" \
3276 -s "server hello, secure renegotiation extension" \
3277 -c "found renegotiation extension" \
3278 -C "=> renegotiate" \
3279 -S "=> renegotiate" \
3280 -s "write hello request" \
3281 -S "SSL - An unexpected message was received from our peer" \
3282 -S "failed"
3283
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3284# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3285requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3286run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3287 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3288 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3289 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3290 0 \
3291 -C "client hello, adding renegotiation extension" \
3292 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3293 -S "found renegotiation extension" \
3294 -s "server hello, secure renegotiation extension" \
3295 -c "found renegotiation extension" \
3296 -C "=> renegotiate" \
3297 -S "=> renegotiate" \
3298 -s "write hello request" \
3299 -S "SSL - An unexpected message was received from our peer" \
3300 -S "failed"
3301
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3302requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3303run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3304 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3305 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3306 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3307 0 \
3308 -C "client hello, adding renegotiation extension" \
3309 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3310 -S "found renegotiation extension" \
3311 -s "server hello, secure renegotiation extension" \
3312 -c "found renegotiation extension" \
3313 -C "=> renegotiate" \
3314 -S "=> renegotiate" \
3315 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3316 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3317
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3318requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3319run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3320 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3321 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3322 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3323 0 \
3324 -c "client hello, adding renegotiation extension" \
3325 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3326 -s "found renegotiation extension" \
3327 -s "server hello, secure renegotiation extension" \
3328 -c "found renegotiation extension" \
3329 -c "=> renegotiate" \
3330 -s "=> renegotiate" \
3331 -s "write hello request" \
3332 -S "SSL - An unexpected message was received from our peer" \
3333 -S "failed"
3334
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3335requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3336run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3337 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3338 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3339 0 \
3340 -C "client hello, adding renegotiation extension" \
3341 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3342 -S "found renegotiation extension" \
3343 -s "server hello, secure renegotiation extension" \
3344 -c "found renegotiation extension" \
3345 -S "record counter limit reached: renegotiate" \
3346 -C "=> renegotiate" \
3347 -S "=> renegotiate" \
3348 -S "write hello request" \
3349 -S "SSL - An unexpected message was received from our peer" \
3350 -S "failed"
3351
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3352# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3353requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3354run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3355 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3356 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3357 0 \
3358 -c "client hello, adding renegotiation extension" \
3359 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3360 -s "found renegotiation extension" \
3361 -s "server hello, secure renegotiation extension" \
3362 -c "found renegotiation extension" \
3363 -s "record counter limit reached: renegotiate" \
3364 -c "=> renegotiate" \
3365 -s "=> renegotiate" \
3366 -s "write hello request" \
3367 -S "SSL - An unexpected message was received from our peer" \
3368 -S "failed"
3369
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3370requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3371run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3372 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3373 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3374 0 \
3375 -c "client hello, adding renegotiation extension" \
3376 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3377 -s "found renegotiation extension" \
3378 -s "server hello, secure renegotiation extension" \
3379 -c "found renegotiation extension" \
3380 -s "record counter limit reached: renegotiate" \
3381 -c "=> renegotiate" \
3382 -s "=> renegotiate" \
3383 -s "write hello request" \
3384 -S "SSL - An unexpected message was received from our peer" \
3385 -S "failed"
3386
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3387requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3388run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3389 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3390 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
3391 0 \
3392 -C "client hello, adding renegotiation extension" \
3393 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3394 -S "found renegotiation extension" \
3395 -s "server hello, secure renegotiation extension" \
3396 -c "found renegotiation extension" \
3397 -S "record counter limit reached: renegotiate" \
3398 -C "=> renegotiate" \
3399 -S "=> renegotiate" \
3400 -S "write hello request" \
3401 -S "SSL - An unexpected message was received from our peer" \
3402 -S "failed"
3403
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3404requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3405run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3406 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3407 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3408 0 \
3409 -c "client hello, adding renegotiation extension" \
3410 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3411 -s "found renegotiation extension" \
3412 -s "server hello, secure renegotiation extension" \
3413 -c "found renegotiation extension" \
3414 -c "=> renegotiate" \
3415 -s "=> renegotiate" \
3416 -S "write hello request"
3417
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3418requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3419run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3420 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3421 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3422 0 \
3423 -c "client hello, adding renegotiation extension" \
3424 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3425 -s "found renegotiation extension" \
3426 -s "server hello, secure renegotiation extension" \
3427 -c "found renegotiation extension" \
3428 -c "=> renegotiate" \
3429 -s "=> renegotiate" \
3430 -s "write hello request"
3431
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3432requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3433run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3434 "$O_SRV -www" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3435 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3436 0 \
3437 -c "client hello, adding renegotiation extension" \
3438 -c "found renegotiation extension" \
3439 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3440 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3441 -C "error" \
3442 -c "HTTP/1.0 200 [Oo][Kk]"
3443
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3444requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3445requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3446run_test "Renegotiation: gnutls server strict, client-initiated" \
3447 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3448 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3449 0 \
3450 -c "client hello, adding renegotiation extension" \
3451 -c "found renegotiation extension" \
3452 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3453 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3454 -C "error" \
3455 -c "HTTP/1.0 200 [Oo][Kk]"
3456
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3457requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3458requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3459run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
3460 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3461 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3462 1 \
3463 -c "client hello, adding renegotiation extension" \
3464 -C "found renegotiation extension" \
3465 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3466 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3467 -c "error" \
3468 -C "HTTP/1.0 200 [Oo][Kk]"
3469
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3470requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3471requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3472run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
3473 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3474 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3475 allow_legacy=0" \
3476 1 \
3477 -c "client hello, adding renegotiation extension" \
3478 -C "found renegotiation extension" \
3479 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3480 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3481 -c "error" \
3482 -C "HTTP/1.0 200 [Oo][Kk]"
3483
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3484requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3485requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3486run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
3487 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3488 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3489 allow_legacy=1" \
3490 0 \
3491 -c "client hello, adding renegotiation extension" \
3492 -C "found renegotiation extension" \
3493 -c "=> renegotiate" \
3494 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3495 -C "error" \
3496 -c "HTTP/1.0 200 [Oo][Kk]"
3497
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3498requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]3499run_test "Renegotiation: DTLS, client-initiated" \
3500 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
3501 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
3502 0 \
3503 -c "client hello, adding renegotiation extension" \
3504 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3505 -s "found renegotiation extension" \
3506 -s "server hello, secure renegotiation extension" \
3507 -c "found renegotiation extension" \
3508 -c "=> renegotiate" \
3509 -s "=> renegotiate" \
3510 -S "write hello request"
3511
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3512requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3513run_test "Renegotiation: DTLS, server-initiated" \
3514 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]3515 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
3516 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3517 0 \
3518 -c "client hello, adding renegotiation extension" \
3519 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3520 -s "found renegotiation extension" \
3521 -s "server hello, secure renegotiation extension" \
3522 -c "found renegotiation extension" \
3523 -c "=> renegotiate" \
3524 -s "=> renegotiate" \
3525 -s "write hello request"
3526
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3527requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3528run_test "Renegotiation: DTLS, renego_period overflow" \
3529 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
3530 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
3531 0 \
3532 -c "client hello, adding renegotiation extension" \
3533 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3534 -s "found renegotiation extension" \
3535 -s "server hello, secure renegotiation extension" \
3536 -s "record counter limit reached: renegotiate" \
3537 -c "=> renegotiate" \
3538 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3539 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3540
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3541requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3542requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3543run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
3544 "$G_SRV -u --mtu 4096" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3545 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3546 0 \
3547 -c "client hello, adding renegotiation extension" \
3548 -c "found renegotiation extension" \
3549 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3550 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3551 -C "error" \
3552 -s "Extra-header:"
3553
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3554# Test for the "secure renegotation" extension only (no actual renegotiation)
3555
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3556requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3557run_test "Renego ext: gnutls server strict, client default" \
3558 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3559 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3560 0 \
3561 -c "found renegotiation extension" \
3562 -C "error" \
3563 -c "HTTP/1.0 200 [Oo][Kk]"
3564
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3565requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3566run_test "Renego ext: gnutls server unsafe, client default" \
3567 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3568 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3569 0 \
3570 -C "found renegotiation extension" \
3571 -C "error" \
3572 -c "HTTP/1.0 200 [Oo][Kk]"
3573
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3574requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3575run_test "Renego ext: gnutls server unsafe, client break legacy" \
3576 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3577 "$P_CLI debug_level=3 allow_legacy=-1" \
3578 1 \
3579 -C "found renegotiation extension" \
3580 -c "error" \
3581 -C "HTTP/1.0 200 [Oo][Kk]"
3582
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3583requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3584run_test "Renego ext: gnutls client strict, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3585 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3586 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3587 0 \
3588 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3589 -s "server hello, secure renegotiation extension"
3590
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3591requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3592run_test "Renego ext: gnutls client unsafe, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3593 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3594 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3595 0 \
3596 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3597 -S "server hello, secure renegotiation extension"
3598
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3599requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3600run_test "Renego ext: gnutls client unsafe, server break legacy" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3601 "$P_SRV debug_level=3 allow_legacy=-1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3602 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3603 1 \
3604 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3605 -S "server hello, secure renegotiation extension"
3606
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3607# Tests for silently dropping trailing extra bytes in .der certificates
3608
3609requires_gnutls
3610run_test "DER format: no trailing bytes" \
3611 "$P_SRV crt_file=data_files/server5-der0.crt \
3612 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3613 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3614 0 \
3615 -c "Handshake was completed" \
3616
3617requires_gnutls
3618run_test "DER format: with a trailing zero byte" \
3619 "$P_SRV crt_file=data_files/server5-der1a.crt \
3620 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3621 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3622 0 \
3623 -c "Handshake was completed" \
3624
3625requires_gnutls
3626run_test "DER format: with a trailing random byte" \
3627 "$P_SRV crt_file=data_files/server5-der1b.crt \
3628 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3629 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3630 0 \
3631 -c "Handshake was completed" \
3632
3633requires_gnutls
3634run_test "DER format: with 2 trailing random bytes" \
3635 "$P_SRV crt_file=data_files/server5-der2.crt \
3636 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3637 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3638 0 \
3639 -c "Handshake was completed" \
3640
3641requires_gnutls
3642run_test "DER format: with 4 trailing random bytes" \
3643 "$P_SRV crt_file=data_files/server5-der4.crt \
3644 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3645 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3646 0 \
3647 -c "Handshake was completed" \
3648
3649requires_gnutls
3650run_test "DER format: with 8 trailing random bytes" \
3651 "$P_SRV crt_file=data_files/server5-der8.crt \
3652 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3653 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3654 0 \
3655 -c "Handshake was completed" \
3656
3657requires_gnutls
3658run_test "DER format: with 9 trailing random bytes" \
3659 "$P_SRV crt_file=data_files/server5-der9.crt \
3660 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3661 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3662 0 \
3663 -c "Handshake was completed" \
3664
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3665# Tests for auth_mode
3666
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3667requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3668requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3669run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3670 "$P_SRV crt_file=data_files/server5-badsign.crt \
3671 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3672 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3673 1 \
3674 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3675 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3676 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3677 -c "X509 - Certificate verification failed"
3678
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3679requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3680requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3681run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3682 "$P_SRV crt_file=data_files/server5-badsign.crt \
3683 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3684 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3685 0 \
3686 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3687 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3688 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3689 -C "X509 - Certificate verification failed"
3690
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3691requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3692requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3693run_test "Authentication: server goodcert, client optional, no trusted CA" \
3694 "$P_SRV" \
3695 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
3696 0 \
3697 -c "x509_verify_cert() returned" \
3698 -c "! The certificate is not correctly signed by the trusted CA" \
3699 -c "! Certificate verification flags"\
3700 -C "! mbedtls_ssl_handshake returned" \
3701 -C "X509 - Certificate verification failed" \
3702 -C "SSL - No CA Chain is set, but required to operate"
3703
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3704requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3705requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3706run_test "Authentication: server goodcert, client required, no trusted CA" \
3707 "$P_SRV" \
3708 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
3709 1 \
3710 -c "x509_verify_cert() returned" \
3711 -c "! The certificate is not correctly signed by the trusted CA" \
3712 -c "! Certificate verification flags"\
3713 -c "! mbedtls_ssl_handshake returned" \
3714 -c "SSL - No CA Chain is set, but required to operate"
3715
3716# The purpose of the next two tests is to test the client's behaviour when receiving a server
3717# certificate with an unsupported elliptic curve. This should usually not happen because
3718# the client informs the server about the supported curves - it does, though, in the
3719# corner case of a static ECDH suite, because the server doesn't check the curve on that
3720# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
3721# different means to have the server ignoring the client's supported curve list.
3722
3723requires_config_enabled MBEDTLS_ECP_C
3724run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
3725 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3726 crt_file=data_files/server5.ku-ka.crt" \
3727 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
3728 1 \
3729 -c "bad certificate (EC key curve)"\
3730 -c "! Certificate verification flags"\
3731 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
3732
3733requires_config_enabled MBEDTLS_ECP_C
3734run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
3735 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3736 crt_file=data_files/server5.ku-ka.crt" \
3737 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
3738 1 \
3739 -c "bad certificate (EC key curve)"\
3740 -c "! Certificate verification flags"\
3741 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
3742
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3743run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]3744 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3745 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3746 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3747 0 \
3748 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3749 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3750 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3751 -C "X509 - Certificate verification failed"
3752
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3753run_test "Authentication: client SHA256, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3754 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3755 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3756 key_file=data_files/server6.key \
3757 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
3758 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3759 -c "Supported Signature Algorithm found: 5,"
3760
3761run_test "Authentication: client SHA384, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3762 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3763 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3764 key_file=data_files/server6.key \
3765 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
3766 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3767 -c "Supported Signature Algorithm found: 5,"
3768
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3769requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3770run_test "Authentication: client has no cert, server required (SSLv3)" \
3771 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
3772 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
3773 key_file=data_files/server5.key" \
3774 1 \
3775 -S "skip write certificate request" \
3776 -C "skip parse certificate request" \
3777 -c "got a certificate request" \
3778 -c "got no certificate to send" \
3779 -S "x509_verify_cert() returned" \
3780 -s "client has no certificate" \
3781 -s "! mbedtls_ssl_handshake returned" \
3782 -c "! mbedtls_ssl_handshake returned" \
3783 -s "No client certification received from the client, but required by the authentication mode"
3784
3785run_test "Authentication: client has no cert, server required (TLS)" \
3786 "$P_SRV debug_level=3 auth_mode=required" \
3787 "$P_CLI debug_level=3 crt_file=none \
3788 key_file=data_files/server5.key" \
3789 1 \
3790 -S "skip write certificate request" \
3791 -C "skip parse certificate request" \
3792 -c "got a certificate request" \
3793 -c "= write certificate$" \
3794 -C "skip write certificate$" \
3795 -S "x509_verify_cert() returned" \
3796 -s "client has no certificate" \
3797 -s "! mbedtls_ssl_handshake returned" \
3798 -c "! mbedtls_ssl_handshake returned" \
3799 -s "No client certification received from the client, but required by the authentication mode"
3800
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3801requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3802requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3803run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3804 "$P_SRV debug_level=3 auth_mode=required" \
3805 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3806 key_file=data_files/server5.key" \
3807 1 \
3808 -S "skip write certificate request" \
3809 -C "skip parse certificate request" \
3810 -c "got a certificate request" \
3811 -C "skip write certificate" \
3812 -C "skip write certificate verify" \
3813 -S "skip parse certificate verify" \
3814 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3815 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3816 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3817 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3818 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3819 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3820# We don't check that the client receives the alert because it might
3821# detect that its write end of the connection is closed and abort
3822# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3823
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3824requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3825requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]3826run_test "Authentication: client cert not trusted, server required" \
3827 "$P_SRV debug_level=3 auth_mode=required" \
3828 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
3829 key_file=data_files/server5.key" \
3830 1 \
3831 -S "skip write certificate request" \
3832 -C "skip parse certificate request" \
3833 -c "got a certificate request" \
3834 -C "skip write certificate" \
3835 -C "skip write certificate verify" \
3836 -S "skip parse certificate verify" \
3837 -s "x509_verify_cert() returned" \
3838 -s "! The certificate is not correctly signed by the trusted CA" \
3839 -s "! mbedtls_ssl_handshake returned" \
3840 -c "! mbedtls_ssl_handshake returned" \
3841 -s "X509 - Certificate verification failed"
3842
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3843requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3844requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3845run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3846 "$P_SRV debug_level=3 auth_mode=optional" \
3847 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3848 key_file=data_files/server5.key" \
3849 0 \
3850 -S "skip write certificate request" \
3851 -C "skip parse certificate request" \
3852 -c "got a certificate request" \
3853 -C "skip write certificate" \
3854 -C "skip write certificate verify" \
3855 -S "skip parse certificate verify" \
3856 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3857 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3858 -S "! mbedtls_ssl_handshake returned" \
3859 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3860 -S "X509 - Certificate verification failed"
3861
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3862run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3863 "$P_SRV debug_level=3 auth_mode=none" \
3864 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3865 key_file=data_files/server5.key" \
3866 0 \
3867 -s "skip write certificate request" \
3868 -C "skip parse certificate request" \
3869 -c "got no certificate request" \
3870 -c "skip write certificate" \
3871 -c "skip write certificate verify" \
3872 -s "skip parse certificate verify" \
3873 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3874 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3875 -S "! mbedtls_ssl_handshake returned" \
3876 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3877 -S "X509 - Certificate verification failed"
3878
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3879requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3880requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3881run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3882 "$P_SRV debug_level=3 auth_mode=optional" \
3883 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3884 0 \
3885 -S "skip write certificate request" \
3886 -C "skip parse certificate request" \
3887 -c "got a certificate request" \
3888 -C "skip write certificate$" \
3889 -C "got no certificate to send" \
3890 -S "SSLv3 client has no certificate" \
3891 -c "skip write certificate verify" \
3892 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3893 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3894 -S "! mbedtls_ssl_handshake returned" \
3895 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3896 -S "X509 - Certificate verification failed"
3897
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3898requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3899requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3900run_test "Authentication: openssl client no cert, server optional" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3901 "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3902 "$O_CLI" \
3903 0 \
3904 -S "skip write certificate request" \
3905 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3906 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3907 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3908 -S "X509 - Certificate verification failed"
3909
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3910run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3911 "$O_SRV -verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3912 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3913 0 \
3914 -C "skip parse certificate request" \
3915 -c "got a certificate request" \
3916 -C "skip write certificate$" \
3917 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3918 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3919
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3920run_test "Authentication: client no cert, openssl server required" \
3921 "$O_SRV -Verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3922 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3923 1 \
3924 -C "skip parse certificate request" \
3925 -c "got a certificate request" \
3926 -C "skip write certificate$" \
3927 -c "skip write certificate verify" \
3928 -c "! mbedtls_ssl_handshake returned"
3929
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3930requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]3931requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3932requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3933run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3934 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3935 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3936 0 \
3937 -S "skip write certificate request" \
3938 -C "skip parse certificate request" \
3939 -c "got a certificate request" \
3940 -C "skip write certificate$" \
3941 -c "skip write certificate verify" \
3942 -c "got no certificate to send" \
3943 -s "SSLv3 client has no certificate" \
3944 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3945 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3946 -S "! mbedtls_ssl_handshake returned" \
3947 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3948 -S "X509 - Certificate verification failed"
3949
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]3950# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
3951# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3952
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3953MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3954MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3955
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3956if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3957 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3958 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3959 printf "test value of ${MAX_IM_CA}. \n"
3960 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3961 printf "The tests assume this value and if it changes, the tests in this\n"
3962 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3963 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3964
3965 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3966fi
3967
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3968requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3969run_test "Authentication: server max_int chain, client default" \
3970 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
3971 key_file=data_files/dir-maxpath/09.key" \
3972 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
3973 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3974 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3975
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3976requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3977run_test "Authentication: server max_int+1 chain, client default" \
3978 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3979 key_file=data_files/dir-maxpath/10.key" \
3980 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
3981 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3982 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3983
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3984requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3985run_test "Authentication: server max_int+1 chain, client optional" \
3986 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3987 key_file=data_files/dir-maxpath/10.key" \
3988 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
3989 auth_mode=optional" \
3990 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3991 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3992
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3993requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3994run_test "Authentication: server max_int+1 chain, client none" \
3995 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3996 key_file=data_files/dir-maxpath/10.key" \
3997 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
3998 auth_mode=none" \
3999 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4000 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4001
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4002requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4003run_test "Authentication: client max_int+1 chain, server default" \
4004 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
4005 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4006 key_file=data_files/dir-maxpath/10.key" \
4007 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4008 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4009
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4010requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4011run_test "Authentication: client max_int+1 chain, server optional" \
4012 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4013 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4014 key_file=data_files/dir-maxpath/10.key" \
4015 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4016 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4017
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4018requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4019run_test "Authentication: client max_int+1 chain, server required" \
4020 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4021 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4022 key_file=data_files/dir-maxpath/10.key" \
4023 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4024 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4025
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4026requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4027run_test "Authentication: client max_int chain, server required" \
4028 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4029 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4030 key_file=data_files/dir-maxpath/09.key" \
4031 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4032 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4033
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4034# Tests for CA list in CertificateRequest messages
4035
4036run_test "Authentication: send CA list in CertificateRequest (default)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4037 "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4038 "$P_CLI crt_file=data_files/server6.crt \
4039 key_file=data_files/server6.key" \
4040 0 \
4041 -s "requested DN"
4042
4043run_test "Authentication: do not send CA list in CertificateRequest" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4044 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0 ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4045 "$P_CLI crt_file=data_files/server6.crt \
4046 key_file=data_files/server6.key" \
4047 0 \
4048 -S "requested DN"
4049
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4050requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4051requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4052run_test "Authentication: send CA list in CertificateRequest, client self signed" \
4053 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4054 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4055 key_file=data_files/server5.key" \
4056 1 \
4057 -S "requested DN" \
4058 -s "x509_verify_cert() returned" \
4059 -s "! The certificate is not correctly signed by the trusted CA" \
4060 -s "! mbedtls_ssl_handshake returned" \
4061 -c "! mbedtls_ssl_handshake returned" \
4062 -s "X509 - Certificate verification failed"
4063
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4064# Tests for certificate selection based on SHA verson
4065
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4066requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4067requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4068run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
4069 "$P_SRV crt_file=data_files/server5.crt \
4070 key_file=data_files/server5.key \
4071 crt_file2=data_files/server5-sha1.crt \
4072 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4073 "$P_CLI force_version=tls1_2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4074 0 \
4075 -c "signed using.*ECDSA with SHA256" \
4076 -C "signed using.*ECDSA with SHA1"
4077
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4078requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4079requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4080run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
4081 "$P_SRV crt_file=data_files/server5.crt \
4082 key_file=data_files/server5.key \
4083 crt_file2=data_files/server5-sha1.crt \
4084 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4085 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4086 0 \
4087 -C "signed using.*ECDSA with SHA256" \
4088 -c "signed using.*ECDSA with SHA1"
4089
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4090requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4091requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4092run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
4093 "$P_SRV crt_file=data_files/server5.crt \
4094 key_file=data_files/server5.key \
4095 crt_file2=data_files/server5-sha1.crt \
4096 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4097 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4098 0 \
4099 -C "signed using.*ECDSA with SHA256" \
4100 -c "signed using.*ECDSA with SHA1"
4101
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4102requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4103requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4104run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
4105 "$P_SRV crt_file=data_files/server5.crt \
4106 key_file=data_files/server5.key \
4107 crt_file2=data_files/server6.crt \
4108 key_file2=data_files/server6.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4109 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4110 0 \
4111 -c "serial number.*09" \
4112 -c "signed using.*ECDSA with SHA256" \
4113 -C "signed using.*ECDSA with SHA1"
4114
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4115requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4116requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4117run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
4118 "$P_SRV crt_file=data_files/server6.crt \
4119 key_file=data_files/server6.key \
4120 crt_file2=data_files/server5.crt \
4121 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4122 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4123 0 \
4124 -c "serial number.*0A" \
4125 -c "signed using.*ECDSA with SHA256" \
4126 -C "signed using.*ECDSA with SHA1"
4127
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4128# tests for SNI
4129
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4130requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4131requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4132run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4133 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4134 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4135 "$P_CLI server_name=localhost ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4136 0 \
4137 -S "parse ServerName extension" \
4138 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4139 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4140
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4141requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4142requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4143requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4144run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4145 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4146 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4147 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4148 "$P_CLI server_name=localhost ca_file=data_files/test-ca.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4149 0 \
4150 -s "parse ServerName extension" \
4151 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4152 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4153
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4154requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4155requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4156requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4157run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4158 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4159 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4160 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4161 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4162 0 \
4163 -s "parse ServerName extension" \
4164 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4165 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4166
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4167requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4168run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4169 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4170 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4171 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4172 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4173 1 \
4174 -s "parse ServerName extension" \
4175 -s "ssl_sni_wrapper() returned" \
4176 -s "mbedtls_ssl_handshake returned" \
4177 -c "mbedtls_ssl_handshake returned" \
4178 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4179
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4180run_test "SNI: client auth no override: optional" \
4181 "$P_SRV debug_level=3 auth_mode=optional \
4182 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4183 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4184 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4185 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4186 -S "skip write certificate request" \
4187 -C "skip parse certificate request" \
4188 -c "got a certificate request" \
4189 -C "skip write certificate" \
4190 -C "skip write certificate verify" \
4191 -S "skip parse certificate verify"
4192
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4193requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4194run_test "SNI: client auth override: none -> optional" \
4195 "$P_SRV debug_level=3 auth_mode=none \
4196 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4197 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4198 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4199 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4200 -S "skip write certificate request" \
4201 -C "skip parse certificate request" \
4202 -c "got a certificate request" \
4203 -C "skip write certificate" \
4204 -C "skip write certificate verify" \
4205 -S "skip parse certificate verify"
4206
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4207requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4208run_test "SNI: client auth override: optional -> none" \
4209 "$P_SRV debug_level=3 auth_mode=optional \
4210 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4211 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4212 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4213 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4214 -s "skip write certificate request" \
4215 -C "skip parse certificate request" \
4216 -c "got no certificate request" \
4217 -c "skip write certificate" \
4218 -c "skip write certificate verify" \
4219 -s "skip parse certificate verify"
4220
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4221requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4222requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4223requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4224run_test "SNI: CA no override" \
4225 "$P_SRV debug_level=3 auth_mode=optional \
4226 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4227 ca_file=data_files/test-ca.crt \
4228 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4229 "$P_CLI debug_level=3 server_name=localhost \
4230 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4231 1 \
4232 -S "skip write certificate request" \
4233 -C "skip parse certificate request" \
4234 -c "got a certificate request" \
4235 -C "skip write certificate" \
4236 -C "skip write certificate verify" \
4237 -S "skip parse certificate verify" \
4238 -s "x509_verify_cert() returned" \
4239 -s "! The certificate is not correctly signed by the trusted CA" \
4240 -S "The certificate has been revoked (is on a CRL)"
4241
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4242requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4243requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4244requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4245run_test "SNI: CA override" \
4246 "$P_SRV debug_level=3 auth_mode=optional \
4247 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4248 ca_file=data_files/test-ca.crt \
4249 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4250 "$P_CLI debug_level=3 server_name=localhost \
4251 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4252 0 \
4253 -S "skip write certificate request" \
4254 -C "skip parse certificate request" \
4255 -c "got a certificate request" \
4256 -C "skip write certificate" \
4257 -C "skip write certificate verify" \
4258 -S "skip parse certificate verify" \
4259 -S "x509_verify_cert() returned" \
4260 -S "! The certificate is not correctly signed by the trusted CA" \
4261 -S "The certificate has been revoked (is on a CRL)"
4262
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4263requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4264requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4265requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4266run_test "SNI: CA override with CRL" \
4267 "$P_SRV debug_level=3 auth_mode=optional \
4268 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4269 ca_file=data_files/test-ca.crt \
4270 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4271 "$P_CLI debug_level=3 server_name=localhost \
4272 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4273 1 \
4274 -S "skip write certificate request" \
4275 -C "skip parse certificate request" \
4276 -c "got a certificate request" \
4277 -C "skip write certificate" \
4278 -C "skip write certificate verify" \
4279 -S "skip parse certificate verify" \
4280 -s "x509_verify_cert() returned" \
4281 -S "! The certificate is not correctly signed by the trusted CA" \
4282 -s "The certificate has been revoked (is on a CRL)"
4283
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4284# Tests for SNI and DTLS
4285
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4286requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4287requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4288run_test "SNI: DTLS, no SNI callback" \
4289 "$P_SRV debug_level=3 dtls=1 \
4290 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4291 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca2.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4292 0 \
4293 -S "parse ServerName extension" \
4294 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4295 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4296
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4297requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4298requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4299requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4300run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4301 "$P_SRV debug_level=3 dtls=1 \
4302 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4303 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4304 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca.crt" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4305 0 \
4306 -s "parse ServerName extension" \
4307 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4308 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4309
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4310requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4311requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4312requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4313run_test "SNI: DTLS, matching cert 2" \
4314 "$P_SRV debug_level=3 dtls=1 \
4315 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4316 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4317 "$P_CLI server_name=polarssl.example dtls=1 ca_file=data_files/test-ca.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4318 0 \
4319 -s "parse ServerName extension" \
4320 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4321 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4322
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4323requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4324run_test "SNI: DTLS, no matching cert" \
4325 "$P_SRV debug_level=3 dtls=1 \
4326 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4327 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4328 "$P_CLI server_name=nonesuch.example dtls=1" \
4329 1 \
4330 -s "parse ServerName extension" \
4331 -s "ssl_sni_wrapper() returned" \
4332 -s "mbedtls_ssl_handshake returned" \
4333 -c "mbedtls_ssl_handshake returned" \
4334 -c "SSL - A fatal alert message was received from our peer"
4335
4336run_test "SNI: DTLS, client auth no override: optional" \
4337 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4338 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4339 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4340 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4341 0 \
4342 -S "skip write certificate request" \
4343 -C "skip parse certificate request" \
4344 -c "got a certificate request" \
4345 -C "skip write certificate" \
4346 -C "skip write certificate verify" \
4347 -S "skip parse certificate verify"
4348
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4349requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4350run_test "SNI: DTLS, client auth override: none -> optional" \
4351 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
4352 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4353 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4354 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4355 0 \
4356 -S "skip write certificate request" \
4357 -C "skip parse certificate request" \
4358 -c "got a certificate request" \
4359 -C "skip write certificate" \
4360 -C "skip write certificate verify" \
4361 -S "skip parse certificate verify"
4362
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4363requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4364run_test "SNI: DTLS, client auth override: optional -> none" \
4365 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4366 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4367 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4368 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4369 0 \
4370 -s "skip write certificate request" \
4371 -C "skip parse certificate request" \
4372 -c "got no certificate request" \
4373 -c "skip write certificate" \
4374 -c "skip write certificate verify" \
4375 -s "skip parse certificate verify"
4376
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4377requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4378requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4379requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4380run_test "SNI: DTLS, CA no override" \
4381 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4382 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4383 ca_file=data_files/test-ca.crt \
4384 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4385 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4386 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4387 1 \
4388 -S "skip write certificate request" \
4389 -C "skip parse certificate request" \
4390 -c "got a certificate request" \
4391 -C "skip write certificate" \
4392 -C "skip write certificate verify" \
4393 -S "skip parse certificate verify" \
4394 -s "x509_verify_cert() returned" \
4395 -s "! The certificate is not correctly signed by the trusted CA" \
4396 -S "The certificate has been revoked (is on a CRL)"
4397
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4398requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4399run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4400 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4401 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4402 ca_file=data_files/test-ca.crt \
4403 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4404 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4405 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4406 0 \
4407 -S "skip write certificate request" \
4408 -C "skip parse certificate request" \
4409 -c "got a certificate request" \
4410 -C "skip write certificate" \
4411 -C "skip write certificate verify" \
4412 -S "skip parse certificate verify" \
4413 -S "x509_verify_cert() returned" \
4414 -S "! The certificate is not correctly signed by the trusted CA" \
4415 -S "The certificate has been revoked (is on a CRL)"
4416
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4417requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4418requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4419requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4420run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4421 "$P_SRV debug_level=3 auth_mode=optional \
4422 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
4423 ca_file=data_files/test-ca.crt \
4424 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4425 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4426 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4427 1 \
4428 -S "skip write certificate request" \
4429 -C "skip parse certificate request" \
4430 -c "got a certificate request" \
4431 -C "skip write certificate" \
4432 -C "skip write certificate verify" \
4433 -S "skip parse certificate verify" \
4434 -s "x509_verify_cert() returned" \
4435 -S "! The certificate is not correctly signed by the trusted CA" \
4436 -s "The certificate has been revoked (is on a CRL)"
4437
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4438# Tests for non-blocking I/O: exercise a variety of handshake flows
4439
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4440run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4441 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4442 "$P_CLI nbio=2 tickets=0" \
4443 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4444 -S "mbedtls_ssl_handshake returned" \
4445 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4446 -c "Read from server: .* bytes read"
4447
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4448run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4449 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
4450 "$P_CLI nbio=2 tickets=0" \
4451 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4452 -S "mbedtls_ssl_handshake returned" \
4453 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4454 -c "Read from server: .* bytes read"
4455
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4456run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4457 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4458 "$P_CLI nbio=2 tickets=1" \
4459 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4460 -S "mbedtls_ssl_handshake returned" \
4461 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4462 -c "Read from server: .* bytes read"
4463
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4464run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4465 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4466 "$P_CLI nbio=2 tickets=1" \
4467 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4468 -S "mbedtls_ssl_handshake returned" \
4469 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4470 -c "Read from server: .* bytes read"
4471
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4472run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4473 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4474 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4475 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4476 -S "mbedtls_ssl_handshake returned" \
4477 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4478 -c "Read from server: .* bytes read"
4479
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4480run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4481 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4482 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4483 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4484 -S "mbedtls_ssl_handshake returned" \
4485 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4486 -c "Read from server: .* bytes read"
4487
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4488run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4489 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4490 "$P_CLI nbio=2 tickets=0 reconnect=1" \
4491 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4492 -S "mbedtls_ssl_handshake returned" \
4493 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4494 -c "Read from server: .* bytes read"
4495
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]4496# Tests for event-driven I/O: exercise a variety of handshake flows
4497
4498run_test "Event-driven I/O: basic handshake" \
4499 "$P_SRV event=1 tickets=0 auth_mode=none" \
4500 "$P_CLI event=1 tickets=0" \
4501 0 \
4502 -S "mbedtls_ssl_handshake returned" \
4503 -C "mbedtls_ssl_handshake returned" \
4504 -c "Read from server: .* bytes read"
4505
4506run_test "Event-driven I/O: client auth" \
4507 "$P_SRV event=1 tickets=0 auth_mode=required" \
4508 "$P_CLI event=1 tickets=0" \
4509 0 \
4510 -S "mbedtls_ssl_handshake returned" \
4511 -C "mbedtls_ssl_handshake returned" \
4512 -c "Read from server: .* bytes read"
4513
4514run_test "Event-driven I/O: ticket" \
4515 "$P_SRV event=1 tickets=1 auth_mode=none" \
4516 "$P_CLI event=1 tickets=1" \
4517 0 \
4518 -S "mbedtls_ssl_handshake returned" \
4519 -C "mbedtls_ssl_handshake returned" \
4520 -c "Read from server: .* bytes read"
4521
4522run_test "Event-driven I/O: ticket + client auth" \
4523 "$P_SRV event=1 tickets=1 auth_mode=required" \
4524 "$P_CLI event=1 tickets=1" \
4525 0 \
4526 -S "mbedtls_ssl_handshake returned" \
4527 -C "mbedtls_ssl_handshake returned" \
4528 -c "Read from server: .* bytes read"
4529
4530run_test "Event-driven I/O: ticket + client auth + resume" \
4531 "$P_SRV event=1 tickets=1 auth_mode=required" \
4532 "$P_CLI event=1 tickets=1 reconnect=1" \
4533 0 \
4534 -S "mbedtls_ssl_handshake returned" \
4535 -C "mbedtls_ssl_handshake returned" \
4536 -c "Read from server: .* bytes read"
4537
4538run_test "Event-driven I/O: ticket + resume" \
4539 "$P_SRV event=1 tickets=1 auth_mode=none" \
4540 "$P_CLI event=1 tickets=1 reconnect=1" \
4541 0 \
4542 -S "mbedtls_ssl_handshake returned" \
4543 -C "mbedtls_ssl_handshake returned" \
4544 -c "Read from server: .* bytes read"
4545
4546run_test "Event-driven I/O: session-id resume" \
4547 "$P_SRV event=1 tickets=0 auth_mode=none" \
4548 "$P_CLI event=1 tickets=0 reconnect=1" \
4549 0 \
4550 -S "mbedtls_ssl_handshake returned" \
4551 -C "mbedtls_ssl_handshake returned" \
4552 -c "Read from server: .* bytes read"
4553
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4554run_test "Event-driven I/O, DTLS: basic handshake" \
4555 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4556 "$P_CLI dtls=1 event=1 tickets=0" \
4557 0 \
4558 -c "Read from server: .* bytes read"
4559
4560run_test "Event-driven I/O, DTLS: client auth" \
4561 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4562 "$P_CLI dtls=1 event=1 tickets=0" \
4563 0 \
4564 -c "Read from server: .* bytes read"
4565
4566run_test "Event-driven I/O, DTLS: ticket" \
4567 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4568 "$P_CLI dtls=1 event=1 tickets=1" \
4569 0 \
4570 -c "Read from server: .* bytes read"
4571
4572run_test "Event-driven I/O, DTLS: ticket + client auth" \
4573 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4574 "$P_CLI dtls=1 event=1 tickets=1" \
4575 0 \
4576 -c "Read from server: .* bytes read"
4577
4578run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
4579 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4580 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4581 0 \
4582 -c "Read from server: .* bytes read"
4583
4584run_test "Event-driven I/O, DTLS: ticket + resume" \
4585 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4586 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4587 0 \
4588 -c "Read from server: .* bytes read"
4589
4590run_test "Event-driven I/O, DTLS: session-id resume" \
4591 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4592 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4593 0 \
4594 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4595
4596# This test demonstrates the need for the mbedtls_ssl_check_pending function.
4597# During session resumption, the client will send its ApplicationData record
4598# within the same datagram as the Finished messages. In this situation, the
4599# server MUST NOT idle on the underlying transport after handshake completion,
4600# because the ApplicationData request has already been queued internally.
4601run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]4602 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4603 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4604 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4605 0 \
4606 -c "Read from server: .* bytes read"
4607
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4608# Tests for version negotiation
4609
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4610run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4611 "$P_SRV" \
4612 "$P_CLI" \
4613 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4614 -S "mbedtls_ssl_handshake returned" \
4615 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4616 -s "Protocol is TLSv1.2" \
4617 -c "Protocol is TLSv1.2"
4618
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4619run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4620 "$P_SRV" \
4621 "$P_CLI max_version=tls1_1" \
4622 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4623 -S "mbedtls_ssl_handshake returned" \
4624 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4625 -s "Protocol is TLSv1.1" \
4626 -c "Protocol is TLSv1.1"
4627
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4628run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4629 "$P_SRV max_version=tls1_1" \
4630 "$P_CLI" \
4631 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4632 -S "mbedtls_ssl_handshake returned" \
4633 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4634 -s "Protocol is TLSv1.1" \
4635 -c "Protocol is TLSv1.1"
4636
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4637run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4638 "$P_SRV max_version=tls1_1" \
4639 "$P_CLI max_version=tls1_1" \
4640 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4641 -S "mbedtls_ssl_handshake returned" \
4642 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4643 -s "Protocol is TLSv1.1" \
4644 -c "Protocol is TLSv1.1"
4645
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4646run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4647 "$P_SRV min_version=tls1_1" \
4648 "$P_CLI max_version=tls1_1" \
4649 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4650 -S "mbedtls_ssl_handshake returned" \
4651 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4652 -s "Protocol is TLSv1.1" \
4653 -c "Protocol is TLSv1.1"
4654
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4655run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4656 "$P_SRV max_version=tls1_1" \
4657 "$P_CLI min_version=tls1_1" \
4658 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4659 -S "mbedtls_ssl_handshake returned" \
4660 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4661 -s "Protocol is TLSv1.1" \
4662 -c "Protocol is TLSv1.1"
4663
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4664run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4665 "$P_SRV max_version=tls1_1" \
4666 "$P_CLI min_version=tls1_2" \
4667 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4668 -s "mbedtls_ssl_handshake returned" \
4669 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4670 -c "SSL - Handshake protocol not within min/max boundaries"
4671
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4672run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4673 "$P_SRV min_version=tls1_2" \
4674 "$P_CLI max_version=tls1_1" \
4675 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4676 -s "mbedtls_ssl_handshake returned" \
4677 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4678 -s "SSL - Handshake protocol not within min/max boundaries"
4679
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4680# Tests for ALPN extension
4681
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4682run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4683 "$P_SRV debug_level=3" \
4684 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4685 0 \
4686 -C "client hello, adding alpn extension" \
4687 -S "found alpn extension" \
4688 -C "got an alert message, type: \\[2:120]" \
4689 -S "server hello, adding alpn extension" \
4690 -C "found alpn extension " \
4691 -C "Application Layer Protocol is" \
4692 -S "Application Layer Protocol is"
4693
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4694run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4695 "$P_SRV debug_level=3" \
4696 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4697 0 \
4698 -c "client hello, adding alpn extension" \
4699 -s "found alpn extension" \
4700 -C "got an alert message, type: \\[2:120]" \
4701 -S "server hello, adding alpn extension" \
4702 -C "found alpn extension " \
4703 -c "Application Layer Protocol is (none)" \
4704 -S "Application Layer Protocol is"
4705
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4706run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4707 "$P_SRV debug_level=3 alpn=abc,1234" \
4708 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4709 0 \
4710 -C "client hello, adding alpn extension" \
4711 -S "found alpn extension" \
4712 -C "got an alert message, type: \\[2:120]" \
4713 -S "server hello, adding alpn extension" \
4714 -C "found alpn extension " \
4715 -C "Application Layer Protocol is" \
4716 -s "Application Layer Protocol is (none)"
4717
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4718run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4719 "$P_SRV debug_level=3 alpn=abc,1234" \
4720 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4721 0 \
4722 -c "client hello, adding alpn extension" \
4723 -s "found alpn extension" \
4724 -C "got an alert message, type: \\[2:120]" \
4725 -s "server hello, adding alpn extension" \
4726 -c "found alpn extension" \
4727 -c "Application Layer Protocol is abc" \
4728 -s "Application Layer Protocol is abc"
4729
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4730run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4731 "$P_SRV debug_level=3 alpn=abc,1234" \
4732 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4733 0 \
4734 -c "client hello, adding alpn extension" \
4735 -s "found alpn extension" \
4736 -C "got an alert message, type: \\[2:120]" \
4737 -s "server hello, adding alpn extension" \
4738 -c "found alpn extension" \
4739 -c "Application Layer Protocol is abc" \
4740 -s "Application Layer Protocol is abc"
4741
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4742run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4743 "$P_SRV debug_level=3 alpn=abc,1234" \
4744 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4745 0 \
4746 -c "client hello, adding alpn extension" \
4747 -s "found alpn extension" \
4748 -C "got an alert message, type: \\[2:120]" \
4749 -s "server hello, adding alpn extension" \
4750 -c "found alpn extension" \
4751 -c "Application Layer Protocol is 1234" \
4752 -s "Application Layer Protocol is 1234"
4753
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4754run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4755 "$P_SRV debug_level=3 alpn=abc,123" \
4756 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4757 1 \
4758 -c "client hello, adding alpn extension" \
4759 -s "found alpn extension" \
4760 -c "got an alert message, type: \\[2:120]" \
4761 -S "server hello, adding alpn extension" \
4762 -C "found alpn extension" \
4763 -C "Application Layer Protocol is 1234" \
4764 -S "Application Layer Protocol is 1234"
4765
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]4766
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4767# Tests for keyUsage in leaf certificates, part 1:
4768# server-side certificate/suite selection
4769
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4770run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4771 "$P_SRV key_file=data_files/server2.key \
4772 crt_file=data_files/server2.ku-ds.crt" \
4773 "$P_CLI" \
4774 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]4775 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4776
4777
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4778run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4779 "$P_SRV key_file=data_files/server2.key \
4780 crt_file=data_files/server2.ku-ke.crt" \
4781 "$P_CLI" \
4782 0 \
4783 -c "Ciphersuite is TLS-RSA-WITH-"
4784
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4785run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4786 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4787 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4788 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4789 1 \
4790 -C "Ciphersuite is "
4791
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4792run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4793 "$P_SRV key_file=data_files/server5.key \
4794 crt_file=data_files/server5.ku-ds.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4795 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4796 0 \
4797 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
4798
4799
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4800run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4801 "$P_SRV key_file=data_files/server5.key \
4802 crt_file=data_files/server5.ku-ka.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4803 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4804 0 \
4805 -c "Ciphersuite is TLS-ECDH-"
4806
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4807run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4808 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4809 crt_file=data_files/server5.ku-ke.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4810 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4811 1 \
4812 -C "Ciphersuite is "
4813
4814# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4815# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4816
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4817run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4818 "$O_SRV -key data_files/server2.key \
4819 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4820 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4821 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4822 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4823 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4824 -C "Processing of the Certificate handshake message failed" \
4825 -c "Ciphersuite is TLS-"
4826
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4827run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4828 "$O_SRV -key data_files/server2.key \
4829 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4830 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4831 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4832 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4833 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4834 -C "Processing of the Certificate handshake message failed" \
4835 -c "Ciphersuite is TLS-"
4836
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4837run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4838 "$O_SRV -key data_files/server2.key \
4839 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4840 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4841 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4842 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4843 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4844 -C "Processing of the Certificate handshake message failed" \
4845 -c "Ciphersuite is TLS-"
4846
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4847run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4848 "$O_SRV -key data_files/server2.key \
4849 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4850 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4851 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4852 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4853 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4854 -c "Processing of the Certificate handshake message failed" \
4855 -C "Ciphersuite is TLS-"
4856
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4857requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4858requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4859run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
4860 "$O_SRV -key data_files/server2.key \
4861 -cert data_files/server2.ku-ke.crt" \
4862 "$P_CLI debug_level=1 auth_mode=optional \
4863 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4864 0 \
4865 -c "bad certificate (usage extensions)" \
4866 -C "Processing of the Certificate handshake message failed" \
4867 -c "Ciphersuite is TLS-" \
4868 -c "! Usage does not match the keyUsage extension"
4869
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4870run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4871 "$O_SRV -key data_files/server2.key \
4872 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4873 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4874 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4875 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4876 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4877 -C "Processing of the Certificate handshake message failed" \
4878 -c "Ciphersuite is TLS-"
4879
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4880run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4881 "$O_SRV -key data_files/server2.key \
4882 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4883 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4884 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4885 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4886 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4887 -c "Processing of the Certificate handshake message failed" \
4888 -C "Ciphersuite is TLS-"
4889
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4890requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4891requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4892run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
4893 "$O_SRV -key data_files/server2.key \
4894 -cert data_files/server2.ku-ds.crt" \
4895 "$P_CLI debug_level=1 auth_mode=optional \
4896 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4897 0 \
4898 -c "bad certificate (usage extensions)" \
4899 -C "Processing of the Certificate handshake message failed" \
4900 -c "Ciphersuite is TLS-" \
4901 -c "! Usage does not match the keyUsage extension"
4902
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4903# Tests for keyUsage in leaf certificates, part 3:
4904# server-side checking of client cert
4905
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4906run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4907 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4908 "$O_CLI -key data_files/server2.key \
4909 -cert data_files/server2.ku-ds.crt" \
4910 0 \
4911 -S "bad certificate (usage extensions)" \
4912 -S "Processing of the Certificate handshake message failed"
4913
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4914run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4915 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4916 "$O_CLI -key data_files/server2.key \
4917 -cert data_files/server2.ku-ke.crt" \
4918 0 \
4919 -s "bad certificate (usage extensions)" \
4920 -S "Processing of the Certificate handshake message failed"
4921
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4922run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4923 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4924 "$O_CLI -key data_files/server2.key \
4925 -cert data_files/server2.ku-ke.crt" \
4926 1 \
4927 -s "bad certificate (usage extensions)" \
4928 -s "Processing of the Certificate handshake message failed"
4929
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4930run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4931 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4932 "$O_CLI -key data_files/server5.key \
4933 -cert data_files/server5.ku-ds.crt" \
4934 0 \
4935 -S "bad certificate (usage extensions)" \
4936 -S "Processing of the Certificate handshake message failed"
4937
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4938run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4939 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4940 "$O_CLI -key data_files/server5.key \
4941 -cert data_files/server5.ku-ka.crt" \
4942 0 \
4943 -s "bad certificate (usage extensions)" \
4944 -S "Processing of the Certificate handshake message failed"
4945
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4946# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
4947
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4948run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4949 "$P_SRV key_file=data_files/server5.key \
4950 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4951 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4952 0
4953
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4954run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4955 "$P_SRV key_file=data_files/server5.key \
4956 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4957 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4958 0
4959
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4960run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4961 "$P_SRV key_file=data_files/server5.key \
4962 crt_file=data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4963 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4964 0
4965
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4966run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]4967 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4968 crt_file=data_files/server5.eku-cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4969 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4970 1
4971
4972# Tests for extendedKeyUsage, part 2: client-side checking of server cert
4973
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4974run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4975 "$O_SRV -key data_files/server5.key \
4976 -cert data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4977 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4978 0 \
4979 -C "bad certificate (usage extensions)" \
4980 -C "Processing of the Certificate handshake message failed" \
4981 -c "Ciphersuite is TLS-"
4982
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4983run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4984 "$O_SRV -key data_files/server5.key \
4985 -cert data_files/server5.eku-srv_cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4986 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4987 0 \
4988 -C "bad certificate (usage extensions)" \
4989 -C "Processing of the Certificate handshake message failed" \
4990 -c "Ciphersuite is TLS-"
4991
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4992run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4993 "$O_SRV -key data_files/server5.key \
4994 -cert data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4995 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4996 0 \
4997 -C "bad certificate (usage extensions)" \
4998 -C "Processing of the Certificate handshake message failed" \
4999 -c "Ciphersuite is TLS-"
5000
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5001run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5002 "$O_SRV -key data_files/server5.key \
5003 -cert data_files/server5.eku-cs.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5004 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5005 1 \
5006 -c "bad certificate (usage extensions)" \
5007 -c "Processing of the Certificate handshake message failed" \
5008 -C "Ciphersuite is TLS-"
5009
5010# Tests for extendedKeyUsage, part 3: server-side checking of client cert
5011
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5012run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5013 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5014 "$O_CLI -key data_files/server5.key \
5015 -cert data_files/server5.eku-cli.crt" \
5016 0 \
5017 -S "bad certificate (usage extensions)" \
5018 -S "Processing of the Certificate handshake message failed"
5019
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5020run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5021 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5022 "$O_CLI -key data_files/server5.key \
5023 -cert data_files/server5.eku-srv_cli.crt" \
5024 0 \
5025 -S "bad certificate (usage extensions)" \
5026 -S "Processing of the Certificate handshake message failed"
5027
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5028run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5029 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5030 "$O_CLI -key data_files/server5.key \
5031 -cert data_files/server5.eku-cs_any.crt" \
5032 0 \
5033 -S "bad certificate (usage extensions)" \
5034 -S "Processing of the Certificate handshake message failed"
5035
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5036run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5037 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5038 "$O_CLI -key data_files/server5.key \
5039 -cert data_files/server5.eku-cs.crt" \
5040 0 \
5041 -s "bad certificate (usage extensions)" \
5042 -S "Processing of the Certificate handshake message failed"
5043
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5044run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5045 "$P_SRV debug_level=1 auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5046 "$O_CLI -key data_files/server5.key \
5047 -cert data_files/server5.eku-cs.crt" \
5048 1 \
5049 -s "bad certificate (usage extensions)" \
5050 -s "Processing of the Certificate handshake message failed"
5051
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5052# Tests for DHM parameters loading
5053
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5054run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5055 "$P_SRV" \
5056 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5057 debug_level=3" \
5058 0 \
5059 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]5060 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5061
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5062run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5063 "$P_SRV dhm_file=data_files/dhparams.pem" \
5064 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5065 debug_level=3" \
5066 0 \
5067 -c "value of 'DHM: P ' (1024 bits)" \
5068 -c "value of 'DHM: G ' (2 bits)"
5069
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5070# Tests for DHM client-side size checking
5071
5072run_test "DHM size: server default, client default, OK" \
5073 "$P_SRV" \
5074 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5075 debug_level=1" \
5076 0 \
5077 -C "DHM prime too short:"
5078
5079run_test "DHM size: server default, client 2048, OK" \
5080 "$P_SRV" \
5081 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5082 debug_level=1 dhmlen=2048" \
5083 0 \
5084 -C "DHM prime too short:"
5085
5086run_test "DHM size: server 1024, client default, OK" \
5087 "$P_SRV dhm_file=data_files/dhparams.pem" \
5088 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5089 debug_level=1" \
5090 0 \
5091 -C "DHM prime too short:"
5092
5093run_test "DHM size: server 1000, client default, rejected" \
5094 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5095 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5096 debug_level=1" \
5097 1 \
5098 -c "DHM prime too short:"
5099
5100run_test "DHM size: server default, client 2049, rejected" \
5101 "$P_SRV" \
5102 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5103 debug_level=1 dhmlen=2049" \
5104 1 \
5105 -c "DHM prime too short:"
5106
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5107# Tests for PSK callback
5108
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5109run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5110 "$P_SRV psk=abc123 psk_identity=foo" \
5111 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5112 psk_identity=foo psk=abc123" \
5113 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5114 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5115 -S "SSL - Unknown identity received" \
5116 -S "SSL - Verification of the message MAC failed"
5117
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5118run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5119 "$P_SRV" \
5120 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5121 psk_identity=foo psk=abc123" \
5122 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5123 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5124 -S "SSL - Unknown identity received" \
5125 -S "SSL - Verification of the message MAC failed"
5126
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5127run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5128 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
5129 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5130 psk_identity=foo psk=abc123" \
5131 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5132 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5133 -s "SSL - Unknown identity received" \
5134 -S "SSL - Verification of the message MAC failed"
5135
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5136run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5137 "$P_SRV psk_list=abc,dead,def,beef" \
5138 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5139 psk_identity=abc psk=dead" \
5140 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5141 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5142 -S "SSL - Unknown identity received" \
5143 -S "SSL - Verification of the message MAC failed"
5144
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5145run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5146 "$P_SRV psk_list=abc,dead,def,beef" \
5147 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5148 psk_identity=def psk=beef" \
5149 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5150 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5151 -S "SSL - Unknown identity received" \
5152 -S "SSL - Verification of the message MAC failed"
5153
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5154run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5155 "$P_SRV psk_list=abc,dead,def,beef" \
5156 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5157 psk_identity=ghi psk=beef" \
5158 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5159 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5160 -s "SSL - Unknown identity received" \
5161 -S "SSL - Verification of the message MAC failed"
5162
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5163run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5164 "$P_SRV psk_list=abc,dead,def,beef" \
5165 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5166 psk_identity=abc psk=beef" \
5167 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5168 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5169 -S "SSL - Unknown identity received" \
5170 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5171
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5172# Tests for EC J-PAKE
5173
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5174requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5175run_test "ECJPAKE: client not configured" \
5176 "$P_SRV debug_level=3" \
5177 "$P_CLI debug_level=3" \
5178 0 \
5179 -C "add ciphersuite: c0ff" \
5180 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5181 -S "found ecjpake kkpp extension" \
5182 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5183 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5184 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5185 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5186 -S "None of the common ciphersuites is usable"
5187
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5188requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5189run_test "ECJPAKE: server not configured" \
5190 "$P_SRV debug_level=3" \
5191 "$P_CLI debug_level=3 ecjpake_pw=bla \
5192 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5193 1 \
5194 -c "add ciphersuite: c0ff" \
5195 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5196 -s "found ecjpake kkpp extension" \
5197 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5198 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5199 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5200 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5201 -s "None of the common ciphersuites is usable"
5202
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5203requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5204run_test "ECJPAKE: working, TLS" \
5205 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5206 "$P_CLI debug_level=3 ecjpake_pw=bla \
5207 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]5208 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5209 -c "add ciphersuite: c0ff" \
5210 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5211 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5212 -s "found ecjpake kkpp extension" \
5213 -S "skip ecjpake kkpp extension" \
5214 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5215 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5216 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5217 -S "None of the common ciphersuites is usable" \
5218 -S "SSL - Verification of the message MAC failed"
5219
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5220server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5221requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5222run_test "ECJPAKE: password mismatch, TLS" \
5223 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5224 "$P_CLI debug_level=3 ecjpake_pw=bad \
5225 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5226 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5227 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5228 -s "SSL - Verification of the message MAC failed"
5229
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5230requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5231run_test "ECJPAKE: working, DTLS" \
5232 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5233 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5234 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5235 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5236 -c "re-using cached ecjpake parameters" \
5237 -S "SSL - Verification of the message MAC failed"
5238
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5239requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5240run_test "ECJPAKE: working, DTLS, no cookie" \
5241 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
5242 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5243 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5244 0 \
5245 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5246 -S "SSL - Verification of the message MAC failed"
5247
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5248server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5249requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5250run_test "ECJPAKE: password mismatch, DTLS" \
5251 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5252 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
5253 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5254 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5255 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5256 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5257
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5258# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5259requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5260run_test "ECJPAKE: working, DTLS, nolog" \
5261 "$P_SRV dtls=1 ecjpake_pw=bla" \
5262 "$P_CLI dtls=1 ecjpake_pw=bla \
5263 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5264 0
5265
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5266# Tests for ciphersuites per version
5267
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5268requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5269requires_config_enabled MBEDTLS_CAMELLIA_C
5270requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5271run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5272 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5273 "$P_CLI force_version=ssl3" \
5274 0 \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5275 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5276
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5277requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
5278requires_config_enabled MBEDTLS_CAMELLIA_C
5279requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5280run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5281 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]5282 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5283 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5284 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5285
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5286requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
5287requires_config_enabled MBEDTLS_CAMELLIA_C
5288requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5289run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5290 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5291 "$P_CLI force_version=tls1_1" \
5292 0 \
5293 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
5294
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5295requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
5296requires_config_enabled MBEDTLS_CAMELLIA_C
5297requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5298run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5299 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5300 "$P_CLI force_version=tls1_2" \
5301 0 \
5302 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
5303
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5304# Test for ClientHello without extensions
5305
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]5306requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5307run_test "ClientHello without extensions, SHA-1 allowed" \
Ron Eldorb76e7652019-01-16 23:14:41 +0200[diff] [blame]5308 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5309 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5310 0 \
5311 -s "dumping 'client hello extensions' (0 bytes)"
5312
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5313requires_gnutls
5314run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
5315 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5316 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5317 0 \
5318 -s "dumping 'client hello extensions' (0 bytes)"
5319
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5320# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5322run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5323 "$P_SRV" \
5324 "$P_CLI request_size=100" \
5325 0 \
5326 -s "Read from client: 100 bytes read$"
5327
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5328run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5329 "$P_SRV" \
5330 "$P_CLI request_size=500" \
5331 0 \
5332 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5333
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5334# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5335
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5336requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5337run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5338 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5339 "$P_CLI request_size=1 force_version=ssl3 \
5340 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5341 0 \
5342 -s "Read from client: 1 bytes read"
5343
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5344requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5345run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5346 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5347 "$P_CLI request_size=1 force_version=ssl3 \
5348 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5349 0 \
5350 -s "Read from client: 1 bytes read"
5351
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5352run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5353 "$P_SRV" \
5354 "$P_CLI request_size=1 force_version=tls1 \
5355 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5356 0 \
5357 -s "Read from client: 1 bytes read"
5358
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5359run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5360 "$P_SRV" \
5361 "$P_CLI request_size=1 force_version=tls1 etm=0 \
5362 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5363 0 \
5364 -s "Read from client: 1 bytes read"
5365
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5366requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5367run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5368 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5369 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5370 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5371 0 \
5372 -s "Read from client: 1 bytes read"
5373
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5374requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5375run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5376 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5377 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5378 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5379 0 \
5380 -s "Read from client: 1 bytes read"
5381
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5382run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5383 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5384 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5385 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5386 0 \
5387 -s "Read from client: 1 bytes read"
5388
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5389run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5390 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5391 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5392 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5393 0 \
5394 -s "Read from client: 1 bytes read"
5395
5396requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5397run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5398 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5399 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5400 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5401 0 \
5402 -s "Read from client: 1 bytes read"
5403
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5404requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5405run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5406 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5407 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5408 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5409 0 \
5410 -s "Read from client: 1 bytes read"
5411
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5412run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5413 "$P_SRV" \
5414 "$P_CLI request_size=1 force_version=tls1_1 \
5415 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5416 0 \
5417 -s "Read from client: 1 bytes read"
5418
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5419run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5420 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5421 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5422 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5423 0 \
5424 -s "Read from client: 1 bytes read"
5425
5426requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5427run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5428 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5429 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5430 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5431 0 \
5432 -s "Read from client: 1 bytes read"
5433
5434requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5435run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5436 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5437 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5438 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5439 0 \
5440 -s "Read from client: 1 bytes read"
5441
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5442run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5443 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5444 "$P_CLI request_size=1 force_version=tls1_1 \
5445 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5446 0 \
5447 -s "Read from client: 1 bytes read"
5448
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5449run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5450 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5451 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5452 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5453 0 \
5454 -s "Read from client: 1 bytes read"
5455
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5456requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5457run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5458 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5459 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5460 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5461 0 \
5462 -s "Read from client: 1 bytes read"
5463
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5464requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5465run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5466 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5467 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5468 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5469 0 \
5470 -s "Read from client: 1 bytes read"
5471
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5472run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5473 "$P_SRV" \
5474 "$P_CLI request_size=1 force_version=tls1_2 \
5475 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5476 0 \
5477 -s "Read from client: 1 bytes read"
5478
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5479run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5480 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5481 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5482 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5483 0 \
5484 -s "Read from client: 1 bytes read"
5485
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5486run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5487 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5488 "$P_CLI request_size=1 force_version=tls1_2 \
5489 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5490 0 \
5491 -s "Read from client: 1 bytes read"
5492
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5493requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5494run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5495 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5496 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5497 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5498 0 \
5499 -s "Read from client: 1 bytes read"
5500
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5501requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5502run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5503 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5504 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5505 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5506 0 \
5507 -s "Read from client: 1 bytes read"
5508
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5509run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5510 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5511 "$P_CLI request_size=1 force_version=tls1_2 \
5512 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5513 0 \
5514 -s "Read from client: 1 bytes read"
5515
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5516run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5517 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5518 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5519 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5520 0 \
5521 -s "Read from client: 1 bytes read"
5522
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5523requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5524run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5525 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5526 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5527 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5528 0 \
5529 -s "Read from client: 1 bytes read"
5530
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5531requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5532run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5533 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5534 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5535 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5536 0 \
5537 -s "Read from client: 1 bytes read"
5538
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5539run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5540 "$P_SRV" \
5541 "$P_CLI request_size=1 force_version=tls1_2 \
5542 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5543 0 \
5544 -s "Read from client: 1 bytes read"
5545
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5546run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5547 "$P_SRV" \
5548 "$P_CLI request_size=1 force_version=tls1_2 \
5549 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5550 0 \
5551 -s "Read from client: 1 bytes read"
5552
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5553# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5554
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5555run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5556 "$P_SRV dtls=1 force_version=dtls1" \
5557 "$P_CLI dtls=1 request_size=1 \
5558 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5559 0 \
5560 -s "Read from client: 1 bytes read"
5561
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5562run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5563 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
5564 "$P_CLI dtls=1 request_size=1 \
5565 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5566 0 \
5567 -s "Read from client: 1 bytes read"
5568
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5569requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5570run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5571 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
5572 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5573 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5574 0 \
5575 -s "Read from client: 1 bytes read"
5576
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5577requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5578run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5579 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5580 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5581 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5582 0 \
5583 -s "Read from client: 1 bytes read"
5584
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5585run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5586 "$P_SRV dtls=1 force_version=dtls1_2" \
5587 "$P_CLI dtls=1 request_size=1 \
5588 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5589 0 \
5590 -s "Read from client: 1 bytes read"
5591
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5592run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5593 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5594 "$P_CLI dtls=1 request_size=1 \
5595 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5596 0 \
5597 -s "Read from client: 1 bytes read"
5598
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5599requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5600run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5601 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5602 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5603 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5604 0 \
5605 -s "Read from client: 1 bytes read"
5606
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5607requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5608run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5609 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5610 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5611 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5612 0 \
5613 -s "Read from client: 1 bytes read"
5614
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5615# Tests for small server packets
5616
5617requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5618run_test "Small server packet SSLv3 BlockCipher" \
5619 "$P_SRV response_size=1 min_version=ssl3" \
5620 "$P_CLI force_version=ssl3 \
5621 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5622 0 \
5623 -c "Read from server: 1 bytes read"
5624
5625requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5626run_test "Small server packet SSLv3 StreamCipher" \
5627 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5628 "$P_CLI force_version=ssl3 \
5629 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5630 0 \
5631 -c "Read from server: 1 bytes read"
5632
5633run_test "Small server packet TLS 1.0 BlockCipher" \
5634 "$P_SRV response_size=1" \
5635 "$P_CLI force_version=tls1 \
5636 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5637 0 \
5638 -c "Read from server: 1 bytes read"
5639
5640run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
5641 "$P_SRV response_size=1" \
5642 "$P_CLI force_version=tls1 etm=0 \
5643 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5644 0 \
5645 -c "Read from server: 1 bytes read"
5646
5647requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5648run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
5649 "$P_SRV response_size=1 trunc_hmac=1" \
5650 "$P_CLI force_version=tls1 \
5651 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5652 0 \
5653 -c "Read from server: 1 bytes read"
5654
5655requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5656run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
5657 "$P_SRV response_size=1 trunc_hmac=1" \
5658 "$P_CLI force_version=tls1 \
5659 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5660 0 \
5661 -c "Read from server: 1 bytes read"
5662
5663run_test "Small server packet TLS 1.0 StreamCipher" \
5664 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5665 "$P_CLI force_version=tls1 \
5666 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5667 0 \
5668 -c "Read from server: 1 bytes read"
5669
5670run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
5671 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5672 "$P_CLI force_version=tls1 \
5673 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5674 0 \
5675 -c "Read from server: 1 bytes read"
5676
5677requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5678run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
5679 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5680 "$P_CLI force_version=tls1 \
5681 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5682 0 \
5683 -c "Read from server: 1 bytes read"
5684
5685requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5686run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
5687 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5688 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5689 trunc_hmac=1 etm=0" \
5690 0 \
5691 -c "Read from server: 1 bytes read"
5692
5693run_test "Small server packet TLS 1.1 BlockCipher" \
5694 "$P_SRV response_size=1" \
5695 "$P_CLI force_version=tls1_1 \
5696 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5697 0 \
5698 -c "Read from server: 1 bytes read"
5699
5700run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
5701 "$P_SRV response_size=1" \
5702 "$P_CLI force_version=tls1_1 \
5703 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5704 0 \
5705 -c "Read from server: 1 bytes read"
5706
5707requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5708run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
5709 "$P_SRV response_size=1 trunc_hmac=1" \
5710 "$P_CLI force_version=tls1_1 \
5711 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5712 0 \
5713 -c "Read from server: 1 bytes read"
5714
5715requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5716run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
5717 "$P_SRV response_size=1 trunc_hmac=1" \
5718 "$P_CLI force_version=tls1_1 \
5719 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5720 0 \
5721 -c "Read from server: 1 bytes read"
5722
5723run_test "Small server packet TLS 1.1 StreamCipher" \
5724 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5725 "$P_CLI force_version=tls1_1 \
5726 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5727 0 \
5728 -c "Read from server: 1 bytes read"
5729
5730run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
5731 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5732 "$P_CLI force_version=tls1_1 \
5733 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5734 0 \
5735 -c "Read from server: 1 bytes read"
5736
5737requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5738run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
5739 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5740 "$P_CLI force_version=tls1_1 \
5741 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5742 0 \
5743 -c "Read from server: 1 bytes read"
5744
5745requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5746run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
5747 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5748 "$P_CLI force_version=tls1_1 \
5749 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5750 0 \
5751 -c "Read from server: 1 bytes read"
5752
5753run_test "Small server packet TLS 1.2 BlockCipher" \
5754 "$P_SRV response_size=1" \
5755 "$P_CLI force_version=tls1_2 \
5756 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5757 0 \
5758 -c "Read from server: 1 bytes read"
5759
5760run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
5761 "$P_SRV response_size=1" \
5762 "$P_CLI force_version=tls1_2 \
5763 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5764 0 \
5765 -c "Read from server: 1 bytes read"
5766
5767run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
5768 "$P_SRV response_size=1" \
5769 "$P_CLI force_version=tls1_2 \
5770 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
5771 0 \
5772 -c "Read from server: 1 bytes read"
5773
5774requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5775run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
5776 "$P_SRV response_size=1 trunc_hmac=1" \
5777 "$P_CLI force_version=tls1_2 \
5778 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5779 0 \
5780 -c "Read from server: 1 bytes read"
5781
5782requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5783run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
5784 "$P_SRV response_size=1 trunc_hmac=1" \
5785 "$P_CLI force_version=tls1_2 \
5786 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5787 0 \
5788 -c "Read from server: 1 bytes read"
5789
5790run_test "Small server packet TLS 1.2 StreamCipher" \
5791 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5792 "$P_CLI force_version=tls1_2 \
5793 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5794 0 \
5795 -c "Read from server: 1 bytes read"
5796
5797run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
5798 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5799 "$P_CLI force_version=tls1_2 \
5800 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5801 0 \
5802 -c "Read from server: 1 bytes read"
5803
5804requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5805run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
5806 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5807 "$P_CLI force_version=tls1_2 \
5808 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5809 0 \
5810 -c "Read from server: 1 bytes read"
5811
5812requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5813run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
5814 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5815 "$P_CLI force_version=tls1_2 \
5816 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5817 0 \
5818 -c "Read from server: 1 bytes read"
5819
5820run_test "Small server packet TLS 1.2 AEAD" \
5821 "$P_SRV response_size=1" \
5822 "$P_CLI force_version=tls1_2 \
5823 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5824 0 \
5825 -c "Read from server: 1 bytes read"
5826
5827run_test "Small server packet TLS 1.2 AEAD shorter tag" \
5828 "$P_SRV response_size=1" \
5829 "$P_CLI force_version=tls1_2 \
5830 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5831 0 \
5832 -c "Read from server: 1 bytes read"
5833
5834# Tests for small server packets in DTLS
5835
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5836run_test "Small server packet DTLS 1.0" \
5837 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
5838 "$P_CLI dtls=1 \
5839 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5840 0 \
5841 -c "Read from server: 1 bytes read"
5842
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5843run_test "Small server packet DTLS 1.0, without EtM" \
5844 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
5845 "$P_CLI dtls=1 \
5846 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5847 0 \
5848 -c "Read from server: 1 bytes read"
5849
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5850requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5851run_test "Small server packet DTLS 1.0, truncated hmac" \
5852 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
5853 "$P_CLI dtls=1 trunc_hmac=1 \
5854 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5855 0 \
5856 -c "Read from server: 1 bytes read"
5857
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5858requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5859run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
5860 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
5861 "$P_CLI dtls=1 \
5862 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5863 0 \
5864 -c "Read from server: 1 bytes read"
5865
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5866run_test "Small server packet DTLS 1.2" \
5867 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
5868 "$P_CLI dtls=1 \
5869 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5870 0 \
5871 -c "Read from server: 1 bytes read"
5872
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5873run_test "Small server packet DTLS 1.2, without EtM" \
5874 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
5875 "$P_CLI dtls=1 \
5876 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5877 0 \
5878 -c "Read from server: 1 bytes read"
5879
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5880requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5881run_test "Small server packet DTLS 1.2, truncated hmac" \
5882 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
5883 "$P_CLI dtls=1 \
5884 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5885 0 \
5886 -c "Read from server: 1 bytes read"
5887
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5888requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5889run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
5890 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
5891 "$P_CLI dtls=1 \
5892 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5893 0 \
5894 -c "Read from server: 1 bytes read"
5895
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]5896# A test for extensions in SSLv3
5897
5898requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5899run_test "SSLv3 with extensions, server side" \
5900 "$P_SRV min_version=ssl3 debug_level=3" \
5901 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
5902 0 \
5903 -S "dumping 'client hello extensions'" \
5904 -S "server hello, total extension length:"
5905
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5906# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5907
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5908# How many fragments do we expect to write $1 bytes?
5909fragments_for_write() {
5910 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
5911}
5912
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5913requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5914run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5915 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5916 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5917 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5918 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5919 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5920 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5921
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5922requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5923run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5924 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5925 "$P_CLI request_size=16384 force_version=ssl3 \
5926 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5927 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5928 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5929 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5930
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5931run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5932 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5933 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5934 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5935 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5936 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5937 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5938
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5939run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5940 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5941 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
5942 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5943 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5944 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5945
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5946requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5947run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5948 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5949 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5950 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5951 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5952 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5953 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5954
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5955requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5956run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5957 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5958 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5959 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5960 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5961 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5962
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5963run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5964 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5965 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5966 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5967 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5968 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5969
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5970run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5971 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5972 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5973 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5974 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5975 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5976
5977requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5978run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5979 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5980 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5981 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5982 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5983 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5984
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5985requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5986run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5987 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5988 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5989 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5990 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5991 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5992 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5993
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5994run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5995 "$P_SRV" \
5996 "$P_CLI request_size=16384 force_version=tls1_1 \
5997 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5998 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5999 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6000 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6001
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6002run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6003 "$P_SRV" \
6004 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
6005 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6006 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6007 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6008
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6009requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6010run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6011 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6012 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6013 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6014 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6015 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6016
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6017requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6018run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6019 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6020 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6021 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6022 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6023 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6024
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6025run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6026 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6027 "$P_CLI request_size=16384 force_version=tls1_1 \
6028 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6029 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6030 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6031 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6032
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6033run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6034 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6035 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6036 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6037 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6038 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6039 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6040
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6041requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6042run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6043 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6044 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6045 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6046 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6047 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6048
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6049requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6050run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6051 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6052 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6053 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6054 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6055 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6056 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6057
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6058run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6059 "$P_SRV" \
6060 "$P_CLI request_size=16384 force_version=tls1_2 \
6061 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6062 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6063 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6064 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6065
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6066run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6067 "$P_SRV" \
6068 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
6069 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6070 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6071 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6072
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6073run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6074 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6075 "$P_CLI request_size=16384 force_version=tls1_2 \
6076 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6077 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6078 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6079 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6080
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6081requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6082run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6083 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6084 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6085 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6086 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6087 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6088
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6089requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6090run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6091 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6092 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6093 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6094 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6095 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6096 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6097
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6098run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6099 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6100 "$P_CLI request_size=16384 force_version=tls1_2 \
6101 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6102 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6103 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6104 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6105
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6106run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6107 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6108 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6109 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6110 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6111 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6112
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6113requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6114run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6115 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6116 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6117 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6118 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6119 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6120
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6121requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6122run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6123 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6124 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6125 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6126 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6127 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6128 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6129
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6130run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6131 "$P_SRV" \
6132 "$P_CLI request_size=16384 force_version=tls1_2 \
6133 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6134 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6135 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6136 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6137
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6138run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6139 "$P_SRV" \
6140 "$P_CLI request_size=16384 force_version=tls1_2 \
6141 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6142 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6143 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6144 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6145
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6146# Test for large server packets
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6147requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6148run_test "Large server packet SSLv3 StreamCipher" \
6149 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6150 "$P_CLI force_version=ssl3 \
6151 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6152 0 \
6153 -c "Read from server: 16384 bytes read"
6154
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]6155# Checking next 4 tests logs for 1n-1 split against BEAST too
6156requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6157run_test "Large server packet SSLv3 BlockCipher" \
6158 "$P_SRV response_size=16384 min_version=ssl3" \
6159 "$P_CLI force_version=ssl3 recsplit=0 \
6160 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6161 0 \
6162 -c "Read from server: 1 bytes read"\
6163 -c "16383 bytes read"\
6164 -C "Read from server: 16384 bytes read"
6165
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6166run_test "Large server packet TLS 1.0 BlockCipher" \
6167 "$P_SRV response_size=16384" \
6168 "$P_CLI force_version=tls1 recsplit=0 \
6169 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6170 0 \
6171 -c "Read from server: 1 bytes read"\
6172 -c "16383 bytes read"\
6173 -C "Read from server: 16384 bytes read"
6174
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6175run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
6176 "$P_SRV response_size=16384" \
6177 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
6178 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6179 0 \
6180 -c "Read from server: 1 bytes read"\
6181 -c "16383 bytes read"\
6182 -C "Read from server: 16384 bytes read"
6183
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6184requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6185run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
6186 "$P_SRV response_size=16384" \
6187 "$P_CLI force_version=tls1 recsplit=0 \
6188 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6189 trunc_hmac=1" \
6190 0 \
6191 -c "Read from server: 1 bytes read"\
6192 -c "16383 bytes read"\
6193 -C "Read from server: 16384 bytes read"
6194
6195requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6196run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
6197 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6198 "$P_CLI force_version=tls1 \
6199 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6200 trunc_hmac=1" \
6201 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6202 -s "16384 bytes written in 1 fragments" \
6203 -c "Read from server: 16384 bytes read"
6204
6205run_test "Large server packet TLS 1.0 StreamCipher" \
6206 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6207 "$P_CLI force_version=tls1 \
6208 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6209 0 \
6210 -s "16384 bytes written in 1 fragments" \
6211 -c "Read from server: 16384 bytes read"
6212
6213run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
6214 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6215 "$P_CLI force_version=tls1 \
6216 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6217 0 \
6218 -s "16384 bytes written in 1 fragments" \
6219 -c "Read from server: 16384 bytes read"
6220
6221requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6222run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
6223 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6224 "$P_CLI force_version=tls1 \
6225 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6226 0 \
6227 -s "16384 bytes written in 1 fragments" \
6228 -c "Read from server: 16384 bytes read"
6229
6230requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6231run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6232 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6233 "$P_CLI force_version=tls1 \
6234 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6235 0 \
6236 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6237 -c "Read from server: 16384 bytes read"
6238
6239run_test "Large server packet TLS 1.1 BlockCipher" \
6240 "$P_SRV response_size=16384" \
6241 "$P_CLI force_version=tls1_1 \
6242 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6243 0 \
6244 -c "Read from server: 16384 bytes read"
6245
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6246run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
6247 "$P_SRV response_size=16384" \
6248 "$P_CLI force_version=tls1_1 etm=0 \
6249 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6250 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6251 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6252 -c "Read from server: 16384 bytes read"
6253
6254requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6255run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
6256 "$P_SRV response_size=16384" \
6257 "$P_CLI force_version=tls1_1 \
6258 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6259 trunc_hmac=1" \
6260 0 \
6261 -c "Read from server: 16384 bytes read"
6262
6263requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6264run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6265 "$P_SRV response_size=16384 trunc_hmac=1" \
6266 "$P_CLI force_version=tls1_1 \
6267 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6268 0 \
6269 -s "16384 bytes written in 1 fragments" \
6270 -c "Read from server: 16384 bytes read"
6271
6272run_test "Large server packet TLS 1.1 StreamCipher" \
6273 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6274 "$P_CLI force_version=tls1_1 \
6275 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6276 0 \
6277 -c "Read from server: 16384 bytes read"
6278
6279run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
6280 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6281 "$P_CLI force_version=tls1_1 \
6282 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6283 0 \
6284 -s "16384 bytes written in 1 fragments" \
6285 -c "Read from server: 16384 bytes read"
6286
6287requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6288run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
6289 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6290 "$P_CLI force_version=tls1_1 \
6291 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6292 trunc_hmac=1" \
6293 0 \
6294 -c "Read from server: 16384 bytes read"
6295
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6296run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6297 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6298 "$P_CLI force_version=tls1_1 \
6299 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6300 0 \
6301 -s "16384 bytes written in 1 fragments" \
6302 -c "Read from server: 16384 bytes read"
6303
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6304run_test "Large server packet TLS 1.2 BlockCipher" \
6305 "$P_SRV response_size=16384" \
6306 "$P_CLI force_version=tls1_2 \
6307 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6308 0 \
6309 -c "Read from server: 16384 bytes read"
6310
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6311run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
6312 "$P_SRV response_size=16384" \
6313 "$P_CLI force_version=tls1_2 etm=0 \
6314 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6315 0 \
6316 -s "16384 bytes written in 1 fragments" \
6317 -c "Read from server: 16384 bytes read"
6318
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6319run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
6320 "$P_SRV response_size=16384" \
6321 "$P_CLI force_version=tls1_2 \
6322 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6323 0 \
6324 -c "Read from server: 16384 bytes read"
6325
6326requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6327run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
6328 "$P_SRV response_size=16384" \
6329 "$P_CLI force_version=tls1_2 \
6330 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6331 trunc_hmac=1" \
6332 0 \
6333 -c "Read from server: 16384 bytes read"
6334
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6335run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6336 "$P_SRV response_size=16384 trunc_hmac=1" \
6337 "$P_CLI force_version=tls1_2 \
6338 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6339 0 \
6340 -s "16384 bytes written in 1 fragments" \
6341 -c "Read from server: 16384 bytes read"
6342
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6343run_test "Large server packet TLS 1.2 StreamCipher" \
6344 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6345 "$P_CLI force_version=tls1_2 \
6346 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6347 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6348 -s "16384 bytes written in 1 fragments" \
6349 -c "Read from server: 16384 bytes read"
6350
6351run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
6352 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6353 "$P_CLI force_version=tls1_2 \
6354 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6355 0 \
6356 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6357 -c "Read from server: 16384 bytes read"
6358
6359requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6360run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
6361 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6362 "$P_CLI force_version=tls1_2 \
6363 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6364 trunc_hmac=1" \
6365 0 \
6366 -c "Read from server: 16384 bytes read"
6367
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6368requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6369run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6370 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6371 "$P_CLI force_version=tls1_2 \
6372 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6373 0 \
6374 -s "16384 bytes written in 1 fragments" \
6375 -c "Read from server: 16384 bytes read"
6376
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6377run_test "Large server packet TLS 1.2 AEAD" \
6378 "$P_SRV response_size=16384" \
6379 "$P_CLI force_version=tls1_2 \
6380 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6381 0 \
6382 -c "Read from server: 16384 bytes read"
6383
6384run_test "Large server packet TLS 1.2 AEAD shorter tag" \
6385 "$P_SRV response_size=16384" \
6386 "$P_CLI force_version=tls1_2 \
6387 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6388 0 \
6389 -c "Read from server: 16384 bytes read"
6390
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6391# Tests for restartable ECC
6392
6393requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6394run_test "EC restart: TLS, default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6395 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6396 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6397 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6398 debug_level=1" \
6399 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6400 -C "x509_verify_cert.*4b00" \
6401 -C "mbedtls_pk_verify.*4b00" \
6402 -C "mbedtls_ecdh_make_public.*4b00" \
6403 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6404
6405requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6406run_test "EC restart: TLS, max_ops=0" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6407 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6408 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6409 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6410 debug_level=1 ec_max_ops=0" \
6411 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6412 -C "x509_verify_cert.*4b00" \
6413 -C "mbedtls_pk_verify.*4b00" \
6414 -C "mbedtls_ecdh_make_public.*4b00" \
6415 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6416
6417requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6418run_test "EC restart: TLS, max_ops=65535" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6419 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6420 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6421 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6422 debug_level=1 ec_max_ops=65535" \
6423 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6424 -C "x509_verify_cert.*4b00" \
6425 -C "mbedtls_pk_verify.*4b00" \
6426 -C "mbedtls_ecdh_make_public.*4b00" \
6427 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6428
6429requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6430run_test "EC restart: TLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6431 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6432 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6433 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6434 debug_level=1 ec_max_ops=1000" \
6435 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6436 -c "x509_verify_cert.*4b00" \
6437 -c "mbedtls_pk_verify.*4b00" \
6438 -c "mbedtls_ecdh_make_public.*4b00" \
6439 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6440
6441requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6442requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6443run_test "EC restart: TLS, max_ops=1000, badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6444 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6445 crt_file=data_files/server5-badsign.crt \
6446 key_file=data_files/server5.key" \
6447 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6448 key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \
6449 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6450 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6451 -c "x509_verify_cert.*4b00" \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6452 -c "mbedtls_pk_verify.*4b00" \
6453 -c "mbedtls_ecdh_make_public.*4b00" \
6454 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6455 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6456
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6457requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6458requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6459run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6460 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6461 crt_file=data_files/server5-badsign.crt \
6462 key_file=data_files/server5.key" \
6463 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6464 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6465 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6466 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6467 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6468 -c "x509_verify_cert.*4b00" \
6469 -c "mbedtls_pk_verify.*4b00" \
6470 -c "mbedtls_ecdh_make_public.*4b00" \
6471 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6472 -c "! The certificate is not correctly signed by the trusted CA" \
6473 -C "! mbedtls_ssl_handshake returned" \
6474 -C "X509 - Certificate verification failed"
6475
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6476requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6477requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6478requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6479run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6480 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6481 crt_file=data_files/server5-badsign.crt \
6482 key_file=data_files/server5.key" \
6483 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6484 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6485 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6486 debug_level=1 ec_max_ops=1000 auth_mode=none" \
6487 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6488 -C "x509_verify_cert.*4b00" \
6489 -c "mbedtls_pk_verify.*4b00" \
6490 -c "mbedtls_ecdh_make_public.*4b00" \
6491 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6492 -C "! The certificate is not correctly signed by the trusted CA" \
6493 -C "! mbedtls_ssl_handshake returned" \
6494 -C "X509 - Certificate verification failed"
6495
6496requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6497run_test "EC restart: DTLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6498 "$P_SRV auth_mode=required dtls=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6499 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6500 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6501 dtls=1 debug_level=1 ec_max_ops=1000" \
6502 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6503 -c "x509_verify_cert.*4b00" \
6504 -c "mbedtls_pk_verify.*4b00" \
6505 -c "mbedtls_ecdh_make_public.*4b00" \
6506 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6507
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6508requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6509run_test "EC restart: TLS, max_ops=1000 no client auth" \
6510 "$P_SRV" \
6511 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6512 debug_level=1 ec_max_ops=1000" \
6513 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6514 -c "x509_verify_cert.*4b00" \
6515 -c "mbedtls_pk_verify.*4b00" \
6516 -c "mbedtls_ecdh_make_public.*4b00" \
6517 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6518
6519requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6520run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
6521 "$P_SRV psk=abc123" \
6522 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
6523 psk=abc123 debug_level=1 ec_max_ops=1000" \
6524 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6525 -C "x509_verify_cert.*4b00" \
6526 -C "mbedtls_pk_verify.*4b00" \
6527 -C "mbedtls_ecdh_make_public.*4b00" \
6528 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6529
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6530# Tests of asynchronous private key support in SSL
6531
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6532requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6533run_test "SSL async private: sign, delay=0" \
6534 "$P_SRV \
6535 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6536 "$P_CLI" \
6537 0 \
6538 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6539 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6540
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6541requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6542run_test "SSL async private: sign, delay=1" \
6543 "$P_SRV \
6544 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6545 "$P_CLI" \
6546 0 \
6547 -s "Async sign callback: using key slot " \
6548 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6549 -s "Async resume (slot [0-9]): sign done, status=0"
6550
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]6551requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6552run_test "SSL async private: sign, delay=2" \
6553 "$P_SRV \
6554 async_operations=s async_private_delay1=2 async_private_delay2=2" \
6555 "$P_CLI" \
6556 0 \
6557 -s "Async sign callback: using key slot " \
6558 -U "Async sign callback: using key slot " \
6559 -s "Async resume (slot [0-9]): call 1 more times." \
6560 -s "Async resume (slot [0-9]): call 0 more times." \
6561 -s "Async resume (slot [0-9]): sign done, status=0"
6562
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]6563# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
6564# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
6565requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6566requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6567run_test "SSL async private: sign, RSA, TLS 1.1" \
6568 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
6569 async_operations=s async_private_delay1=0 async_private_delay2=0" \
6570 "$P_CLI force_version=tls1_1" \
6571 0 \
6572 -s "Async sign callback: using key slot " \
6573 -s "Async resume (slot [0-9]): sign done, status=0"
6574
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6575requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]6576requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]6577requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6578requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]6579run_test "SSL async private: sign, SNI" \
6580 "$P_SRV debug_level=3 \
6581 async_operations=s async_private_delay1=0 async_private_delay2=0 \
6582 crt_file=data_files/server5.crt key_file=data_files/server5.key \
6583 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
6584 "$P_CLI server_name=polarssl.example" \
6585 0 \
6586 -s "Async sign callback: using key slot " \
6587 -s "Async resume (slot [0-9]): sign done, status=0" \
6588 -s "parse ServerName extension" \
6589 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6590 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
6591
6592requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6593run_test "SSL async private: decrypt, delay=0" \
6594 "$P_SRV \
6595 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6596 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6597 0 \
6598 -s "Async decrypt callback: using key slot " \
6599 -s "Async resume (slot [0-9]): decrypt done, status=0"
6600
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6601requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6602run_test "SSL async private: decrypt, delay=1" \
6603 "$P_SRV \
6604 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6605 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6606 0 \
6607 -s "Async decrypt callback: using key slot " \
6608 -s "Async resume (slot [0-9]): call 0 more times." \
6609 -s "Async resume (slot [0-9]): decrypt done, status=0"
6610
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6611requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6612run_test "SSL async private: decrypt RSA-PSK, delay=0" \
6613 "$P_SRV psk=abc123 \
6614 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6615 "$P_CLI psk=abc123 \
6616 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6617 0 \
6618 -s "Async decrypt callback: using key slot " \
6619 -s "Async resume (slot [0-9]): decrypt done, status=0"
6620
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6621requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6622run_test "SSL async private: decrypt RSA-PSK, delay=1" \
6623 "$P_SRV psk=abc123 \
6624 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6625 "$P_CLI psk=abc123 \
6626 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6627 0 \
6628 -s "Async decrypt callback: using key slot " \
6629 -s "Async resume (slot [0-9]): call 0 more times." \
6630 -s "Async resume (slot [0-9]): decrypt done, status=0"
6631
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6632requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6633run_test "SSL async private: sign callback not present" \
6634 "$P_SRV \
6635 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6636 "$P_CLI; [ \$? -eq 1 ] &&
6637 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6638 0 \
6639 -S "Async sign callback" \
6640 -s "! mbedtls_ssl_handshake returned" \
6641 -s "The own private key or pre-shared key is not set, but needed" \
6642 -s "Async resume (slot [0-9]): decrypt done, status=0" \
6643 -s "Successful connection"
6644
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6645requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6646run_test "SSL async private: decrypt callback not present" \
6647 "$P_SRV debug_level=1 \
6648 async_operations=s async_private_delay1=1 async_private_delay2=1" \
6649 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
6650 [ \$? -eq 1 ] && $P_CLI" \
6651 0 \
6652 -S "Async decrypt callback" \
6653 -s "! mbedtls_ssl_handshake returned" \
6654 -s "got no RSA private key" \
6655 -s "Async resume (slot [0-9]): sign done, status=0" \
6656 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6657
6658# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6659requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6660run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6661 "$P_SRV \
6662 async_operations=s async_private_delay1=1 \
6663 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6664 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6665 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ca_file=data_files/test-ca2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6666 0 \
6667 -s "Async sign callback: using key slot 0," \
6668 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6669 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6670
6671# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6672requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6673run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6674 "$P_SRV \
6675 async_operations=s async_private_delay2=1 \
6676 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6677 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6678 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6679 0 \
6680 -s "Async sign callback: using key slot 0," \
6681 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6682 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6683
6684# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6685requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]6686run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6687 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]6688 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6689 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6690 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6691 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6692 0 \
6693 -s "Async sign callback: using key slot 1," \
6694 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6695 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6696
6697# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6698requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6699run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6700 "$P_SRV \
6701 async_operations=s async_private_delay1=1 \
6702 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6703 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6704 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6705 0 \
6706 -s "Async sign callback: no key matches this certificate."
6707
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6708requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6709run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6710 "$P_SRV \
6711 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6712 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6713 "$P_CLI" \
6714 1 \
6715 -s "Async sign callback: injected error" \
6716 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6717 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6718 -s "! mbedtls_ssl_handshake returned"
6719
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6720requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6721run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6722 "$P_SRV \
6723 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6724 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6725 "$P_CLI" \
6726 1 \
6727 -s "Async sign callback: using key slot " \
6728 -S "Async resume" \
6729 -s "Async cancel"
6730
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6731requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6732run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6733 "$P_SRV \
6734 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6735 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6736 "$P_CLI" \
6737 1 \
6738 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6739 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6740 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6741 -s "! mbedtls_ssl_handshake returned"
6742
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6743requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6744run_test "SSL async private: decrypt, error in start" \
6745 "$P_SRV \
6746 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6747 async_private_error=1" \
6748 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6749 1 \
6750 -s "Async decrypt callback: injected error" \
6751 -S "Async resume" \
6752 -S "Async cancel" \
6753 -s "! mbedtls_ssl_handshake returned"
6754
6755requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6756run_test "SSL async private: decrypt, cancel after start" \
6757 "$P_SRV \
6758 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6759 async_private_error=2" \
6760 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6761 1 \
6762 -s "Async decrypt callback: using key slot " \
6763 -S "Async resume" \
6764 -s "Async cancel"
6765
6766requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6767run_test "SSL async private: decrypt, error in resume" \
6768 "$P_SRV \
6769 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6770 async_private_error=3" \
6771 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6772 1 \
6773 -s "Async decrypt callback: using key slot " \
6774 -s "Async resume callback: decrypt done but injected error" \
6775 -S "Async cancel" \
6776 -s "! mbedtls_ssl_handshake returned"
6777
6778requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6779run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6780 "$P_SRV \
6781 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6782 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6783 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6784 0 \
6785 -s "Async cancel" \
6786 -s "! mbedtls_ssl_handshake returned" \
6787 -s "Async resume" \
6788 -s "Successful connection"
6789
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6790requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6791run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6792 "$P_SRV \
6793 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6794 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6795 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6796 0 \
6797 -s "! mbedtls_ssl_handshake returned" \
6798 -s "Async resume" \
6799 -s "Successful connection"
6800
6801# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6802requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6803run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6804 "$P_SRV \
6805 async_operations=s async_private_delay1=1 async_private_error=-2 \
6806 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6807 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6808 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6809 [ \$? -eq 1 ] &&
6810 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6811 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]6812 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6813 -S "Async resume" \
6814 -s "Async cancel" \
6815 -s "! mbedtls_ssl_handshake returned" \
6816 -s "Async sign callback: no key matches this certificate." \
6817 -s "Successful connection"
6818
6819# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6820requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6821run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6822 "$P_SRV \
6823 async_operations=s async_private_delay1=1 async_private_error=-3 \
6824 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6825 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6826 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6827 [ \$? -eq 1 ] &&
6828 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6829 0 \
6830 -s "Async resume" \
6831 -s "! mbedtls_ssl_handshake returned" \
6832 -s "Async sign callback: no key matches this certificate." \
6833 -s "Successful connection"
6834
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6835requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6836requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6837run_test "SSL async private: renegotiation: client-initiated; sign" \
6838 "$P_SRV \
6839 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6840 exchanges=2 renegotiation=1" \
6841 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
6842 0 \
6843 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6844 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6845
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6846requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6847requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6848run_test "SSL async private: renegotiation: server-initiated; sign" \
6849 "$P_SRV \
6850 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6851 exchanges=2 renegotiation=1 renegotiate=1" \
6852 "$P_CLI exchanges=2 renegotiation=1" \
6853 0 \
6854 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6855 -s "Async resume (slot [0-9]): sign done, status=0"
6856
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6857requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6858requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6859run_test "SSL async private: renegotiation: client-initiated; decrypt" \
6860 "$P_SRV \
6861 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6862 exchanges=2 renegotiation=1" \
6863 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
6864 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6865 0 \
6866 -s "Async decrypt callback: using key slot " \
6867 -s "Async resume (slot [0-9]): decrypt done, status=0"
6868
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6869requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6870requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6871run_test "SSL async private: renegotiation: server-initiated; decrypt" \
6872 "$P_SRV \
6873 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6874 exchanges=2 renegotiation=1 renegotiate=1" \
6875 "$P_CLI exchanges=2 renegotiation=1 \
6876 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6877 0 \
6878 -s "Async decrypt callback: using key slot " \
6879 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6880
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6881# Tests for ECC extensions (rfc 4492)
6882
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6883requires_config_enabled MBEDTLS_AES_C
6884requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6885requires_config_enabled MBEDTLS_SHA256_C
6886requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6887run_test "Force a non ECC ciphersuite in the client side" \
6888 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6889 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6890 0 \
6891 -C "client hello, adding supported_elliptic_curves extension" \
6892 -C "client hello, adding supported_point_formats extension" \
6893 -S "found supported elliptic curves extension" \
6894 -S "found supported point formats extension"
6895
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6896requires_config_enabled MBEDTLS_AES_C
6897requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6898requires_config_enabled MBEDTLS_SHA256_C
6899requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6900run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6901 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6902 "$P_CLI debug_level=3" \
6903 0 \
6904 -C "found supported_point_formats extension" \
6905 -S "server hello, supported_point_formats extension"
6906
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6907requires_config_enabled MBEDTLS_AES_C
6908requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6909requires_config_enabled MBEDTLS_SHA256_C
6910requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6911run_test "Force an ECC ciphersuite in the client side" \
6912 "$P_SRV debug_level=3" \
6913 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6914 0 \
6915 -c "client hello, adding supported_elliptic_curves extension" \
6916 -c "client hello, adding supported_point_formats extension" \
6917 -s "found supported elliptic curves extension" \
6918 -s "found supported point formats extension"
6919
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6920requires_config_enabled MBEDTLS_AES_C
6921requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6922requires_config_enabled MBEDTLS_SHA256_C
6923requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6924run_test "Force an ECC ciphersuite in the server side" \
6925 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6926 "$P_CLI debug_level=3" \
6927 0 \
6928 -c "found supported_point_formats extension" \
6929 -s "server hello, supported_point_formats extension"
6930
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6931# Tests for DTLS HelloVerifyRequest
6932
6933run_test "DTLS cookie: enabled" \
6934 "$P_SRV dtls=1 debug_level=2" \
6935 "$P_CLI dtls=1 debug_level=2" \
6936 0 \
6937 -s "cookie verification failed" \
6938 -s "cookie verification passed" \
6939 -S "cookie verification skipped" \
6940 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6941 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6942 -S "SSL - The requested feature is not available"
6943
6944run_test "DTLS cookie: disabled" \
6945 "$P_SRV dtls=1 debug_level=2 cookies=0" \
6946 "$P_CLI dtls=1 debug_level=2" \
6947 0 \
6948 -S "cookie verification failed" \
6949 -S "cookie verification passed" \
6950 -s "cookie verification skipped" \
6951 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6952 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6953 -S "SSL - The requested feature is not available"
6954
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6955run_test "DTLS cookie: default (failing)" \
6956 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
6957 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
6958 1 \
6959 -s "cookie verification failed" \
6960 -S "cookie verification passed" \
6961 -S "cookie verification skipped" \
6962 -C "received hello verify request" \
6963 -S "hello verification requested" \
6964 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6965
6966requires_ipv6
6967run_test "DTLS cookie: enabled, IPv6" \
6968 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
6969 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
6970 0 \
6971 -s "cookie verification failed" \
6972 -s "cookie verification passed" \
6973 -S "cookie verification skipped" \
6974 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6975 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6976 -S "SSL - The requested feature is not available"
6977
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6978run_test "DTLS cookie: enabled, nbio" \
6979 "$P_SRV dtls=1 nbio=2 debug_level=2" \
6980 "$P_CLI dtls=1 nbio=2 debug_level=2" \
6981 0 \
6982 -s "cookie verification failed" \
6983 -s "cookie verification passed" \
6984 -S "cookie verification skipped" \
6985 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6986 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6987 -S "SSL - The requested feature is not available"
6988
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6989# Tests for client reconnecting from the same port with DTLS
6990
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6991not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6992run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6993 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
6994 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6995 0 \
6996 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6997 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6998 -S "Client initiated reconnection from same port"
6999
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7000not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7001run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7002 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
7003 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7004 0 \
7005 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7006 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7007 -s "Client initiated reconnection from same port"
7008
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7009not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
7010run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7011 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
7012 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7013 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7014 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7015 -s "Client initiated reconnection from same port"
7016
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7017only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
7018run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
7019 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
7020 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
7021 0 \
7022 -S "The operation timed out" \
7023 -s "Client initiated reconnection from same port"
7024
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7025run_test "DTLS client reconnect from same port: no cookies" \
7026 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]7027 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
7028 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7029 -s "The operation timed out" \
7030 -S "Client initiated reconnection from same port"
7031
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7032# Tests for various cases of client authentication with DTLS
7033# (focused on handshake flows and message parsing)
7034
7035run_test "DTLS client auth: required" \
7036 "$P_SRV dtls=1 auth_mode=required" \
7037 "$P_CLI dtls=1" \
7038 0 \
7039 -s "Verifying peer X.509 certificate... ok"
7040
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7041requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7042requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7043run_test "DTLS client auth: optional, client has no cert" \
7044 "$P_SRV dtls=1 auth_mode=optional" \
7045 "$P_CLI dtls=1 crt_file=none key_file=none" \
7046 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7047 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7048
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7049requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7050requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7051run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7052 "$P_SRV dtls=1 auth_mode=none" \
7053 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
7054 0 \
7055 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7056 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7057
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]7058run_test "DTLS wrong PSK: badmac alert" \
7059 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
7060 "$P_CLI dtls=1 psk=abc124" \
7061 1 \
7062 -s "SSL - Verification of the message MAC failed" \
7063 -c "SSL - A fatal alert message was received from our peer"
7064
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7065# Tests for receiving fragmented handshake messages with DTLS
7066
7067requires_gnutls
7068run_test "DTLS reassembly: no fragmentation (gnutls server)" \
7069 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7070 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7071 0 \
7072 -C "found fragmented DTLS handshake message" \
7073 -C "error"
7074
7075requires_gnutls
7076run_test "DTLS reassembly: some fragmentation (gnutls server)" \
7077 "$G_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7078 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7079 0 \
7080 -c "found fragmented DTLS handshake message" \
7081 -C "error"
7082
7083requires_gnutls
7084run_test "DTLS reassembly: more fragmentation (gnutls server)" \
7085 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7086 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7087 0 \
7088 -c "found fragmented DTLS handshake message" \
7089 -C "error"
7090
7091requires_gnutls
7092run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
7093 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7094 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7095 0 \
7096 -c "found fragmented DTLS handshake message" \
7097 -C "error"
7098
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7099requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7100requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7101run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
7102 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7103 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7104 0 \
7105 -c "found fragmented DTLS handshake message" \
7106 -c "client hello, adding renegotiation extension" \
7107 -c "found renegotiation extension" \
7108 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7109 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7110 -C "error" \
7111 -s "Extra-header:"
7112
7113requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7114requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7115run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
7116 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7117 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7118 0 \
7119 -c "found fragmented DTLS handshake message" \
7120 -c "client hello, adding renegotiation extension" \
7121 -c "found renegotiation extension" \
7122 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7123 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7124 -C "error" \
7125 -s "Extra-header:"
7126
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7127run_test "DTLS reassembly: no fragmentation (openssl server)" \
7128 "$O_SRV -dtls1 -mtu 2048" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7129 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7130 0 \
7131 -C "found fragmented DTLS handshake message" \
7132 -C "error"
7133
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7134run_test "DTLS reassembly: some fragmentation (openssl server)" \
7135 "$O_SRV -dtls1 -mtu 768" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7136 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7137 0 \
7138 -c "found fragmented DTLS handshake message" \
7139 -C "error"
7140
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7141run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7142 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7143 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7144 0 \
7145 -c "found fragmented DTLS handshake message" \
7146 -C "error"
7147
7148run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
7149 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7150 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7151 0 \
7152 -c "found fragmented DTLS handshake message" \
7153 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7154
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7155# Tests for sending fragmented handshake messages with DTLS
7156#
7157# Use client auth when we need the client to send large messages,
7158# and use large cert chains on both sides too (the long chains we have all use
7159# both RSA and ECDSA, but ideally we should have long chains with either).
7160# Sizes reached (UDP payload):
7161# - 2037B for server certificate
7162# - 1542B for client certificate
7163# - 1013B for newsessionticket
7164# - all others below 512B
7165# All those tests assume MAX_CONTENT_LEN is at least 2048
7166
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7167requires_config_enabled MBEDTLS_RSA_C
7168requires_config_enabled MBEDTLS_ECDSA_C
7169requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7170run_test "DTLS fragmenting: none (for reference)" \
7171 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7172 crt_file=data_files/server7_int-ca.crt \
7173 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7174 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7175 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7176 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7177 "$P_CLI dtls=1 debug_level=2 \
7178 crt_file=data_files/server8_int-ca2.crt \
7179 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7180 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7181 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7182 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7183 0 \
7184 -S "found fragmented DTLS handshake message" \
7185 -C "found fragmented DTLS handshake message" \
7186 -C "error"
7187
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7188requires_config_enabled MBEDTLS_RSA_C
7189requires_config_enabled MBEDTLS_ECDSA_C
7190requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7191run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7192 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7193 crt_file=data_files/server7_int-ca.crt \
7194 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7195 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7196 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7197 max_frag_len=1024" \
7198 "$P_CLI dtls=1 debug_level=2 \
7199 crt_file=data_files/server8_int-ca2.crt \
7200 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7201 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7202 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7203 max_frag_len=2048" \
7204 0 \
7205 -S "found fragmented DTLS handshake message" \
7206 -c "found fragmented DTLS handshake message" \
7207 -C "error"
7208
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7209# With the MFL extension, the server has no way of forcing
7210# the client to not exceed a certain MTU; hence, the following
7211# test can't be replicated with an MTU proxy such as the one
7212# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7213requires_config_enabled MBEDTLS_RSA_C
7214requires_config_enabled MBEDTLS_ECDSA_C
7215requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7216run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7217 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7218 crt_file=data_files/server7_int-ca.crt \
7219 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7220 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7221 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7222 max_frag_len=512" \
7223 "$P_CLI dtls=1 debug_level=2 \
7224 crt_file=data_files/server8_int-ca2.crt \
7225 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7226 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7227 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7228 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7229 0 \
7230 -S "found fragmented DTLS handshake message" \
7231 -c "found fragmented DTLS handshake message" \
7232 -C "error"
7233
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7234requires_config_enabled MBEDTLS_RSA_C
7235requires_config_enabled MBEDTLS_ECDSA_C
7236requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7237run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7238 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7239 crt_file=data_files/server7_int-ca.crt \
7240 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7241 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7242 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7243 max_frag_len=2048" \
7244 "$P_CLI dtls=1 debug_level=2 \
7245 crt_file=data_files/server8_int-ca2.crt \
7246 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7247 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7248 hs_timeout=2500-60000 \
7249 max_frag_len=1024" \
7250 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7251 -S "found fragmented DTLS handshake message" \
7252 -c "found fragmented DTLS handshake message" \
7253 -C "error"
7254
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7255# While not required by the standard defining the MFL extension
7256# (according to which it only applies to records, not to datagrams),
7257# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7258# as otherwise there wouldn't be any means to communicate MTU restrictions
7259# to the peer.
7260# The next test checks that no datagrams significantly larger than the
7261# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7262requires_config_enabled MBEDTLS_RSA_C
7263requires_config_enabled MBEDTLS_ECDSA_C
7264requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7265run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7266 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7267 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7268 crt_file=data_files/server7_int-ca.crt \
7269 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7270 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7271 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7272 max_frag_len=2048" \
7273 "$P_CLI dtls=1 debug_level=2 \
7274 crt_file=data_files/server8_int-ca2.crt \
7275 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7276 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7277 hs_timeout=2500-60000 \
7278 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7279 0 \
7280 -S "found fragmented DTLS handshake message" \
7281 -c "found fragmented DTLS handshake message" \
7282 -C "error"
7283
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7284requires_config_enabled MBEDTLS_RSA_C
7285requires_config_enabled MBEDTLS_ECDSA_C
7286requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7287run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7288 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7289 crt_file=data_files/server7_int-ca.crt \
7290 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7291 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7292 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7293 max_frag_len=2048" \
7294 "$P_CLI dtls=1 debug_level=2 \
7295 crt_file=data_files/server8_int-ca2.crt \
7296 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7297 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7298 hs_timeout=2500-60000 \
7299 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7300 0 \
7301 -s "found fragmented DTLS handshake message" \
7302 -c "found fragmented DTLS handshake message" \
7303 -C "error"
7304
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7305# While not required by the standard defining the MFL extension
7306# (according to which it only applies to records, not to datagrams),
7307# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7308# as otherwise there wouldn't be any means to communicate MTU restrictions
7309# to the peer.
7310# The next test checks that no datagrams significantly larger than the
7311# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7312requires_config_enabled MBEDTLS_RSA_C
7313requires_config_enabled MBEDTLS_ECDSA_C
7314requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7315run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7316 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7317 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7318 crt_file=data_files/server7_int-ca.crt \
7319 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7320 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7321 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7322 max_frag_len=2048" \
7323 "$P_CLI dtls=1 debug_level=2 \
7324 crt_file=data_files/server8_int-ca2.crt \
7325 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7326 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7327 hs_timeout=2500-60000 \
7328 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7329 0 \
7330 -s "found fragmented DTLS handshake message" \
7331 -c "found fragmented DTLS handshake message" \
7332 -C "error"
7333
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7334requires_config_enabled MBEDTLS_RSA_C
7335requires_config_enabled MBEDTLS_ECDSA_C
7336run_test "DTLS fragmenting: none (for reference) (MTU)" \
7337 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7338 crt_file=data_files/server7_int-ca.crt \
7339 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7340 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7341 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7342 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7343 "$P_CLI dtls=1 debug_level=2 \
7344 crt_file=data_files/server8_int-ca2.crt \
7345 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7346 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7347 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7348 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7349 0 \
7350 -S "found fragmented DTLS handshake message" \
7351 -C "found fragmented DTLS handshake message" \
7352 -C "error"
7353
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7354requires_config_enabled MBEDTLS_RSA_C
7355requires_config_enabled MBEDTLS_ECDSA_C
7356run_test "DTLS fragmenting: client (MTU)" \
7357 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7358 crt_file=data_files/server7_int-ca.crt \
7359 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7360 ca_file=data_files/test-ca.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7361 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7362 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7363 "$P_CLI dtls=1 debug_level=2 \
7364 crt_file=data_files/server8_int-ca2.crt \
7365 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7366 ca_file=data_files/test-ca2.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7367 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7368 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7369 0 \
7370 -s "found fragmented DTLS handshake message" \
7371 -C "found fragmented DTLS handshake message" \
7372 -C "error"
7373
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7374requires_config_enabled MBEDTLS_RSA_C
7375requires_config_enabled MBEDTLS_ECDSA_C
7376run_test "DTLS fragmenting: server (MTU)" \
7377 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7378 crt_file=data_files/server7_int-ca.crt \
7379 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7380 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7381 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7382 mtu=512" \
7383 "$P_CLI dtls=1 debug_level=2 \
7384 crt_file=data_files/server8_int-ca2.crt \
7385 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7386 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7387 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7388 mtu=2048" \
7389 0 \
7390 -S "found fragmented DTLS handshake message" \
7391 -c "found fragmented DTLS handshake message" \
7392 -C "error"
7393
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7394requires_config_enabled MBEDTLS_RSA_C
7395requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7396run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7397 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7398 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7399 crt_file=data_files/server7_int-ca.crt \
7400 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7401 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7402 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]7403 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7404 "$P_CLI dtls=1 debug_level=2 \
7405 crt_file=data_files/server8_int-ca2.crt \
7406 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7407 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7408 hs_timeout=2500-60000 \
7409 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7410 0 \
7411 -s "found fragmented DTLS handshake message" \
7412 -c "found fragmented DTLS handshake message" \
7413 -C "error"
7414
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7415# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7416requires_config_enabled MBEDTLS_RSA_C
7417requires_config_enabled MBEDTLS_ECDSA_C
7418requires_config_enabled MBEDTLS_SHA256_C
7419requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7420requires_config_enabled MBEDTLS_AES_C
7421requires_config_enabled MBEDTLS_GCM_C
7422run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]7423 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7424 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7425 crt_file=data_files/server7_int-ca.crt \
7426 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7427 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7428 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7429 mtu=512" \
7430 "$P_CLI dtls=1 debug_level=2 \
7431 crt_file=data_files/server8_int-ca2.crt \
7432 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7433 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7434 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7435 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7436 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]7437 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]7438 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7439 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7440 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]7441
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7442# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7443# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7444# The ratio of max/min timeout should ideally equal 4 to accept two
7445# retransmissions, but in some cases (like both the server and client using
7446# fragmentation and auto-reduction) an extra retransmission might occur,
7447# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]7448not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7449requires_config_enabled MBEDTLS_RSA_C
7450requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7451requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7452requires_config_enabled MBEDTLS_AES_C
7453requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7454run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7455 -p "$P_PXY mtu=508" \
7456 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7457 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7458 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7459 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7460 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7461 "$P_CLI dtls=1 debug_level=2 \
7462 crt_file=data_files/server8_int-ca2.crt \
7463 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7464 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7465 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7466 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7467 0 \
7468 -s "found fragmented DTLS handshake message" \
7469 -c "found fragmented DTLS handshake message" \
7470 -C "error"
7471
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7472# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7473only_with_valgrind
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7474requires_config_enabled MBEDTLS_RSA_C
7475requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7476requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7477requires_config_enabled MBEDTLS_AES_C
7478requires_config_enabled MBEDTLS_GCM_C
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7479run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7480 -p "$P_PXY mtu=508" \
7481 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7482 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7483 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7484 ca_file=data_files/test-ca.crt \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7485 hs_timeout=250-10000" \
7486 "$P_CLI dtls=1 debug_level=2 \
7487 crt_file=data_files/server8_int-ca2.crt \
7488 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7489 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7490 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7491 hs_timeout=250-10000" \
7492 0 \
7493 -s "found fragmented DTLS handshake message" \
7494 -c "found fragmented DTLS handshake message" \
7495 -C "error"
7496
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7497# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]7498# OTOH the client might resend if the server is to slow to reset after sending
7499# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7500not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7501requires_config_enabled MBEDTLS_RSA_C
7502requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7503run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7504 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7505 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7506 crt_file=data_files/server7_int-ca.crt \
7507 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7508 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7509 hs_timeout=10000-60000 \
7510 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7511 "$P_CLI dtls=1 debug_level=2 \
7512 crt_file=data_files/server8_int-ca2.crt \
7513 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7514 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7515 hs_timeout=10000-60000 \
7516 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7517 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7518 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7519 -s "found fragmented DTLS handshake message" \
7520 -c "found fragmented DTLS handshake message" \
7521 -C "error"
7522
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7523# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7524# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
7525# OTOH the client might resend if the server is to slow to reset after sending
7526# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7527not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7528requires_config_enabled MBEDTLS_RSA_C
7529requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7530requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7531requires_config_enabled MBEDTLS_AES_C
7532requires_config_enabled MBEDTLS_GCM_C
7533run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7534 -p "$P_PXY mtu=512" \
7535 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7536 crt_file=data_files/server7_int-ca.crt \
7537 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7538 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7539 hs_timeout=10000-60000 \
7540 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7541 "$P_CLI dtls=1 debug_level=2 \
7542 crt_file=data_files/server8_int-ca2.crt \
7543 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7544 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7545 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7546 hs_timeout=10000-60000 \
7547 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7548 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7549 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7550 -s "found fragmented DTLS handshake message" \
7551 -c "found fragmented DTLS handshake message" \
7552 -C "error"
7553
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7554not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7555requires_config_enabled MBEDTLS_RSA_C
7556requires_config_enabled MBEDTLS_ECDSA_C
7557run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7558 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7559 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7560 crt_file=data_files/server7_int-ca.crt \
7561 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7562 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7563 hs_timeout=10000-60000 \
7564 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7565 "$P_CLI dtls=1 debug_level=2 \
7566 crt_file=data_files/server8_int-ca2.crt \
7567 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7568 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7569 hs_timeout=10000-60000 \
7570 mtu=1024 nbio=2" \
7571 0 \
7572 -S "autoreduction" \
7573 -s "found fragmented DTLS handshake message" \
7574 -c "found fragmented DTLS handshake message" \
7575 -C "error"
7576
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7577# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7578not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7579requires_config_enabled MBEDTLS_RSA_C
7580requires_config_enabled MBEDTLS_ECDSA_C
7581requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7582requires_config_enabled MBEDTLS_AES_C
7583requires_config_enabled MBEDTLS_GCM_C
7584run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
7585 -p "$P_PXY mtu=512" \
7586 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7587 crt_file=data_files/server7_int-ca.crt \
7588 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7589 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7590 hs_timeout=10000-60000 \
7591 mtu=512 nbio=2" \
7592 "$P_CLI dtls=1 debug_level=2 \
7593 crt_file=data_files/server8_int-ca2.crt \
7594 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7595 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7596 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7597 hs_timeout=10000-60000 \
7598 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7599 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7600 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7601 -s "found fragmented DTLS handshake message" \
7602 -c "found fragmented DTLS handshake message" \
7603 -C "error"
7604
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7605# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]7606# This ensures things still work after session_reset().
7607# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7608# Since we don't support reading fragmented ClientHello yet,
7609# up the MTU to 1450 (larger than ClientHello with session ticket,
7610# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7611# An autoreduction on the client-side might happen if the server is
7612# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7613# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7614# resumed listening, which would result in a spurious autoreduction.
7615not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7616requires_config_enabled MBEDTLS_RSA_C
7617requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7618requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7619requires_config_enabled MBEDTLS_AES_C
7620requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7621run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
7622 -p "$P_PXY mtu=1450" \
7623 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7624 crt_file=data_files/server7_int-ca.crt \
7625 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7626 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7627 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7628 mtu=1450" \
7629 "$P_CLI dtls=1 debug_level=2 \
7630 crt_file=data_files/server8_int-ca2.crt \
7631 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7632 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7633 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7634 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7635 mtu=1450 reconnect=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7636 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7637 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7638 -s "found fragmented DTLS handshake message" \
7639 -c "found fragmented DTLS handshake message" \
7640 -C "error"
7641
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7642# An autoreduction on the client-side might happen if the server is
7643# slow to reset, therefore omitting '-C "autoreduction"' below.
7644not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7645requires_config_enabled MBEDTLS_RSA_C
7646requires_config_enabled MBEDTLS_ECDSA_C
7647requires_config_enabled MBEDTLS_SHA256_C
7648requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7649requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7650requires_config_enabled MBEDTLS_CHACHAPOLY_C
7651run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
7652 -p "$P_PXY mtu=512" \
7653 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7654 crt_file=data_files/server7_int-ca.crt \
7655 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7656 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7657 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7658 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7659 mtu=512" \
7660 "$P_CLI dtls=1 debug_level=2 \
7661 crt_file=data_files/server8_int-ca2.crt \
7662 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7663 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7664 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7665 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7666 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7667 mtu=512" \
7668 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7669 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7670 -s "found fragmented DTLS handshake message" \
7671 -c "found fragmented DTLS handshake message" \
7672 -C "error"
7673
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7674# An autoreduction on the client-side might happen if the server is
7675# slow to reset, therefore omitting '-C "autoreduction"' below.
7676not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7677requires_config_enabled MBEDTLS_RSA_C
7678requires_config_enabled MBEDTLS_ECDSA_C
7679requires_config_enabled MBEDTLS_SHA256_C
7680requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7681requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7682requires_config_enabled MBEDTLS_AES_C
7683requires_config_enabled MBEDTLS_GCM_C
7684run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
7685 -p "$P_PXY mtu=512" \
7686 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7687 crt_file=data_files/server7_int-ca.crt \
7688 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7689 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7690 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7691 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7692 mtu=512" \
7693 "$P_CLI dtls=1 debug_level=2 \
7694 crt_file=data_files/server8_int-ca2.crt \
7695 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7696 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7697 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7698 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7699 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7700 mtu=512" \
7701 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7702 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7703 -s "found fragmented DTLS handshake message" \
7704 -c "found fragmented DTLS handshake message" \
7705 -C "error"
7706
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7707# An autoreduction on the client-side might happen if the server is
7708# slow to reset, therefore omitting '-C "autoreduction"' below.
7709not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7710requires_config_enabled MBEDTLS_RSA_C
7711requires_config_enabled MBEDTLS_ECDSA_C
7712requires_config_enabled MBEDTLS_SHA256_C
7713requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7714requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7715requires_config_enabled MBEDTLS_AES_C
7716requires_config_enabled MBEDTLS_CCM_C
7717run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7718 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7719 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7720 crt_file=data_files/server7_int-ca.crt \
7721 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7722 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7723 exchanges=2 renegotiation=1 \
7724 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7725 hs_timeout=10000-60000 \
7726 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7727 "$P_CLI dtls=1 debug_level=2 \
7728 crt_file=data_files/server8_int-ca2.crt \
7729 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7730 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7731 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7732 hs_timeout=10000-60000 \
7733 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7734 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7735 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7736 -s "found fragmented DTLS handshake message" \
7737 -c "found fragmented DTLS handshake message" \
7738 -C "error"
7739
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7740# An autoreduction on the client-side might happen if the server is
7741# slow to reset, therefore omitting '-C "autoreduction"' below.
7742not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7743requires_config_enabled MBEDTLS_RSA_C
7744requires_config_enabled MBEDTLS_ECDSA_C
7745requires_config_enabled MBEDTLS_SHA256_C
7746requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7747requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7748requires_config_enabled MBEDTLS_AES_C
7749requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7750requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
7751run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7752 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7753 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7754 crt_file=data_files/server7_int-ca.crt \
7755 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7756 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7757 exchanges=2 renegotiation=1 \
7758 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7759 hs_timeout=10000-60000 \
7760 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7761 "$P_CLI dtls=1 debug_level=2 \
7762 crt_file=data_files/server8_int-ca2.crt \
7763 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7764 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7765 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7766 hs_timeout=10000-60000 \
7767 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7768 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7769 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7770 -s "found fragmented DTLS handshake message" \
7771 -c "found fragmented DTLS handshake message" \
7772 -C "error"
7773
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7774# An autoreduction on the client-side might happen if the server is
7775# slow to reset, therefore omitting '-C "autoreduction"' below.
7776not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7777requires_config_enabled MBEDTLS_RSA_C
7778requires_config_enabled MBEDTLS_ECDSA_C
7779requires_config_enabled MBEDTLS_SHA256_C
7780requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7781requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7782requires_config_enabled MBEDTLS_AES_C
7783requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7784run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7785 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7786 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7787 crt_file=data_files/server7_int-ca.crt \
7788 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7789 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7790 exchanges=2 renegotiation=1 \
7791 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7792 hs_timeout=10000-60000 \
7793 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7794 "$P_CLI dtls=1 debug_level=2 \
7795 crt_file=data_files/server8_int-ca2.crt \
7796 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7797 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7798 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7799 hs_timeout=10000-60000 \
7800 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7801 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7802 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7803 -s "found fragmented DTLS handshake message" \
7804 -c "found fragmented DTLS handshake message" \
7805 -C "error"
7806
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7807# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7808requires_config_enabled MBEDTLS_RSA_C
7809requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7810requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7811requires_config_enabled MBEDTLS_AES_C
7812requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7813client_needs_more_time 2
7814run_test "DTLS fragmenting: proxy MTU + 3d" \
7815 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7816 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7817 crt_file=data_files/server7_int-ca.crt \
7818 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7819 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7820 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7821 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7822 crt_file=data_files/server8_int-ca2.crt \
7823 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7824 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7825 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7826 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7827 0 \
7828 -s "found fragmented DTLS handshake message" \
7829 -c "found fragmented DTLS handshake message" \
7830 -C "error"
7831
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7832# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7833requires_config_enabled MBEDTLS_RSA_C
7834requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7835requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7836requires_config_enabled MBEDTLS_AES_C
7837requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7838client_needs_more_time 2
7839run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
7840 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
7841 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7842 crt_file=data_files/server7_int-ca.crt \
7843 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7844 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7845 hs_timeout=250-10000 mtu=512 nbio=2" \
7846 "$P_CLI dtls=1 debug_level=2 \
7847 crt_file=data_files/server8_int-ca2.crt \
7848 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7849 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7850 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7851 hs_timeout=250-10000 mtu=512 nbio=2" \
7852 0 \
7853 -s "found fragmented DTLS handshake message" \
7854 -c "found fragmented DTLS handshake message" \
7855 -C "error"
7856
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7857# interop tests for DTLS fragmentating with reliable connection
7858#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7859# here and below we just want to test that the we fragment in a way that
7860# pleases other implementations, so we don't need the peer to fragment
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7861requires_config_enabled MBEDTLS_RSA_C
7862requires_config_enabled MBEDTLS_ECDSA_C
7863requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7864requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7865run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
7866 "$G_SRV -u" \
7867 "$P_CLI dtls=1 debug_level=2 \
7868 crt_file=data_files/server8_int-ca2.crt \
7869 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7870 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7871 mtu=512 force_version=dtls1_2" \
7872 0 \
7873 -c "fragmenting handshake message" \
7874 -C "error"
7875
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7876requires_config_enabled MBEDTLS_RSA_C
7877requires_config_enabled MBEDTLS_ECDSA_C
7878requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7879requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7880run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
7881 "$G_SRV -u" \
7882 "$P_CLI dtls=1 debug_level=2 \
7883 crt_file=data_files/server8_int-ca2.crt \
7884 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7885 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7886 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7887 0 \
7888 -c "fragmenting handshake message" \
7889 -C "error"
7890
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7891# We use --insecure for the GnuTLS client because it expects
7892# the hostname / IP it connects to to be the name used in the
7893# certificate obtained from the server. Here, however, it
7894# connects to 127.0.0.1 while our test certificates use 'localhost'
7895# as the server name in the certificate. This will make the
7896# certifiate validation fail, but passing --insecure makes
7897# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7898requires_config_enabled MBEDTLS_RSA_C
7899requires_config_enabled MBEDTLS_ECDSA_C
7900requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7901requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7902requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7903run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7904 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7905 crt_file=data_files/server7_int-ca.crt \
7906 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7907 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7908 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7909 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7910 0 \
7911 -s "fragmenting handshake message"
7912
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7913# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7914requires_config_enabled MBEDTLS_RSA_C
7915requires_config_enabled MBEDTLS_ECDSA_C
7916requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7917requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7918requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7919run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7920 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7921 crt_file=data_files/server7_int-ca.crt \
7922 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7923 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7924 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7925 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7926 0 \
7927 -s "fragmenting handshake message"
7928
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7929requires_config_enabled MBEDTLS_RSA_C
7930requires_config_enabled MBEDTLS_ECDSA_C
7931requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7932run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
7933 "$O_SRV -dtls1_2 -verify 10" \
7934 "$P_CLI dtls=1 debug_level=2 \
7935 crt_file=data_files/server8_int-ca2.crt \
7936 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7937 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7938 mtu=512 force_version=dtls1_2" \
7939 0 \
7940 -c "fragmenting handshake message" \
7941 -C "error"
7942
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7943requires_config_enabled MBEDTLS_RSA_C
7944requires_config_enabled MBEDTLS_ECDSA_C
7945requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7946run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
7947 "$O_SRV -dtls1 -verify 10" \
7948 "$P_CLI dtls=1 debug_level=2 \
7949 crt_file=data_files/server8_int-ca2.crt \
7950 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7951 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7952 mtu=512 force_version=dtls1" \
7953 0 \
7954 -c "fragmenting handshake message" \
7955 -C "error"
7956
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7957requires_config_enabled MBEDTLS_RSA_C
7958requires_config_enabled MBEDTLS_ECDSA_C
7959requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7960run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
7961 "$P_SRV dtls=1 debug_level=2 \
7962 crt_file=data_files/server7_int-ca.crt \
7963 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7964 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7965 mtu=512 force_version=dtls1_2" \
7966 "$O_CLI -dtls1_2" \
7967 0 \
7968 -s "fragmenting handshake message"
7969
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7970requires_config_enabled MBEDTLS_RSA_C
7971requires_config_enabled MBEDTLS_ECDSA_C
7972requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7973run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
7974 "$P_SRV dtls=1 debug_level=2 \
7975 crt_file=data_files/server7_int-ca.crt \
7976 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7977 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7978 mtu=512 force_version=dtls1" \
7979 "$O_CLI -dtls1" \
7980 0 \
7981 -s "fragmenting handshake message"
7982
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7983# interop tests for DTLS fragmentating with unreliable connection
7984#
7985# again we just want to test that the we fragment in a way that
7986# pleases other implementations, so we don't need the peer to fragment
7987requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7988requires_config_enabled MBEDTLS_RSA_C
7989requires_config_enabled MBEDTLS_ECDSA_C
7990requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7991client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7992run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
7993 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7994 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7995 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7996 crt_file=data_files/server8_int-ca2.crt \
7997 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7998 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7999 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8000 0 \
8001 -c "fragmenting handshake message" \
8002 -C "error"
8003
8004requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8005requires_config_enabled MBEDTLS_RSA_C
8006requires_config_enabled MBEDTLS_ECDSA_C
8007requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8008client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8009run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
8010 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8011 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8012 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8013 crt_file=data_files/server8_int-ca2.crt \
8014 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8015 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8016 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8017 0 \
8018 -c "fragmenting handshake message" \
8019 -C "error"
8020
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8021requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8022requires_config_enabled MBEDTLS_RSA_C
8023requires_config_enabled MBEDTLS_ECDSA_C
8024requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8025client_needs_more_time 4
8026run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
8027 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8028 "$P_SRV dtls=1 debug_level=2 \
8029 crt_file=data_files/server7_int-ca.crt \
8030 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8031 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8032 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8033 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8034 0 \
8035 -s "fragmenting handshake message"
8036
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8037requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8038requires_config_enabled MBEDTLS_RSA_C
8039requires_config_enabled MBEDTLS_ECDSA_C
8040requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8041client_needs_more_time 4
8042run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
8043 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8044 "$P_SRV dtls=1 debug_level=2 \
8045 crt_file=data_files/server7_int-ca.crt \
8046 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8047 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8048 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8049 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8050 0 \
8051 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8052
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8053## Interop test with OpenSSL might trigger a bug in recent versions (including
8054## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8055## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8056## They should be re-enabled once a fixed version of OpenSSL is available
8057## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8058skip_next_test
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8059requires_config_enabled MBEDTLS_RSA_C
8060requires_config_enabled MBEDTLS_ECDSA_C
8061requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8062client_needs_more_time 4
8063run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
8064 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8065 "$O_SRV -dtls1_2 -verify 10" \
8066 "$P_CLI dtls=1 debug_level=2 \
8067 crt_file=data_files/server8_int-ca2.crt \
8068 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8069 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8070 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8071 0 \
8072 -c "fragmenting handshake message" \
8073 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8074
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8075skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8076requires_config_enabled MBEDTLS_RSA_C
8077requires_config_enabled MBEDTLS_ECDSA_C
8078requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8079client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8080run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
8081 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8082 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8083 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8084 crt_file=data_files/server8_int-ca2.crt \
8085 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8086 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8087 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8088 0 \
8089 -c "fragmenting handshake message" \
8090 -C "error"
8091
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8092skip_next_test
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8093requires_config_enabled MBEDTLS_RSA_C
8094requires_config_enabled MBEDTLS_ECDSA_C
8095requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8096client_needs_more_time 4
8097run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
8098 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8099 "$P_SRV dtls=1 debug_level=2 \
8100 crt_file=data_files/server7_int-ca.crt \
8101 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8102 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8103 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8104 "$O_CLI -dtls1_2" \
8105 0 \
8106 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8107
8108# -nbio is added to prevent s_client from blocking in case of duplicated
8109# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8110skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8111requires_config_enabled MBEDTLS_RSA_C
8112requires_config_enabled MBEDTLS_ECDSA_C
8113requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8114client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8115run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
8116 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8117 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8118 crt_file=data_files/server7_int-ca.crt \
8119 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8120 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8121 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8122 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8123 0 \
8124 -s "fragmenting handshake message"
8125
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8126# Tests for specific things with "unreliable" UDP connection
8127
8128not_with_valgrind # spurious resend due to timeout
8129run_test "DTLS proxy: reference" \
8130 -p "$P_PXY" \
8131 "$P_SRV dtls=1 debug_level=2" \
8132 "$P_CLI dtls=1 debug_level=2" \
8133 0 \
8134 -C "replayed record" \
8135 -S "replayed record" \
Hanno Beckere03eb7b2019-07-19 15:43:09 +0100[diff] [blame]8136 -C "Buffer record from epoch" \
8137 -S "Buffer record from epoch" \
8138 -C "ssl_buffer_message" \
8139 -S "ssl_buffer_message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8140 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8141 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8142 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8143 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8144 -c "HTTP/1.0 200 OK"
8145
8146not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8147run_test "DTLS proxy: duplicate every packet" \
8148 -p "$P_PXY duplicate=1" \
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]8149 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8150 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8151 0 \
8152 -c "replayed record" \
8153 -s "replayed record" \
8154 -c "record from another epoch" \
8155 -s "record from another epoch" \
8156 -S "resend" \
8157 -s "Extra-header:" \
8158 -c "HTTP/1.0 200 OK"
8159
8160run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
8161 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8162 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
8163 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8164 0 \
8165 -c "replayed record" \
8166 -S "replayed record" \
8167 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8168 -s "record from another epoch" \
8169 -c "resend" \
8170 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8171 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8172 -c "HTTP/1.0 200 OK"
8173
8174run_test "DTLS proxy: multiple records in same datagram" \
8175 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8176 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8177 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8178 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8179 -c "next record in same datagram" \
8180 -s "next record in same datagram"
8181
8182run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
8183 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8184 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8185 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8186 0 \
8187 -c "next record in same datagram" \
8188 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8189
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8190run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
8191 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8192 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
8193 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8194 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8195 -c "discarding invalid record (mac)" \
8196 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8197 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8198 -c "HTTP/1.0 200 OK" \
8199 -S "too many records with bad MAC" \
8200 -S "Verification of the message MAC failed"
8201
8202run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
8203 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8204 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
8205 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8206 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8207 -C "discarding invalid record (mac)" \
8208 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8209 -S "Extra-header:" \
8210 -C "HTTP/1.0 200 OK" \
8211 -s "too many records with bad MAC" \
8212 -s "Verification of the message MAC failed"
8213
8214run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
8215 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8216 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
8217 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8218 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8219 -c "discarding invalid record (mac)" \
8220 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8221 -s "Extra-header:" \
8222 -c "HTTP/1.0 200 OK" \
8223 -S "too many records with bad MAC" \
8224 -S "Verification of the message MAC failed"
8225
8226run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
8227 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8228 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
8229 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8230 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8231 -c "discarding invalid record (mac)" \
8232 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8233 -s "Extra-header:" \
8234 -c "HTTP/1.0 200 OK" \
8235 -s "too many records with bad MAC" \
8236 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8237
8238run_test "DTLS proxy: delay ChangeCipherSpec" \
8239 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]8240 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
8241 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8242 0 \
8243 -c "record from another epoch" \
8244 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8245 -s "Extra-header:" \
8246 -c "HTTP/1.0 200 OK"
8247
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8248# Tests for reordering support with DTLS
8249
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8250run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
8251 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8252 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8253 hs_timeout=2500-60000" \
8254 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8255 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8256 0 \
8257 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8258 -c "Next handshake message has been buffered - load"\
8259 -S "Buffering HS message" \
8260 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8261 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8262 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8263 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8264 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8265
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8266run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
8267 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8268 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8269 hs_timeout=2500-60000" \
8270 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8271 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8272 0 \
8273 -c "Buffering HS message" \
8274 -c "found fragmented DTLS handshake message"\
8275 -c "Next handshake message 1 not or only partially bufffered" \
8276 -c "Next handshake message has been buffered - load"\
8277 -S "Buffering HS message" \
8278 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8279 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8280 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8281 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8282 -S "Remember CCS message"
8283
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8284# The client buffers the ServerKeyExchange before receiving the fragmented
8285# Certificate message; at the time of writing, together these are aroudn 1200b
8286# in size, so that the bound below ensures that the certificate can be reassembled
8287# while keeping the ServerKeyExchange.
8288requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
8289run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8290 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8291 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8292 hs_timeout=2500-60000" \
8293 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8294 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8295 0 \
8296 -c "Buffering HS message" \
8297 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8298 -C "attempt to make space by freeing buffered messages" \
8299 -S "Buffering HS message" \
8300 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8301 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8302 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8303 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8304 -S "Remember CCS message"
8305
8306# The size constraints ensure that the delayed certificate message can't
8307# be reassembled while keeping the ServerKeyExchange message, but it can
8308# when dropping it first.
8309requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
8310requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
8311run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
8312 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8313 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8314 hs_timeout=2500-60000" \
8315 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8316 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8317 0 \
8318 -c "Buffering HS message" \
8319 -c "attempt to make space by freeing buffered future messages" \
8320 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8321 -S "Buffering HS message" \
8322 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8323 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8324 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8325 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8326 -S "Remember CCS message"
8327
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8328run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
8329 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8330 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
8331 hs_timeout=2500-60000" \
8332 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8333 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8334 0 \
8335 -C "Buffering HS message" \
8336 -C "Next handshake message has been buffered - load"\
8337 -s "Buffering HS message" \
8338 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8339 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8340 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8341 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8342 -S "Remember CCS message"
8343
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]8344# This needs session tickets; otherwise CCS is the first message in its flight
8345requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8346run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
8347 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8348 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8349 hs_timeout=2500-60000" \
8350 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8351 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8352 0 \
8353 -C "Buffering HS message" \
8354 -C "Next handshake message has been buffered - load"\
8355 -S "Buffering HS message" \
8356 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8357 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8358 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8359 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8360 -S "Remember CCS message"
8361
8362run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
8363 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8364 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8365 hs_timeout=2500-60000" \
8366 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8367 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8368 0 \
8369 -C "Buffering HS message" \
8370 -C "Next handshake message has been buffered - load"\
8371 -S "Buffering HS message" \
8372 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8373 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8374 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8375 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8376 -s "Remember CCS message"
8377
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8378run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8379 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8380 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8381 hs_timeout=2500-60000" \
8382 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8383 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]8384 0 \
8385 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8386 -s "Found buffered record from current epoch - load" \
8387 -c "Buffer record from epoch 1" \
8388 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8389
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8390# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
8391# from the server are delayed, so that the encrypted Finished message
8392# is received and buffered. When the fragmented NewSessionTicket comes
8393# in afterwards, the encrypted Finished message must be freed in order
8394# to make space for the NewSessionTicket to be reassembled.
8395# This works only in very particular circumstances:
8396# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
8397# of the NewSessionTicket, but small enough to also allow buffering of
8398# the encrypted Finished message.
8399# - The MTU setting on the server must be so small that the NewSessionTicket
8400# needs to be fragmented.
8401# - All messages sent by the server must be small enough to be either sent
8402# without fragmentation or be reassembled within the bounds of
8403# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
8404# handshake, omitting CRTs.
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8405requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
8406requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8407run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
8408 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8409 "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8410 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
8411 0 \
8412 -s "Buffer record from epoch 1" \
8413 -s "Found buffered record from current epoch - load" \
8414 -c "Buffer record from epoch 1" \
8415 -C "Found buffered record from current epoch - load" \
8416 -c "Enough space available after freeing future epoch record"
8417
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]8418# Tests for "randomly unreliable connection": try a variety of flows and peers
8419
8420client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8421run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
8422 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8423 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8424 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8425 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8426 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8427 0 \
8428 -s "Extra-header:" \
8429 -c "HTTP/1.0 200 OK"
8430
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8431client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8432run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
8433 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8434 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8435 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8436 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
8437 0 \
8438 -s "Extra-header:" \
8439 -c "HTTP/1.0 200 OK"
8440
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8441client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8442run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
8443 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8444 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8445 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8446 0 \
8447 -s "Extra-header:" \
8448 -c "HTTP/1.0 200 OK"
8449
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8450client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8451run_test "DTLS proxy: 3d, FS, client auth" \
8452 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8453 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
8454 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8455 0 \
8456 -s "Extra-header:" \
8457 -c "HTTP/1.0 200 OK"
8458
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8459client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8460run_test "DTLS proxy: 3d, FS, ticket" \
8461 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8462 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
8463 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8464 0 \
8465 -s "Extra-header:" \
8466 -c "HTTP/1.0 200 OK"
8467
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8468client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8469run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
8470 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8471 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
8472 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8473 0 \
8474 -s "Extra-header:" \
8475 -c "HTTP/1.0 200 OK"
8476
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8477client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8478run_test "DTLS proxy: 3d, max handshake, nbio" \
8479 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8480 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8481 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8482 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8483 0 \
8484 -s "Extra-header:" \
8485 -c "HTTP/1.0 200 OK"
8486
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8487client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8488requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8489requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8490requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8491run_test "DTLS proxy: 3d, min handshake, resumption" \
8492 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8493 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8494 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8495 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8496 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8497 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8498 0 \
8499 -s "a session has been resumed" \
8500 -c "a session has been resumed" \
8501 -s "Extra-header:" \
8502 -c "HTTP/1.0 200 OK"
8503
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8504client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8505requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8506requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8507requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8508run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
8509 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8510 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8511 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8512 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8513 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8514 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
8515 0 \
8516 -s "a session has been resumed" \
8517 -c "a session has been resumed" \
8518 -s "Extra-header:" \
8519 -c "HTTP/1.0 200 OK"
8520
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8521client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8522requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8523run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8524 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8525 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8526 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8527 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8528 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8529 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8530 0 \
8531 -c "=> renegotiate" \
8532 -s "=> renegotiate" \
8533 -s "Extra-header:" \
8534 -c "HTTP/1.0 200 OK"
8535
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8536client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8537requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8538run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
8539 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8540 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8541 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8542 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8543 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8544 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8545 0 \
8546 -c "=> renegotiate" \
8547 -s "=> renegotiate" \
8548 -s "Extra-header:" \
8549 -c "HTTP/1.0 200 OK"
8550
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8551client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8552requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8553run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8554 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8555 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8556 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8557 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8558 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8559 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8560 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8561 0 \
8562 -c "=> renegotiate" \
8563 -s "=> renegotiate" \
8564 -s "Extra-header:" \
8565 -c "HTTP/1.0 200 OK"
8566
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8567client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8568requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8569run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8570 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8571 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8572 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8573 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8574 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8575 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8576 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8577 0 \
8578 -c "=> renegotiate" \
8579 -s "=> renegotiate" \
8580 -s "Extra-header:" \
8581 -c "HTTP/1.0 200 OK"
8582
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8583## Interop tests with OpenSSL might trigger a bug in recent versions (including
8584## all versions installed on the CI machines), reported here:
8585## Bug report: https://github.com/openssl/openssl/issues/6902
8586## They should be re-enabled once a fixed version of OpenSSL is available
8587## (this should happen in some 1.1.1_ release according to the ticket).
8588skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8589client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8590not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8591run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8592 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8593 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8594 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8595 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8596 -c "HTTP/1.0 200 OK"
8597
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8598skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8599client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8600not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8601run_test "DTLS proxy: 3d, openssl server, fragmentation" \
8602 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8603 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8604 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8605 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8606 -c "HTTP/1.0 200 OK"
8607
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8608skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8609client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8610not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8611run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
8612 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8613 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8614 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8615 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8616 -c "HTTP/1.0 200 OK"
8617
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]8618requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8619client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8620not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8621run_test "DTLS proxy: 3d, gnutls server" \
8622 -p "$P_PXY drop=5 delay=5 duplicate=5" \
8623 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8624 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8625 0 \
8626 -s "Extra-header:" \
8627 -c "Extra-header:"
8628
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8629requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8630client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8631not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8632run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
8633 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8634 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8635 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8636 0 \
8637 -s "Extra-header:" \
8638 -c "Extra-header:"
8639
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8640requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8641client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8642not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8643run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
8644 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8645 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8646 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8647 0 \
8648 -s "Extra-header:" \
8649 -c "Extra-header:"
8650
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]8651# Final report
8652
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8653echo "------------------------------------------------------------------------"
8654
8655if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8656 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8657else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8658 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8659fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]8660PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]8661echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8662
8663exit $FAILS