TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ab9a29bd2cc33ca22badc7cc4b0465cf30bf7865 / . / tests / ssl-opt.sh
blob: 38b1b69fd19fd16cf1a89b5227874a7bd2645a92 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Jaeden Ameroa258ccd2019-07-03 13:51:04 +0100[diff] [blame]24# Limit the size of each log to 10 GiB, in case of failures with this script
25# where it may output seemingly unlimited length error logs.
26ulimit -f 20971520
27
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]28if cd $( dirname $0 ); then :; else
29 echo "cd $( dirname $0 ) failed" >&2
30 exit 1
31fi
32
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]33# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]34: ${P_SRV:=../programs/ssl/ssl_server2}
35: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]36: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]37: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]38: ${GNUTLS_CLI:=gnutls-cli}
39: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]40: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]41
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]42O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]43O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]44G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]45G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]46TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]47
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]48# alternative versions of OpenSSL and GnuTLS (no default path)
49
50if [ -n "${OPENSSL_LEGACY:-}" ]; then
51 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
52 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
53else
54 O_LEGACY_SRV=false
55 O_LEGACY_CLI=false
56fi
57
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]58if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]59 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
60else
61 G_NEXT_SRV=false
62fi
63
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]64if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]65 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
66else
67 G_NEXT_CLI=false
68fi
69
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]70TESTS=0
71FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]72SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]73
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]74MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]75FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]76EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]77
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]78SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]79RUN_TEST_NUMBER=''
80
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]81PRESERVE_LOGS=0
82
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]83# Pick a "unique" server port in the range 10000-19999, and a proxy
84# port which is this plus 10000. Each port number may be independently
85# overridden by a command line option.
86SRV_PORT=$(($$ % 10000 + 10000))
87PXY_PORT=$((SRV_PORT + 10000))
88
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]89print_usage() {
90 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]91 printf " -h|--help\tPrint this help.\n"
92 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]93 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
94 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]95 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]96 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]97 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]98 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
99 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]100 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]101}
102
103get_options() {
104 while [ $# -gt 0 ]; do
105 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]106 -f|--filter)
107 shift; FILTER=$1
108 ;;
109 -e|--exclude)
110 shift; EXCLUDE=$1
111 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]112 -m|--memcheck)
113 MEMCHECK=1
114 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]115 -n|--number)
116 shift; RUN_TEST_NUMBER=$1
117 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]118 -s|--show-numbers)
119 SHOW_TEST_NUMBER=1
120 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]121 -p|--preserve-logs)
122 PRESERVE_LOGS=1
123 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]124 --port)
125 shift; SRV_PORT=$1
126 ;;
127 --proxy-port)
128 shift; PXY_PORT=$1
129 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]130 --seed)
131 shift; SEED="$1"
132 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]133 -h|--help)
134 print_usage
135 exit 0
136 ;;
137 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]138 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]139 print_usage
140 exit 1
141 ;;
142 esac
143 shift
144 done
145}
146
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]147# Skip next test; use this macro to skip tests which are legitimate
148# in theory and expected to be re-introduced at some point, but
149# aren't expected to succeed at the moment due to problems outside
150# our control (such as bugs in other TLS implementations).
151skip_next_test() {
152 SKIP_NEXT="YES"
153}
154
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]155requires_ciphersuite_enabled() {
156 if [ -z "$($P_CLI --help | grep "$1")" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]161get_config_value_or_default() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]162 # This function uses the query_config command line option to query the
163 # required Mbed TLS compile time configuration from the ssl_server2
164 # program. The command will always return a success value if the
165 # configuration is defined and the value will be printed to stdout.
166 #
167 # Note that if the configuration is not defined or is defined to nothing,
168 # the output of this function will be an empty string.
169 ${P_SRV} "query_config=${1}"
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]170}
171
Hanno Beckerab9a29b2019-09-24 16:14:39 +0100[diff] [blame^]172# skip next test if the flag is enabled in config.h
173requires_config_disabled() {
174 if get_config_value_or_default $1; then
175 SKIP_NEXT="YES"
176 fi
177}
178
179requires_config_enabled() {
180 if ! get_config_value_or_default $1; then
181 SKIP_NEXT="YES"
182 fi
183}
184
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]185requires_config_value_at_least() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]186 VAL="$( get_config_value_or_default "$1" )"
187 if [ -z "$VAL" ]; then
188 # Should never happen
189 echo "Mbed TLS configuration $1 is not defined"
190 exit 1
191 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]192 SKIP_NEXT="YES"
193 fi
194}
195
196requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]197 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]198 if [ -z "$VAL" ]; then
199 # Should never happen
200 echo "Mbed TLS configuration $1 is not defined"
201 exit 1
202 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]203 SKIP_NEXT="YES"
204 fi
205}
206
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]207# skip next test if OpenSSL doesn't support FALLBACK_SCSV
208requires_openssl_with_fallback_scsv() {
209 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
210 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
211 then
212 OPENSSL_HAS_FBSCSV="YES"
213 else
214 OPENSSL_HAS_FBSCSV="NO"
215 fi
216 fi
217 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
218 SKIP_NEXT="YES"
219 fi
220}
221
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]222# skip next test if GnuTLS isn't available
223requires_gnutls() {
224 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]225 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]226 GNUTLS_AVAILABLE="YES"
227 else
228 GNUTLS_AVAILABLE="NO"
229 fi
230 fi
231 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
232 SKIP_NEXT="YES"
233 fi
234}
235
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]236# skip next test if GnuTLS-next isn't available
237requires_gnutls_next() {
238 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
239 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
240 GNUTLS_NEXT_AVAILABLE="YES"
241 else
242 GNUTLS_NEXT_AVAILABLE="NO"
243 fi
244 fi
245 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
246 SKIP_NEXT="YES"
247 fi
248}
249
250# skip next test if OpenSSL-legacy isn't available
251requires_openssl_legacy() {
252 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
253 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
254 OPENSSL_LEGACY_AVAILABLE="YES"
255 else
256 OPENSSL_LEGACY_AVAILABLE="NO"
257 fi
258 fi
259 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
260 SKIP_NEXT="YES"
261 fi
262}
263
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]264# skip next test if IPv6 isn't available on this host
265requires_ipv6() {
266 if [ -z "${HAS_IPV6:-}" ]; then
267 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
268 SRV_PID=$!
269 sleep 1
270 kill $SRV_PID >/dev/null 2>&1
271 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
272 HAS_IPV6="NO"
273 else
274 HAS_IPV6="YES"
275 fi
276 rm -r $SRV_OUT
277 fi
278
279 if [ "$HAS_IPV6" = "NO" ]; then
280 SKIP_NEXT="YES"
281 fi
282}
283
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]284# skip next test if it's i686 or uname is not available
285requires_not_i686() {
286 if [ -z "${IS_I686:-}" ]; then
287 IS_I686="YES"
288 if which "uname" >/dev/null 2>&1; then
289 if [ -z "$(uname -a | grep i686)" ]; then
290 IS_I686="NO"
291 fi
292 fi
293 fi
294 if [ "$IS_I686" = "YES" ]; then
295 SKIP_NEXT="YES"
296 fi
297}
298
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]299# Calculate the input & output maximum content lengths set in the config
300MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
301MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
302MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
303
304if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
305 MAX_CONTENT_LEN="$MAX_IN_LEN"
306fi
307if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
308 MAX_CONTENT_LEN="$MAX_OUT_LEN"
309fi
310
311# skip the next test if the SSL output buffer is less than 16KB
312requires_full_size_output_buffer() {
313 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
314 SKIP_NEXT="YES"
315 fi
316}
317
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]318# skip the next test if valgrind is in use
319not_with_valgrind() {
320 if [ "$MEMCHECK" -gt 0 ]; then
321 SKIP_NEXT="YES"
322 fi
323}
324
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]325# skip the next test if valgrind is NOT in use
326only_with_valgrind() {
327 if [ "$MEMCHECK" -eq 0 ]; then
328 SKIP_NEXT="YES"
329 fi
330}
331
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]332# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]333client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]334 CLI_DELAY_FACTOR=$1
335}
336
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]337# wait for the given seconds after the client finished in the next test
338server_needs_more_time() {
339 SRV_DELAY_SECONDS=$1
340}
341
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]342# print_name <name>
343print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]344 TESTS=$(( $TESTS + 1 ))
345 LINE=""
346
347 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
348 LINE="$TESTS "
349 fi
350
351 LINE="$LINE$1"
352 printf "$LINE "
353 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]354 for i in `seq 1 $LEN`; do printf '.'; done
355 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]356
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]357}
358
359# fail <message>
360fail() {
361 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]362 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]363
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]364 mv $SRV_OUT o-srv-${TESTS}.log
365 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]366 if [ -n "$PXY_CMD" ]; then
367 mv $PXY_OUT o-pxy-${TESTS}.log
368 fi
369 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]370
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]371 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]372 echo " ! server output:"
373 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]374 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]375 echo " ! client output:"
376 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]377 if [ -n "$PXY_CMD" ]; then
378 echo " ! ========================================================"
379 echo " ! proxy output:"
380 cat o-pxy-${TESTS}.log
381 fi
382 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]383 fi
384
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]385 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]386}
387
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]388# is_polar <cmd_line>
389is_polar() {
390 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
391}
392
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]393# openssl s_server doesn't have -www with DTLS
394check_osrv_dtls() {
395 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
396 NEEDS_INPUT=1
397 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
398 else
399 NEEDS_INPUT=0
400 fi
401}
402
403# provide input to commands that need it
404provide_input() {
405 if [ $NEEDS_INPUT -eq 0 ]; then
406 return
407 fi
408
409 while true; do
410 echo "HTTP/1.0 200 OK"
411 sleep 1
412 done
413}
414
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]415# has_mem_err <log_file_name>
416has_mem_err() {
417 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
418 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
419 then
420 return 1 # false: does not have errors
421 else
422 return 0 # true: has errors
423 fi
424}
425
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]426# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]427if type lsof >/dev/null 2>/dev/null; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]428 wait_app_start() {
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]429 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]430 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]431 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]432 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]433 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]434 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]435 # Make a tight loop, server normally takes less than 1s to start.
436 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
437 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]438 echo "$3 START TIMEOUT"
439 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]440 break
441 fi
442 # Linux and *BSD support decimal arguments to sleep. On other
443 # OSes this may be a tight loop.
444 sleep 0.1 2>/dev/null || true
445 done
446 }
447else
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]448 echo "Warning: lsof not available, wait_app_start = sleep"
449 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]450 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]451 }
452fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]453
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]454# Wait for server process $2 to be listening on port $1.
455wait_server_start() {
456 wait_app_start $1 $2 "SERVER" $SRV_OUT
457}
458
459# Wait for proxy process $2 to be listening on port $1.
460wait_proxy_start() {
461 wait_app_start $1 $2 "PROXY" $PXY_OUT
462}
463
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]464# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]465# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]466# acceptable bounds
467check_server_hello_time() {
468 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]469 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]470 # Get the Unix timestamp for now
471 CUR_TIME=$(date +'%s')
472 THRESHOLD_IN_SECS=300
473
474 # Check if the ServerHello time was printed
475 if [ -z "$SERVER_HELLO_TIME" ]; then
476 return 1
477 fi
478
479 # Check the time in ServerHello is within acceptable bounds
480 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
481 # The time in ServerHello is at least 5 minutes before now
482 return 1
483 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]484 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]485 return 1
486 else
487 return 0
488 fi
489}
490
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]491# wait for client to terminate and set CLI_EXIT
492# must be called right after starting the client
493wait_client_done() {
494 CLI_PID=$!
495
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]496 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
497 CLI_DELAY_FACTOR=1
498
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]499 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]500 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]501
502 wait $CLI_PID
503 CLI_EXIT=$?
504
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]505 kill $DOG_PID >/dev/null 2>&1
506 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]507
508 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]509
510 sleep $SRV_DELAY_SECONDS
511 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]512}
513
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]514# check if the given command uses dtls and sets global variable DTLS
515detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]516 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]517 DTLS=1
518 else
519 DTLS=0
520 fi
521}
522
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]523# Strip off a particular parameter from the command line
524# and return its value.
525# Parameter 1: Command line parameter to strip off
526# ENV I/O: CMD command line to search and modify
527extract_cmdline_argument() {
528 __ARG=$(echo "$CMD" | sed -n "s/^.* $1=\([^ ]*\).*$/\1/p")
529 CMD=$(echo "$CMD" | sed "s/$1=\([^ ]*\)//")
530}
531
532# Check compatibility of the ssl_client2/ssl_server2 command-line
533# with a particular compile-time configurable option.
534# Parameter 1: Command-line argument (e.g. extended_ms)
535# Parameter 2: Corresponding compile-time configuration
536# (e.g. MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
537# ENV I/O: CMD command line to search and modify
538# SKIP_NEXT set to "YES" on a mismatch
539check_cmdline_param_compat() {
540 __VAL="$( get_config_value_or_default "$2" )"
541 if [ ! -z "$__VAL" ]; then
542 extract_cmdline_argument "$1"
543 if [ ! -z "$__ARG" ] && [ "$__ARG" != "$__VAL" ]; then
544 SKIP_NEXT="YES"
545 fi
546 fi
547}
548
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]549check_cmdline_check_tls_dtls() {
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]550 detect_dtls "$CMD"
551 if [ "$DTLS" = "0" ]; then
552 requires_config_disabled MBEDTLS_SSL_PROTO_NO_TLS
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]553 elif [ "$DTLS" = "1" ]; then
554 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]555 fi
556}
557
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]558check_cmdline_authmode_compat() {
559 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_AUTHMODE" )"
560 if [ ! -z "$__VAL" ]; then
561 extract_cmdline_argument "auth_mode"
562 if [ "$__ARG" = "none" ] && [ "$__VAL" != "0" ]; then
563 SKIP_NEXT="YES";
564 elif [ "$__ARG" = "optional" ] && [ "$__VAL" != "1" ]; then
565 SKIP_NEXT="YES"
566 elif [ "$__ARG" = "required" ] && [ "$__VAL" != "2" ]; then
567 SKIP_NEXT="YES"
568 fi
569 fi
570}
571
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]572check_cmdline_legacy_renego_compat() {
573 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )"
574 if [ ! -z "$__VAL" ]; then
575 extract_cmdline_argument "allow_legacy"
576 if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then
577 SKIP_NEXT="YES";
578 elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then
579 SKIP_NEXT="YES"
580 elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then
581 SKIP_NEXT="YES"
582 fi
583 fi
584}
585
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]586check_cmdline_min_minor_version_compat() {
587 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
588 if [ ! -z "$__VAL" ]; then
589 extract_cmdline_argument "min_version"
590 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
591 SKIP_NEXT="YES";
592 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
593 SKIP_NEXT="YES"
594 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
595 SKIP_NEXT="YES"
596 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
597 SKIP_NEXT="YES"
598 fi
599 fi
600}
601
602check_cmdline_max_minor_version_compat() {
603 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
604 if [ ! -z "$__VAL" ]; then
605 extract_cmdline_argument "max_version"
606 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
607 SKIP_NEXT="YES";
608 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
609 SKIP_NEXT="YES"
610 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
611 SKIP_NEXT="YES"
612 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
613 SKIP_NEXT="YES"
614 fi
615 fi
616}
617
618check_cmdline_force_version_compat() {
619 __VAL_MAX="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
620 __VAL_MIN="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
621 if [ ! -z "$__VAL_MIN" ]; then
622
623 # SSL cli/srv cmd line
624
625 extract_cmdline_argument "force_version"
626 if [ "$__ARG" = "ssl3" ] && \
627 ( [ "$__VAL_MIN" != "0" ] || [ "$__VAL_MAX" != "0" ] ); then
628 SKIP_NEXT="YES";
629 elif [ "$__ARG" = "tls1" ] && \
630 ( [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ] ); then
631 SKIP_NEXT="YES"
632 elif ( [ "$__ARG" = "tls1_1" ] || [ "$__ARG" = "dtls1" ] ) && \
633 ( [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ] ); then
634 SKIP_NEXT="YES"
635 elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
636 ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
637 echo "FORCE SKIP"
638 SKIP_NEXT="YES"
639 fi
640
641 # OpenSSL cmd line
642
643 if echo "$CMD" | grep -e "-tls1\($\|[^_]\)" > /dev/null; then
644 if [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ]; then
645 SKIP_NEXT="YES"
646 fi
647 fi
648
649 if echo "$CMD" | grep -e "-\(dtls1\($\|[^_]\)\|tls1_1\)" > /dev/null; then
650 if [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ]; then
651 SKIP_NEXT="YES"
652 fi
653 fi
654
655 if echo "$CMD" | grep -e "-\(dtls1_2\($\|[^_]\)\|tls1_2\)" > /dev/null; then
656 if [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ]; then
657 SKIP_NEXT="YES"
658 fi
659 fi
660
661 fi
662}
663
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]664check_cmdline_crt_key_files_compat() {
665
666 # test-ca2.crt
667 if echo "$CMD" | grep -e "test-ca2" > /dev/null; then
668 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
669 fi
670
671 # Variants of server5.key and server5.crt
672 if echo "$CMD" | grep -e "server5" > /dev/null; then
673 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
674 fi
675
676 # Variants of server6.key and server6.crt
677 if echo "$CMD" | grep -e "server6" > /dev/null; then
678 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
679 fi
680
681}
682
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]683# Go through all options that can be hardcoded at compile-time and
684# detect whether the command line configures them in a conflicting
685# way. If so, skip the test. Otherwise, remove the corresponding
686# entry.
687# Parameter 1: Command line to inspect
688# Output: Modified command line
689# ENV I/O: SKIP_TEST set to 1 on mismatch.
690check_cmdline_compat() {
691 CMD="$1"
692
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]693 # Check that if we're specifying particular certificate and/or
694 # ECC key files, the corresponding curve is enabled.
695 check_cmdline_crt_key_files_compat
696
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]697 # ExtendedMasterSecret configuration
698 check_cmdline_param_compat "extended_ms" \
699 "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET"
700 check_cmdline_param_compat "enforce_extended_master_secret" \
701 "MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET"
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]702
703 # DTLS anti replay protection configuration
704 check_cmdline_param_compat "anti_replay" \
705 "MBEDTLS_SSL_CONF_ANTI_REPLAY"
706
Hanno Beckerde671542019-06-12 16:30:46 +0100[diff] [blame]707 # DTLS bad MAC limit
708 check_cmdline_param_compat "badmac_limit" \
709 "MBEDTLS_SSL_CONF_BADMAC_LIMIT"
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]710
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]711 # Skip tests relying on TLS/DTLS in configs that disable it.
712 check_cmdline_check_tls_dtls
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]713
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]714 # Authentication mode
715 check_cmdline_authmode_compat
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]716
717 # Legacy renegotiation
718 check_cmdline_legacy_renego_compat
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]719
720 # Version configuration
721 check_cmdline_min_minor_version_compat
722 check_cmdline_max_minor_version_compat
723 check_cmdline_force_version_compat
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]724}
725
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]726# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]727# Options: -s pattern pattern that must be present in server output
728# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]729# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]730# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]731# -S pattern pattern that must be absent in server output
732# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]733# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]734# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]735run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]736 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]737 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]738
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]739 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
740 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]741 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]742 return
743 fi
744
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]745 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]746
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]747 # Do we only run numbered tests?
748 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
749 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
750 else
751 SKIP_NEXT="YES"
752 fi
753
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]754 # does this test use a proxy?
755 if [ "X$1" = "X-p" ]; then
756 PXY_CMD="$2"
757 shift 2
758 else
759 PXY_CMD=""
760 fi
761
762 # get commands and client output
763 SRV_CMD="$1"
764 CLI_CMD="$2"
765 CLI_EXPECT="$3"
766 shift 3
767
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]768 check_cmdline_compat "$SRV_CMD"
769 SRV_CMD="$CMD"
770
771 check_cmdline_compat "$CLI_CMD"
772 CLI_CMD="$CMD"
773
Hanno Becker7a11e722019-05-10 14:38:42 +0100[diff] [blame]774 # Check if test uses files
775 TEST_USES_FILES=$(echo "$SRV_CMD $CLI_CMD" | grep "\.\(key\|crt\|pem\)" )
776 if [ ! -z "$TEST_USES_FILES" ]; then
777 requires_config_enabled MBEDTLS_FS_IO
778 fi
779
780 # should we skip?
781 if [ "X$SKIP_NEXT" = "XYES" ]; then
782 SKIP_NEXT="NO"
783 echo "SKIP"
784 SKIPS=$(( $SKIPS + 1 ))
785 return
786 fi
787
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]788 # fix client port
789 if [ -n "$PXY_CMD" ]; then
790 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
791 else
792 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
793 fi
794
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]795 # update DTLS variable
796 detect_dtls "$SRV_CMD"
797
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]798 # prepend valgrind to our commands if active
799 if [ "$MEMCHECK" -gt 0 ]; then
800 if is_polar "$SRV_CMD"; then
801 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
802 fi
803 if is_polar "$CLI_CMD"; then
804 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
805 fi
806 fi
807
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]808 TIMES_LEFT=2
809 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]810 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]811
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]812 # run the commands
813 if [ -n "$PXY_CMD" ]; then
814 echo "$PXY_CMD" > $PXY_OUT
815 $PXY_CMD >> $PXY_OUT 2>&1 &
816 PXY_PID=$!
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]817 wait_proxy_start "$PXY_PORT" "$PXY_PID"
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]818 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]819
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]820 check_osrv_dtls
821 echo "$SRV_CMD" > $SRV_OUT
822 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
823 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]824 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]825
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]826 echo "$CLI_CMD" > $CLI_OUT
827 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
828 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]829
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]830 sleep 0.05
831
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]832 # terminate the server (and the proxy)
833 kill $SRV_PID
834 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]835
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]836 if [ -n "$PXY_CMD" ]; then
837 kill $PXY_PID >/dev/null 2>&1
838 wait $PXY_PID
839 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]840
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]841 # retry only on timeouts
842 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
843 printf "RETRY "
844 else
845 TIMES_LEFT=0
846 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]847 done
848
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]849 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]850 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]851 # expected client exit to incorrectly succeed in case of catastrophic
852 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]853 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]854 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]855 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]856 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]857 return
858 fi
859 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]860 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]861 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]862 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]863 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]864 return
865 fi
866 fi
867
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]868 # check server exit code
869 if [ $? != 0 ]; then
870 fail "server fail"
871 return
872 fi
873
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]874 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]875 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
876 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]877 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]878 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]879 return
880 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]881
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]882 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]883 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]884 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]885 while [ $# -gt 0 ]
886 do
887 case $1 in
888 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]889 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]890 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]891 return
892 fi
893 ;;
894
895 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]896 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]897 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]898 return
899 fi
900 ;;
901
902 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]903 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]904 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]905 return
906 fi
907 ;;
908
909 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]910 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]911 fail "pattern '$2' MUST NOT be present in the Client output"
912 return
913 fi
914 ;;
915
916 # The filtering in the following two options (-u and -U) do the following
917 # - ignore valgrind output
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]918 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]919 # - keep one of each non-unique line
920 # - count how many lines remain
921 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
922 # if there were no duplicates.
923 "-U")
924 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
925 fail "lines following pattern '$2' must be unique in Server output"
926 return
927 fi
928 ;;
929
930 "-u")
931 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
932 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]933 return
934 fi
935 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]936 "-F")
937 if ! $2 "$SRV_OUT"; then
938 fail "function call to '$2' failed on Server output"
939 return
940 fi
941 ;;
942 "-f")
943 if ! $2 "$CLI_OUT"; then
944 fail "function call to '$2' failed on Client output"
945 return
946 fi
947 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]948
949 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]950 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]951 exit 1
952 esac
953 shift 2
954 done
955
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]956 # check valgrind's results
957 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]958 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]959 fail "Server has memory errors"
960 return
961 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]962 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]963 fail "Client has memory errors"
964 return
965 fi
966 fi
967
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]968 # if we're here, everything is ok
969 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]970 if [ "$PRESERVE_LOGS" -gt 0 ]; then
971 mv $SRV_OUT o-srv-${TESTS}.log
972 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]973 if [ -n "$PXY_CMD" ]; then
974 mv $PXY_OUT o-pxy-${TESTS}.log
975 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]976 fi
977
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]978 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]979}
980
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]981cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]982 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]983 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
984 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
985 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
986 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]987 exit 1
988}
989
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]990#
991# MAIN
992#
993
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]994get_options "$@"
995
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]996# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]997P_SRV_BIN="${P_SRV%%[ ]*}"
998P_CLI_BIN="${P_CLI%%[ ]*}"
999P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1000if [ ! -x "$P_SRV_BIN" ]; then
1001 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1002 exit 1
1003fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1004if [ ! -x "$P_CLI_BIN" ]; then
1005 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1006 exit 1
1007fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1008if [ ! -x "$P_PXY_BIN" ]; then
1009 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1010 exit 1
1011fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]1012if [ "$MEMCHECK" -gt 0 ]; then
1013 if which valgrind >/dev/null 2>&1; then :; else
1014 echo "Memcheck not possible. Valgrind not found"
1015 exit 1
1016 fi
1017fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1018if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
1019 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1020 exit 1
1021fi
1022
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]1023# used by watchdog
1024MAIN_PID="$$"
1025
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1026# We use somewhat arbitrary delays for tests:
1027# - how long do we wait for the server to start (when lsof not available)?
1028# - how long do we allow for the client to finish?
1029# (not to check performance, just to avoid waiting indefinitely)
1030# Things are slower with valgrind, so give extra time here.
1031#
1032# Note: without lsof, there is a trade-off between the running time of this
1033# script and the risk of spurious errors because we didn't wait long enough.
1034# The watchdog delay on the other hand doesn't affect normal running time of
1035# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1036if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1037 START_DELAY=6
1038 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1039else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1040 START_DELAY=2
1041 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1042fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1043
1044# some particular tests need more time:
1045# - for the client, we multiply the usual watchdog limit by a factor
1046# - for the server, we sleep for a number of seconds after the client exits
1047# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]1048CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]1049SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1050
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1051# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]1052# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1053P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
1054P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]1055P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]1056O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1057O_CLI="$O_CLI -connect localhost:+SRV_PORT"
1058G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1059G_CLI="$G_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1060
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1061if [ -n "${OPENSSL_LEGACY:-}" ]; then
1062 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
1063 O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
1064fi
1065
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1066if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1067 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
1068fi
1069
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1070if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1071 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1072fi
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1073
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]1074# Allow SHA-1, because many of our test certificates use it
1075P_SRV="$P_SRV allow_sha1=1"
1076P_CLI="$P_CLI allow_sha1=1"
1077
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1078# Also pick a unique name for intermediate files
1079SRV_OUT="srv_out.$$"
1080CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1081PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1082SESSION="session.$$"
1083
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]1084SKIP_NEXT="NO"
1085
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1086trap cleanup INT TERM HUP
1087
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1088# Basic test
1089
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1090run_test "Default" \
1091 "$P_SRV debug_level=3" \
1092 "$P_CLI" \
1093 0
1094
1095run_test "Default, DTLS" \
1096 "$P_SRV dtls=1" \
1097 "$P_CLI dtls=1" \
1098 0
1099
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1100# Checks that:
1101# - things work with all ciphersuites active (used with config-full in all.sh)
1102# - the expected (highest security) parameters are selected
1103# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1104requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1105requires_config_enabled MBEDTLS_SHA512_C
1106requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1107requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1108run_test "Default, choose highest security suite and hash" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1109 "$P_SRV debug_level=3" \
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1110 "$P_CLI" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1111 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1112 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1113 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1114 -s "client hello v3, signature_algorithm ext: 6" \
1115 -s "ECDHE curve: secp521r1" \
1116 -S "error" \
1117 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1118
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1119requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1120requires_config_enabled MBEDTLS_SHA512_C
1121requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1122requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1123run_test "Default, choose highest security suite and hash, DTLS" \
1124 "$P_SRV debug_level=3 dtls=1" \
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1125 "$P_CLI dtls=1" \
1126 0 \
1127 -s "Protocol is DTLSv1.2" \
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1128 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
1129 -s "client hello v3, signature_algorithm ext: 6" \
1130 -s "ECDHE curve: secp521r1"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1131
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1132# Test current time in ServerHello
1133requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1134run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1135 "$P_SRV debug_level=3" \
1136 "$P_CLI debug_level=3" \
1137 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1138 -f "check_server_hello_time" \
1139 -F "check_server_hello_time"
1140
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1141# Test for uniqueness of IVs in AEAD ciphersuites
1142run_test "Unique IV in GCM" \
1143 "$P_SRV exchanges=20 debug_level=4" \
1144 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1145 0 \
1146 -u "IV used" \
1147 -U "IV used"
1148
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1149# Tests for rc4 option
1150
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1151requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1152run_test "RC4: server disabled, client enabled" \
1153 "$P_SRV" \
1154 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1155 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1156 -s "SSL - The server has no ciphersuites in common"
1157
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1158requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1159run_test "RC4: server half, client enabled" \
1160 "$P_SRV arc4=1" \
1161 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1162 1 \
1163 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1164
1165run_test "RC4: server enabled, client disabled" \
1166 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1167 "$P_CLI" \
1168 1 \
1169 -s "SSL - The server has no ciphersuites in common"
1170
1171run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1172 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1173 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1174 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1175 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1176 -S "SSL - The server has no ciphersuites in common"
1177
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1178# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
1179
1180requires_gnutls
1181requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
1182run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
1183 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1184 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1185 0
1186
1187requires_gnutls
1188requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
1189run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
1190 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1191 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1192 0
1193
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1194# Tests for SHA-1 support
1195
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1196requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1197requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1198requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1199run_test "SHA-1 forbidden by default in server certificate" \
1200 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1201 "$P_CLI debug_level=2 allow_sha1=0" \
1202 1 \
1203 -c "The certificate is signed with an unacceptable hash"
1204
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1205requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1206run_test "SHA-1 forbidden by default in server certificate" \
1207 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1208 "$P_CLI debug_level=2 allow_sha1=0" \
1209 0
1210
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1211run_test "SHA-1 explicitly allowed in server certificate" \
1212 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1213 "$P_CLI allow_sha1=1" \
1214 0
1215
1216run_test "SHA-256 allowed by default in server certificate" \
1217 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
1218 "$P_CLI allow_sha1=0" \
1219 0
1220
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1221requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1222requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1223requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1224run_test "SHA-1 forbidden by default in client certificate" \
1225 "$P_SRV auth_mode=required allow_sha1=0" \
1226 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1227 1 \
1228 -s "The certificate is signed with an unacceptable hash"
1229
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1230requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1231run_test "SHA-1 forbidden by default in client certificate" \
1232 "$P_SRV auth_mode=required allow_sha1=0" \
1233 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1234 0
1235
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1236run_test "SHA-1 explicitly allowed in client certificate" \
1237 "$P_SRV auth_mode=required allow_sha1=1" \
1238 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1239 0
1240
1241run_test "SHA-256 allowed by default in client certificate" \
1242 "$P_SRV auth_mode=required allow_sha1=0" \
1243 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
1244 0
1245
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1246# Tests for datagram packing
1247run_test "DTLS: multiple records in same datagram, client and server" \
1248 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1249 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1250 0 \
1251 -c "next record in same datagram" \
1252 -s "next record in same datagram"
1253
1254run_test "DTLS: multiple records in same datagram, client only" \
1255 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1256 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1257 0 \
1258 -s "next record in same datagram" \
1259 -C "next record in same datagram"
1260
1261run_test "DTLS: multiple records in same datagram, server only" \
1262 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1263 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1264 0 \
1265 -S "next record in same datagram" \
1266 -c "next record in same datagram"
1267
1268run_test "DTLS: multiple records in same datagram, neither client nor server" \
1269 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1270 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1271 0 \
1272 -S "next record in same datagram" \
1273 -C "next record in same datagram"
1274
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1275# Tests for Truncated HMAC extension
1276
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1277run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1278 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1279 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1280 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1281 -s "dumping 'expected mac' (20 bytes)" \
1282 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1283
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1284requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1285run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1286 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1287 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1288 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1289 -s "dumping 'expected mac' (20 bytes)" \
1290 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1291
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1292requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1293run_test "Truncated HMAC: client enabled, server default" \
1294 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1295 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1296 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1297 -s "dumping 'expected mac' (20 bytes)" \
1298 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1299
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1300requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1301run_test "Truncated HMAC: client enabled, server disabled" \
1302 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1303 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1304 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1305 -s "dumping 'expected mac' (20 bytes)" \
1306 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1307
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1308requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1309run_test "Truncated HMAC: client disabled, server enabled" \
1310 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1311 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1312 0 \
1313 -s "dumping 'expected mac' (20 bytes)" \
1314 -S "dumping 'expected mac' (10 bytes)"
1315
1316requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1317run_test "Truncated HMAC: client enabled, server enabled" \
1318 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1319 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1320 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1321 -S "dumping 'expected mac' (20 bytes)" \
1322 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1323
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1324run_test "Truncated HMAC, DTLS: client default, server default" \
1325 "$P_SRV dtls=1 debug_level=4" \
1326 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1327 0 \
1328 -s "dumping 'expected mac' (20 bytes)" \
1329 -S "dumping 'expected mac' (10 bytes)"
1330
1331requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1332run_test "Truncated HMAC, DTLS: client disabled, server default" \
1333 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1334 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1335 0 \
1336 -s "dumping 'expected mac' (20 bytes)" \
1337 -S "dumping 'expected mac' (10 bytes)"
1338
1339requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1340run_test "Truncated HMAC, DTLS: client enabled, server default" \
1341 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1342 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1343 0 \
1344 -s "dumping 'expected mac' (20 bytes)" \
1345 -S "dumping 'expected mac' (10 bytes)"
1346
1347requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1348run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1349 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1350 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1351 0 \
1352 -s "dumping 'expected mac' (20 bytes)" \
1353 -S "dumping 'expected mac' (10 bytes)"
1354
1355requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1356run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1357 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1358 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1359 0 \
1360 -s "dumping 'expected mac' (20 bytes)" \
1361 -S "dumping 'expected mac' (10 bytes)"
1362
1363requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1364run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1365 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1366 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1367 0 \
1368 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1369 -s "dumping 'expected mac' (10 bytes)"
1370
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1371# Tests for Context serialization
1372
1373requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1374run_test "Context serialization, client serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1375 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1376 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1377 0 \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1378 -c "Deserializing connection..." \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1379 -S "Deserializing connection..."
1380
1381requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1382run_test "Context serialization, client serializes, ChaChaPoly" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1383 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1384 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1385 0 \
1386 -c "Deserializing connection..." \
1387 -S "Deserializing connection..."
1388
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1389requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1390run_test "Context serialization, client serializes, GCM" \
1391 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1392 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1393 0 \
1394 -c "Deserializing connection..." \
1395 -S "Deserializing connection..."
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1396
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1397requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1398requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1399run_test "Context serialization, client serializes, with CID" \
1400 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1401 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1402 0 \
1403 -c "Deserializing connection..." \
1404 -S "Deserializing connection..."
1405
1406requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1407run_test "Context serialization, server serializes, CCM" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1408 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1409 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1410 0 \
1411 -C "Deserializing connection..." \
1412 -s "Deserializing connection..."
1413
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1414requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1415run_test "Context serialization, server serializes, ChaChaPoly" \
1416 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1417 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1418 0 \
1419 -C "Deserializing connection..." \
1420 -s "Deserializing connection..."
1421
1422requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1423run_test "Context serialization, server serializes, GCM" \
1424 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1425 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1426 0 \
1427 -C "Deserializing connection..." \
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1428 -s "Deserializing connection..."
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1429
1430requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1431requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1432run_test "Context serialization, server serializes, with CID" \
1433 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1434 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1435 0 \
1436 -C "Deserializing connection..." \
1437 -s "Deserializing connection..."
1438
1439requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1440run_test "Context serialization, both serialize, CCM" \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1441 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1442 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1443 0 \
1444 -c "Deserializing connection..." \
1445 -s "Deserializing connection..."
1446
1447requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1448run_test "Context serialization, both serialize, ChaChaPoly" \
1449 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1450 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1451 0 \
1452 -c "Deserializing connection..." \
1453 -s "Deserializing connection..."
1454
1455requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1456run_test "Context serialization, both serialize, GCM" \
1457 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1458 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1459 0 \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1460 -c "Deserializing connection..." \
1461 -s "Deserializing connection..."
1462
1463requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1464requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1465run_test "Context serialization, both serialize, with CID" \
1466 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1467 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1468 0 \
1469 -c "Deserializing connection..." \
1470 -s "Deserializing connection..."
1471
1472requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1473run_test "Context serialization, re-init, client serializes, CCM" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1474 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1475 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1476 0 \
1477 -c "Deserializing connection..." \
1478 -S "Deserializing connection..."
1479
1480requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1481run_test "Context serialization, re-init, client serializes, ChaChaPoly" \
1482 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1483 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1484 0 \
1485 -c "Deserializing connection..." \
1486 -S "Deserializing connection..."
1487
1488requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1489run_test "Context serialization, re-init, client serializes, GCM" \
1490 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1491 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1492 0 \
1493 -c "Deserializing connection..." \
1494 -S "Deserializing connection..."
1495
1496requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1497requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1498run_test "Context serialization, re-init, client serializes, with CID" \
1499 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1500 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1501 0 \
1502 -c "Deserializing connection..." \
1503 -S "Deserializing connection..."
1504
1505requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1506run_test "Context serialization, re-init, server serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1507 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1508 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1509 0 \
1510 -C "Deserializing connection..." \
1511 -s "Deserializing connection..."
1512
1513requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1514run_test "Context serialization, re-init, server serializes, ChaChaPoly" \
1515 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1516 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1517 0 \
1518 -C "Deserializing connection..." \
1519 -s "Deserializing connection..."
1520
1521requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1522run_test "Context serialization, re-init, server serializes, GCM" \
1523 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1524 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1525 0 \
1526 -C "Deserializing connection..." \
1527 -s "Deserializing connection..."
1528
1529requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1530requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1531run_test "Context serialization, re-init, server serializes, with CID" \
1532 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1533 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1534 0 \
1535 -C "Deserializing connection..." \
1536 -s "Deserializing connection..."
1537
1538requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1539run_test "Context serialization, re-init, both serialize, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1540 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1541 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1542 0 \
1543 -c "Deserializing connection..." \
1544 -s "Deserializing connection..."
1545
1546requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1547run_test "Context serialization, re-init, both serialize, ChaChaPoly" \
1548 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1549 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1550 0 \
1551 -c "Deserializing connection..." \
1552 -s "Deserializing connection..."
1553
1554requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1555run_test "Context serialization, re-init, both serialize, GCM" \
1556 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1557 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1558 0 \
1559 -c "Deserializing connection..." \
1560 -s "Deserializing connection..."
1561
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1562requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1563requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1564run_test "Context serialization, re-init, both serialize, with CID" \
1565 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1566 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1567 0 \
1568 -c "Deserializing connection..." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1569 -s "Deserializing connection..."
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1570
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1571# Tests for DTLS Connection ID extension
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1572
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1573# So far, the CID API isn't implemented, so we can't
1574# grep for output witnessing its use. This needs to be
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1575# changed once the CID extension is implemented.
Hanno Beckerad8e2c92019-05-08 13:19:53 +0100[diff] [blame]1576
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1577requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1578run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1579 "$P_SRV debug_level=3 dtls=1 cid=0" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1580 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1581 0 \
1582 -s "Disable use of CID extension." \
1583 -s "found CID extension" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1584 -s "Client sent CID extension, but CID disabled" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1585 -c "Enable use of CID extension." \
1586 -c "client hello, adding CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1587 -S "server hello, adding CID extension" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1588 -C "found CID extension" \
1589 -S "Copy CIDs into SSL transform" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1590 -C "Copy CIDs into SSL transform" \
1591 -c "Use of Connection ID was rejected by the server"
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1592
1593requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1594run_test "Connection ID: Cli disabled, Srv enabled" \
1595 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1596 "$P_CLI debug_level=3 dtls=1 cid=0" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1597 0 \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1598 -c "Disable use of CID extension." \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1599 -C "client hello, adding CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1600 -S "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1601 -s "Enable use of CID extension." \
1602 -S "server hello, adding CID extension" \
1603 -C "found CID extension" \
1604 -S "Copy CIDs into SSL transform" \
1605 -C "Copy CIDs into SSL transform" \
1606 -s "Use of Connection ID was not offered by client"
1607
1608requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1609run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
1610 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1611 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
1612 0 \
1613 -c "Enable use of CID extension." \
1614 -s "Enable use of CID extension." \
1615 -c "client hello, adding CID extension" \
1616 -s "found CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1617 -s "Use of CID extension negotiated" \
1618 -s "server hello, adding CID extension" \
1619 -c "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1620 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1621 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1622 -c "Copy CIDs into SSL transform" \
1623 -c "Peer CID (length 2 Bytes): de ad" \
1624 -s "Peer CID (length 2 Bytes): be ef" \
1625 -s "Use of Connection ID has been negotiated" \
1626 -c "Use of Connection ID has been negotiated"
1627
1628requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1629run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
1630 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
1631 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
1632 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
1633 0 \
1634 -c "Enable use of CID extension." \
1635 -s "Enable use of CID extension." \
1636 -c "client hello, adding CID extension" \
1637 -s "found CID extension" \
1638 -s "Use of CID extension negotiated" \
1639 -s "server hello, adding CID extension" \
1640 -c "found CID extension" \
1641 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1642 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1643 -c "Copy CIDs into SSL transform" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1644 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1645 -s "Peer CID (length 2 Bytes): be ef" \
1646 -s "Use of Connection ID has been negotiated" \
1647 -c "Use of Connection ID has been negotiated" \
1648 -c "ignoring unexpected CID" \
1649 -s "ignoring unexpected CID"
1650
1651requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1652run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
1653 -p "$P_PXY mtu=800" \
1654 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1655 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1656 0 \
1657 -c "Enable use of CID extension." \
1658 -s "Enable use of CID extension." \
1659 -c "client hello, adding CID extension" \
1660 -s "found CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1661 -s "Use of CID extension negotiated" \
1662 -s "server hello, adding CID extension" \
1663 -c "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1664 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1665 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1666 -c "Copy CIDs into SSL transform" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1667 -c "Peer CID (length 2 Bytes): de ad" \
1668 -s "Peer CID (length 2 Bytes): be ef" \
1669 -s "Use of Connection ID has been negotiated" \
1670 -c "Use of Connection ID has been negotiated"
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1671
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1672requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1673run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1674 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1675 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1676 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1677 0 \
1678 -c "Enable use of CID extension." \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1679 -s "Enable use of CID extension." \
1680 -c "client hello, adding CID extension" \
1681 -s "found CID extension" \
1682 -s "Use of CID extension negotiated" \
1683 -s "server hello, adding CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1684 -c "found CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1685 -c "Use of CID extension negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1686 -s "Copy CIDs into SSL transform" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1687 -c "Copy CIDs into SSL transform" \
1688 -c "Peer CID (length 2 Bytes): de ad" \
1689 -s "Peer CID (length 2 Bytes): be ef" \
1690 -s "Use of Connection ID has been negotiated" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1691 -c "Use of Connection ID has been negotiated" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1692 -c "ignoring unexpected CID" \
1693 -s "ignoring unexpected CID"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1694
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1695requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1696run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1697 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1698 "$P_CLI debug_level=3 dtls=1 cid=1" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1699 0 \
1700 -c "Enable use of CID extension." \
1701 -s "Enable use of CID extension." \
1702 -c "client hello, adding CID extension" \
1703 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1704 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1705 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1706 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1707 -c "Use of CID extension negotiated" \
1708 -s "Copy CIDs into SSL transform" \
1709 -c "Copy CIDs into SSL transform" \
1710 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1711 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1712 -s "Use of Connection ID has been negotiated" \
1713 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1714
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1715requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1716run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1717 "$P_SRV debug_level=3 dtls=1 cid=1" \
1718 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1719 0 \
1720 -c "Enable use of CID extension." \
1721 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1722 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1723 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1724 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1725 -s "server hello, adding CID extension" \
1726 -c "found CID extension" \
1727 -c "Use of CID extension negotiated" \
1728 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1729 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1730 -s "Peer CID (length 4 Bytes): de ad be ef" \
1731 -c "Peer CID (length 0 Bytes):" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1732 -s "Use of Connection ID has been negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1733 -c "Use of Connection ID has been negotiated"
1734
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1735requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1736run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1737 "$P_SRV debug_level=3 dtls=1 cid=1" \
1738 "$P_CLI debug_level=3 dtls=1 cid=1" \
1739 0 \
1740 -c "Enable use of CID extension." \
1741 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1742 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1743 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1744 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1745 -s "server hello, adding CID extension" \
1746 -c "found CID extension" \
1747 -c "Use of CID extension negotiated" \
1748 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1749 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1750 -S "Use of Connection ID has been negotiated" \
1751 -C "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1752
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1753requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1754run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1755 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1756 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1757 0 \
1758 -c "Enable use of CID extension." \
1759 -s "Enable use of CID extension." \
1760 -c "client hello, adding CID extension" \
1761 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1762 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1763 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1764 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1765 -c "Use of CID extension negotiated" \
1766 -s "Copy CIDs into SSL transform" \
1767 -c "Copy CIDs into SSL transform" \
1768 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1769 -s "Peer CID (length 2 Bytes): be ef" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1770 -s "Use of Connection ID has been negotiated" \
1771 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1772
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1773requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1774run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1775 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1776 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1777 0 \
1778 -c "Enable use of CID extension." \
1779 -s "Enable use of CID extension." \
1780 -c "client hello, adding CID extension" \
1781 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1782 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1783 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1784 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1785 -c "Use of CID extension negotiated" \
1786 -s "Copy CIDs into SSL transform" \
1787 -c "Copy CIDs into SSL transform" \
1788 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1789 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1790 -s "Use of Connection ID has been negotiated" \
1791 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1792
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1793requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1794run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1795 "$P_SRV debug_level=3 dtls=1 cid=1" \
1796 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1797 0 \
1798 -c "Enable use of CID extension." \
1799 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1800 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1801 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1802 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1803 -s "server hello, adding CID extension" \
1804 -c "found CID extension" \
1805 -c "Use of CID extension negotiated" \
1806 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1807 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1808 -s "Peer CID (length 4 Bytes): de ad be ef" \
1809 -c "Peer CID (length 0 Bytes):" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1810 -s "Use of Connection ID has been negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1811 -c "Use of Connection ID has been negotiated"
1812
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1813requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1814run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1815 "$P_SRV debug_level=3 dtls=1 cid=1" \
1816 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1817 0 \
1818 -c "Enable use of CID extension." \
1819 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1820 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1821 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1822 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1823 -s "server hello, adding CID extension" \
1824 -c "found CID extension" \
1825 -c "Use of CID extension negotiated" \
1826 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1827 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1828 -S "Use of Connection ID has been negotiated" \
1829 -C "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1830
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1831requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1832run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1833 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1834 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1835 0 \
1836 -c "Enable use of CID extension." \
1837 -s "Enable use of CID extension." \
1838 -c "client hello, adding CID extension" \
1839 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1840 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1841 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1842 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1843 -c "Use of CID extension negotiated" \
1844 -s "Copy CIDs into SSL transform" \
1845 -c "Copy CIDs into SSL transform" \
1846 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1847 -s "Peer CID (length 2 Bytes): be ef" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1848 -s "Use of Connection ID has been negotiated" \
1849 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1850
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1851requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1852run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1853 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1854 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1855 0 \
1856 -c "Enable use of CID extension." \
1857 -s "Enable use of CID extension." \
1858 -c "client hello, adding CID extension" \
1859 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1860 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1861 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1862 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1863 -c "Use of CID extension negotiated" \
1864 -s "Copy CIDs into SSL transform" \
1865 -c "Copy CIDs into SSL transform" \
1866 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1867 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1868 -s "Use of Connection ID has been negotiated" \
1869 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1870
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1871requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1872run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1873 "$P_SRV debug_level=3 dtls=1 cid=1" \
1874 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1875 0 \
1876 -c "Enable use of CID extension." \
1877 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1878 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1879 -s "found CID extension" \
Hanno Becker963cb352019-04-23 11:52:44 +0100[diff] [blame]1880 -s "Use of CID extension negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1881 -s "server hello, adding CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1882 -c "found CID extension" \
1883 -c "Use of CID extension negotiated" \
1884 -s "Copy CIDs into SSL transform" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1885 -c "Copy CIDs into SSL transform" \
1886 -s "Peer CID (length 4 Bytes): de ad be ef" \
1887 -c "Peer CID (length 0 Bytes):" \
1888 -s "Use of Connection ID has been negotiated" \
1889 -c "Use of Connection ID has been negotiated"
1890
1891requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1892run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
1893 "$P_SRV debug_level=3 dtls=1 cid=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1894 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1895 0 \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1896 -c "Enable use of CID extension." \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1897 -s "Enable use of CID extension." \
1898 -c "client hello, adding CID extension" \
1899 -s "found CID extension" \
1900 -s "Use of CID extension negotiated" \
1901 -s "server hello, adding CID extension" \
1902 -c "found CID extension" \
1903 -c "Use of CID extension negotiated" \
1904 -s "Copy CIDs into SSL transform" \
1905 -c "Copy CIDs into SSL transform" \
1906 -S "Use of Connection ID has been negotiated" \
1907 -C "Use of Connection ID has been negotiated"
1908
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1909requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1910requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1911run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
1912 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
1913 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
1914 0 \
1915 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1916 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1917 -s "(initial handshake) Use of Connection ID has been negotiated" \
1918 -c "(initial handshake) Use of Connection ID has been negotiated" \
1919 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1920 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1921 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1922 -c "(after renegotiation) Use of Connection ID has been negotiated"
1923
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1924requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1925requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1926run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1927 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1928 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1929 0 \
1930 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1931 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1932 -s "(initial handshake) Use of Connection ID has been negotiated" \
1933 -c "(initial handshake) Use of Connection ID has been negotiated" \
1934 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1935 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1936 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1937 -c "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1938
1939requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1940requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1941run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1942 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1943 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1944 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1945 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1946 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1947 -s "(initial handshake) Use of Connection ID has been negotiated" \
1948 -c "(initial handshake) Use of Connection ID has been negotiated" \
1949 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1950 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1951 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1952 -c "(after renegotiation) Use of Connection ID has been negotiated"
1953
1954requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1955requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1956run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1957 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1958 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1959 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1960 0 \
1961 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1962 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1963 -s "(initial handshake) Use of Connection ID has been negotiated" \
1964 -c "(initial handshake) Use of Connection ID has been negotiated" \
1965 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1966 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1967 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1968 -c "(after renegotiation) Use of Connection ID has been negotiated" \
1969 -c "ignoring unexpected CID" \
1970 -s "ignoring unexpected CID"
1971
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1972requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1973requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1974run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1975 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1976 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1977 0 \
1978 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1979 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1980 -s "(initial handshake) Use of Connection ID has been negotiated" \
1981 -c "(initial handshake) Use of Connection ID has been negotiated" \
1982 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1983 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1984 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1985 -S "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1986
1987requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1988requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1989run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1990 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1991 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1992 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1993 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1994 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1995 -s "(initial handshake) Use of Connection ID has been negotiated" \
1996 -c "(initial handshake) Use of Connection ID has been negotiated" \
1997 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1998 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1999 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2000 -S "(after renegotiation) Use of Connection ID has been negotiated"
2001
2002requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2003requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2004run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2005 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
2006 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2007 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2008 0 \
2009 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2010 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2011 -s "(initial handshake) Use of Connection ID has been negotiated" \
2012 -c "(initial handshake) Use of Connection ID has been negotiated" \
2013 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2014 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2015 -C "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2016 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2017 -c "ignoring unexpected CID" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2018 -s "ignoring unexpected CID"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2019
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2020requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2021requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2022run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
2023 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2024 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2025 0 \
2026 -S "(initial handshake) Use of Connection ID has been negotiated" \
2027 -C "(initial handshake) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2028 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2029 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2030 -c "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2031 -s "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2032
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2033requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2034requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2035run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
2036 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2037 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2038 0 \
2039 -S "(initial handshake) Use of Connection ID has been negotiated" \
2040 -C "(initial handshake) Use of Connection ID has been negotiated" \
2041 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2042 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2043 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2044 -s "(after renegotiation) Use of Connection ID has been negotiated"
2045
2046requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2047requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2048run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2049 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2050 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2051 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2052 0 \
2053 -S "(initial handshake) Use of Connection ID has been negotiated" \
2054 -C "(initial handshake) Use of Connection ID has been negotiated" \
2055 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2056 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2057 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2058 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2059 -c "ignoring unexpected CID" \
2060 -s "ignoring unexpected CID"
2061
2062requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2063requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2064run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
2065 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2066 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2067 0 \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2068 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2069 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2070 -s "(initial handshake) Use of Connection ID has been negotiated" \
2071 -c "(initial handshake) Use of Connection ID has been negotiated" \
2072 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2073 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2074 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2075 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2076 -s "(after renegotiation) Use of Connection ID was not offered by client"
2077
2078requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2079requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2080run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
2081 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
2082 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2083 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2084 0 \
2085 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2086 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2087 -s "(initial handshake) Use of Connection ID has been negotiated" \
2088 -c "(initial handshake) Use of Connection ID has been negotiated" \
2089 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2090 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2091 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2092 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2093 -s "(after renegotiation) Use of Connection ID was not offered by client" \
2094 -c "ignoring unexpected CID" \
2095 -s "ignoring unexpected CID"
2096
2097requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2098requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2099run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
2100 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]2101 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2102 0 \
2103 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2104 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2105 -s "(initial handshake) Use of Connection ID has been negotiated" \
2106 -c "(initial handshake) Use of Connection ID has been negotiated" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2107 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2108 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2109 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2110 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2111 -c "(after renegotiation) Use of Connection ID was rejected by the server"
2112
2113requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2114requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2115run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
2116 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2117 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2118 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2119 0 \
2120 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2121 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2122 -s "(initial handshake) Use of Connection ID has been negotiated" \
2123 -c "(initial handshake) Use of Connection ID has been negotiated" \
2124 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2125 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2126 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2127 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2128 -c "(after renegotiation) Use of Connection ID was rejected by the server" \
2129 -c "ignoring unexpected CID" \
2130 -s "ignoring unexpected CID"
2131
2132# Tests for Encrypt-then-MAC extension
2133
2134run_test "Encrypt then MAC: default" \
2135 "$P_SRV debug_level=3 \
2136 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2137 "$P_CLI debug_level=3" \
2138 0 \
2139 -c "client hello, adding encrypt_then_mac extension" \
2140 -s "found encrypt then mac extension" \
2141 -s "server hello, adding encrypt then mac extension" \
2142 -c "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2143 -c "using encrypt then mac" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2144 -s "using encrypt then mac"
2145
2146run_test "Encrypt then MAC: client enabled, server disabled" \
2147 "$P_SRV debug_level=3 etm=0 \
2148 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2149 "$P_CLI debug_level=3 etm=1" \
2150 0 \
2151 -c "client hello, adding encrypt_then_mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2152 -s "found encrypt then mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2153 -S "server hello, adding encrypt then mac extension" \
2154 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2155 -C "using encrypt then mac" \
2156 -S "using encrypt then mac"
2157
2158run_test "Encrypt then MAC: client enabled, aead cipher" \
2159 "$P_SRV debug_level=3 etm=1 \
2160 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
2161 "$P_CLI debug_level=3 etm=1" \
2162 0 \
2163 -c "client hello, adding encrypt_then_mac extension" \
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2164 -s "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2165 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2166 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2167 -C "using encrypt then mac" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2168 -S "using encrypt then mac"
2169
2170run_test "Encrypt then MAC: client enabled, stream cipher" \
2171 "$P_SRV debug_level=3 etm=1 \
2172 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2173 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2174 0 \
2175 -c "client hello, adding encrypt_then_mac extension" \
2176 -s "found encrypt then mac extension" \
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2177 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2178 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2179 -C "using encrypt then mac" \
2180 -S "using encrypt then mac"
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2181
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2182run_test "Encrypt then MAC: client disabled, server enabled" \
2183 "$P_SRV debug_level=3 etm=1 \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2184 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2185 "$P_CLI debug_level=3 etm=0" \
2186 0 \
2187 -C "client hello, adding encrypt_then_mac extension" \
2188 -S "found encrypt then mac extension" \
2189 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2190 -C "found encrypt_then_mac extension" \
2191 -C "using encrypt then mac" \
Jarno Lamsa31d940b2019-06-12 10:21:33 +0300[diff] [blame]2192 -S "using encrypt then mac"
2193
2194requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2195run_test "Encrypt then MAC: client SSLv3, server enabled" \
2196 "$P_SRV debug_level=3 min_version=ssl3 \
2197 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2198 "$P_CLI debug_level=3 force_version=ssl3" \
2199 0 \
2200 -C "client hello, adding encrypt_then_mac extension" \
2201 -S "found encrypt then mac extension" \
2202 -S "server hello, adding encrypt then mac extension" \
2203 -C "found encrypt_then_mac extension" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2204 -C "using encrypt then mac" \
2205 -S "using encrypt then mac"
2206
2207requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2208run_test "Encrypt then MAC: client enabled, server SSLv3" \
2209 "$P_SRV debug_level=3 force_version=ssl3 \
2210 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2211 "$P_CLI debug_level=3 min_version=ssl3" \
2212 0 \
2213 -c "client hello, adding encrypt_then_mac extension" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2214 -S "found encrypt then mac extension" \
2215 -S "server hello, adding encrypt then mac extension" \
2216 -C "found encrypt_then_mac extension" \
2217 -C "using encrypt then mac" \
2218 -S "using encrypt then mac"
2219
2220# Tests for Extended Master Secret extension
2221
2222run_test "Extended Master Secret: default (not enforcing)" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2223 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0 " \
2224 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]2225 0 \
2226 -c "client hello, adding extended_master_secret extension" \
2227 -s "found extended master secret extension" \
2228 -s "server hello, adding extended master secret extension" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2229 -c "found extended_master_secret extension" \
2230 -c "session hash for extended master secret" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2231 -s "session hash for extended master secret"
2232
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2233run_test "Extended Master Secret: both enabled, both enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2234 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2235 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2236 0 \
2237 -c "client hello, adding extended_master_secret extension" \
2238 -s "found extended master secret extension" \
2239 -s "server hello, adding extended master secret extension" \
2240 -c "found extended_master_secret extension" \
2241 -c "session hash for extended master secret" \
2242 -s "session hash for extended master secret"
2243
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2244run_test "Extended Master Secret: both enabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2245 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2246 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2247 0 \
2248 -c "client hello, adding extended_master_secret extension" \
2249 -s "found extended master secret extension" \
2250 -s "server hello, adding extended master secret extension" \
2251 -c "found extended_master_secret extension" \
2252 -c "session hash for extended master secret" \
2253 -s "session hash for extended master secret"
2254
2255run_test "Extended Master Secret: both enabled, server enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2256 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2257 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2258 0 \
2259 -c "client hello, adding extended_master_secret extension" \
2260 -s "found extended master secret extension" \
2261 -s "server hello, adding extended master secret extension" \
2262 -c "found extended_master_secret extension" \
2263 -c "session hash for extended master secret" \
2264 -s "session hash for extended master secret"
2265
2266run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2267 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2268 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2269 1 \
2270 -c "client hello, adding extended_master_secret extension" \
2271 -s "found extended master secret extension" \
2272 -S "server hello, adding extended master secret extension" \
2273 -C "found extended_master_secret extension" \
2274 -c "Peer not offering extended master secret, while it is enforced"
2275
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2276run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2277 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2278 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2279 1 \
2280 -C "client hello, adding extended_master_secret extension" \
2281 -S "found extended master secret extension" \
2282 -S "server hello, adding extended master secret extension" \
2283 -C "found extended_master_secret extension" \
2284 -s "Peer not offering extended master secret, while it is enforced"
2285
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2286run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2287 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2288 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2289 0 \
2290 -c "client hello, adding extended_master_secret extension" \
2291 -s "found extended master secret extension" \
2292 -S "server hello, adding extended master secret extension" \
2293 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2294 -C "session hash for extended master secret" \
2295 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2296
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2297run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2298 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2299 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2300 0 \
2301 -C "client hello, adding extended_master_secret extension" \
2302 -S "found extended master secret extension" \
2303 -S "server hello, adding extended master secret extension" \
2304 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2305 -C "session hash for extended master secret" \
2306 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2307
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2308run_test "Extended Master Secret: client disabled, server disabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2309 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2310 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2311 0 \
2312 -C "client hello, adding extended_master_secret extension" \
2313 -S "found extended master secret extension" \
2314 -S "server hello, adding extended master secret extension" \
2315 -C "found extended_master_secret extension" \
2316 -C "session hash for extended master secret" \
2317 -S "session hash for extended master secret"
2318
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2319requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2320run_test "Extended Master Secret: client SSLv3, server enabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2321 "$P_SRV debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2322 "$P_CLI debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2323 0 \
2324 -C "client hello, adding extended_master_secret extension" \
2325 -S "found extended master secret extension" \
2326 -S "server hello, adding extended master secret extension" \
2327 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2328 -C "session hash for extended master secret" \
2329 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2330
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2331requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2332run_test "Extended Master Secret: client enabled, server SSLv3" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2333 "$P_SRV debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2334 "$P_CLI debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2335 0 \
2336 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2337 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2338 -S "server hello, adding extended master secret extension" \
2339 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2340 -C "session hash for extended master secret" \
2341 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2342
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2343# Tests for FALLBACK_SCSV
2344
2345run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2346 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2347 "$P_CLI debug_level=3 force_version=tls1_1" \
2348 0 \
2349 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2350 -S "received FALLBACK_SCSV" \
2351 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2352 -C "is a fatal alert message (msg 86)"
2353
2354run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2355 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2356 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2357 0 \
2358 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2359 -S "received FALLBACK_SCSV" \
2360 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2361 -C "is a fatal alert message (msg 86)"
2362
2363run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2364 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2365 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2366 1 \
2367 -c "adding FALLBACK_SCSV" \
2368 -s "received FALLBACK_SCSV" \
2369 -s "inapropriate fallback" \
2370 -c "is a fatal alert message (msg 86)"
2371
2372run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2373 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2374 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2375 0 \
2376 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2377 -s "received FALLBACK_SCSV" \
2378 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2379 -C "is a fatal alert message (msg 86)"
2380
2381requires_openssl_with_fallback_scsv
2382run_test "Fallback SCSV: default, openssl server" \
2383 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2384 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2385 0 \
2386 -C "adding FALLBACK_SCSV" \
2387 -C "is a fatal alert message (msg 86)"
2388
2389requires_openssl_with_fallback_scsv
2390run_test "Fallback SCSV: enabled, openssl server" \
2391 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2392 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2393 1 \
2394 -c "adding FALLBACK_SCSV" \
2395 -c "is a fatal alert message (msg 86)"
2396
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2397requires_openssl_with_fallback_scsv
2398run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2399 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2400 "$O_CLI -tls1_1" \
2401 0 \
2402 -S "received FALLBACK_SCSV" \
2403 -S "inapropriate fallback"
2404
2405requires_openssl_with_fallback_scsv
2406run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2407 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2408 "$O_CLI -tls1_1 -fallback_scsv" \
2409 1 \
2410 -s "received FALLBACK_SCSV" \
2411 -s "inapropriate fallback"
2412
2413requires_openssl_with_fallback_scsv
2414run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2415 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2416 "$O_CLI -fallback_scsv" \
2417 0 \
2418 -s "received FALLBACK_SCSV" \
2419 -S "inapropriate fallback"
2420
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2421# Test sending and receiving empty application data records
2422
2423run_test "Encrypt then MAC: empty application data record" \
2424 "$P_SRV auth_mode=none debug_level=4 etm=1" \
2425 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
2426 0 \
2427 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2428 -s "dumping 'input payload after decrypt' (0 bytes)" \
2429 -c "0 bytes written in 1 fragments"
2430
2431run_test "Default, no Encrypt then MAC: empty application data record" \
2432 "$P_SRV auth_mode=none debug_level=4 etm=0" \
2433 "$P_CLI auth_mode=none etm=0 request_size=0" \
2434 0 \
2435 -s "dumping 'input payload after decrypt' (0 bytes)" \
2436 -c "0 bytes written in 1 fragments"
2437
2438run_test "Encrypt then MAC, DTLS: empty application data record" \
2439 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
2440 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
2441 0 \
2442 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2443 -s "dumping 'input payload after decrypt' (0 bytes)" \
2444 -c "0 bytes written in 1 fragments"
2445
2446run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
2447 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
2448 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
2449 0 \
2450 -s "dumping 'input payload after decrypt' (0 bytes)" \
2451 -c "0 bytes written in 1 fragments"
2452
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2453## ClientHello generated with
2454## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
2455## then manually twiddling the ciphersuite list.
2456## The ClientHello content is spelled out below as a hex string as
2457## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
2458## The expected response is an inappropriate_fallback alert.
2459requires_openssl_with_fallback_scsv
2460run_test "Fallback SCSV: beginning of list" \
2461 "$P_SRV debug_level=2" \
2462 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
2463 0 \
2464 -s "received FALLBACK_SCSV" \
2465 -s "inapropriate fallback"
2466
2467requires_openssl_with_fallback_scsv
2468run_test "Fallback SCSV: end of list" \
2469 "$P_SRV debug_level=2" \
2470 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
2471 0 \
2472 -s "received FALLBACK_SCSV" \
2473 -s "inapropriate fallback"
2474
2475## Here the expected response is a valid ServerHello prefix, up to the random.
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]2476## Due to the way the clienthello was generated, this currently needs the
2477## server to have support for session tickets.
2478requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2479requires_openssl_with_fallback_scsv
2480run_test "Fallback SCSV: not in list" \
2481 "$P_SRV debug_level=2" \
2482 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
2483 0 \
2484 -S "received FALLBACK_SCSV" \
2485 -S "inapropriate fallback"
2486
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2487# Tests for CBC 1/n-1 record splitting
2488
2489run_test "CBC Record splitting: TLS 1.2, no splitting" \
2490 "$P_SRV" \
2491 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2492 request_size=123 force_version=tls1_2" \
2493 0 \
2494 -s "Read from client: 123 bytes read" \
2495 -S "Read from client: 1 bytes read" \
2496 -S "122 bytes read"
2497
2498run_test "CBC Record splitting: TLS 1.1, no splitting" \
2499 "$P_SRV" \
2500 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2501 request_size=123 force_version=tls1_1" \
2502 0 \
2503 -s "Read from client: 123 bytes read" \
2504 -S "Read from client: 1 bytes read" \
2505 -S "122 bytes read"
2506
2507run_test "CBC Record splitting: TLS 1.0, splitting" \
2508 "$P_SRV" \
2509 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2510 request_size=123 force_version=tls1" \
2511 0 \
2512 -S "Read from client: 123 bytes read" \
2513 -s "Read from client: 1 bytes read" \
2514 -s "122 bytes read"
2515
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2516requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2517run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2518 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2519 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2520 request_size=123 force_version=ssl3" \
2521 0 \
2522 -S "Read from client: 123 bytes read" \
2523 -s "Read from client: 1 bytes read" \
2524 -s "122 bytes read"
2525
2526run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2527 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2528 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2529 request_size=123 force_version=tls1" \
2530 0 \
2531 -s "Read from client: 123 bytes read" \
2532 -S "Read from client: 1 bytes read" \
2533 -S "122 bytes read"
2534
2535run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
2536 "$P_SRV" \
2537 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2538 request_size=123 force_version=tls1 recsplit=0" \
2539 0 \
2540 -s "Read from client: 123 bytes read" \
2541 -S "Read from client: 1 bytes read" \
2542 -S "122 bytes read"
2543
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]2544run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
2545 "$P_SRV nbio=2" \
2546 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2547 request_size=123 force_version=tls1" \
2548 0 \
2549 -S "Read from client: 123 bytes read" \
2550 -s "Read from client: 1 bytes read" \
2551 -s "122 bytes read"
2552
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2553# Tests for Session Tickets
2554
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2555requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2556requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2557run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2558 "$P_SRV debug_level=3 tickets=1" \
2559 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2560 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2561 -c "client hello, adding session ticket extension" \
2562 -s "found session ticket extension" \
2563 -s "server hello, adding session ticket extension" \
2564 -c "found session_ticket extension" \
2565 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2566 -S "session successfully restored from cache" \
2567 -s "session successfully restored from ticket" \
2568 -s "a session has been resumed" \
2569 -c "a session has been resumed"
2570
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2571requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2572requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2573run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2574 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2575 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2576 0 \
2577 -c "client hello, adding session ticket extension" \
2578 -s "found session ticket extension" \
2579 -s "server hello, adding session ticket extension" \
2580 -c "found session_ticket extension" \
2581 -c "parse new session ticket" \
2582 -S "session successfully restored from cache" \
2583 -s "session successfully restored from ticket" \
2584 -s "a session has been resumed" \
2585 -c "a session has been resumed"
2586
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2587requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2588requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2589run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2590 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
2591 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2592 0 \
2593 -c "client hello, adding session ticket extension" \
2594 -s "found session ticket extension" \
2595 -s "server hello, adding session ticket extension" \
2596 -c "found session_ticket extension" \
2597 -c "parse new session ticket" \
2598 -S "session successfully restored from cache" \
2599 -S "session successfully restored from ticket" \
2600 -S "a session has been resumed" \
2601 -C "a session has been resumed"
2602
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2603requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2604requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2605run_test "Session resume using tickets: session copy" \
2606 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2607 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
2608 0 \
2609 -c "client hello, adding session ticket extension" \
2610 -s "found session ticket extension" \
2611 -s "server hello, adding session ticket extension" \
2612 -c "found session_ticket extension" \
2613 -c "parse new session ticket" \
2614 -S "session successfully restored from cache" \
2615 -s "session successfully restored from ticket" \
2616 -s "a session has been resumed" \
2617 -c "a session has been resumed"
2618
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2619requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2620requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2621run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2622 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2623 "$P_CLI debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2624 0 \
2625 -c "client hello, adding session ticket extension" \
2626 -c "found session_ticket extension" \
2627 -c "parse new session ticket" \
2628 -c "a session has been resumed"
2629
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2630requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2631requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2632run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2633 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2634 "( $O_CLI -sess_out $SESSION; \
2635 $O_CLI -sess_in $SESSION; \
2636 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2637 0 \
2638 -s "found session ticket extension" \
2639 -s "server hello, adding session ticket extension" \
2640 -S "session successfully restored from cache" \
2641 -s "session successfully restored from ticket" \
2642 -s "a session has been resumed"
2643
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2644# Tests for Session Tickets with DTLS
2645
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2646requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2647requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2648run_test "Session resume using tickets, DTLS: basic" \
2649 "$P_SRV debug_level=3 dtls=1 tickets=1" \
2650 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2651 0 \
2652 -c "client hello, adding session ticket extension" \
2653 -s "found session ticket extension" \
2654 -s "server hello, adding session ticket extension" \
2655 -c "found session_ticket extension" \
2656 -c "parse new session ticket" \
2657 -S "session successfully restored from cache" \
2658 -s "session successfully restored from ticket" \
2659 -s "a session has been resumed" \
2660 -c "a session has been resumed"
2661
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2662requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2663requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2664run_test "Session resume using tickets, DTLS: cache disabled" \
2665 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2666 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2667 0 \
2668 -c "client hello, adding session ticket extension" \
2669 -s "found session ticket extension" \
2670 -s "server hello, adding session ticket extension" \
2671 -c "found session_ticket extension" \
2672 -c "parse new session ticket" \
2673 -S "session successfully restored from cache" \
2674 -s "session successfully restored from ticket" \
2675 -s "a session has been resumed" \
2676 -c "a session has been resumed"
2677
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2678requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2679requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2680run_test "Session resume using tickets, DTLS: timeout" \
2681 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
2682 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
2683 0 \
2684 -c "client hello, adding session ticket extension" \
2685 -s "found session ticket extension" \
2686 -s "server hello, adding session ticket extension" \
2687 -c "found session_ticket extension" \
2688 -c "parse new session ticket" \
2689 -S "session successfully restored from cache" \
2690 -S "session successfully restored from ticket" \
2691 -S "a session has been resumed" \
2692 -C "a session has been resumed"
2693
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2694requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2695requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2696run_test "Session resume using tickets, DTLS: session copy" \
2697 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2698 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_mode=0" \
2699 0 \
2700 -c "client hello, adding session ticket extension" \
2701 -s "found session ticket extension" \
2702 -s "server hello, adding session ticket extension" \
2703 -c "found session_ticket extension" \
2704 -c "parse new session ticket" \
2705 -S "session successfully restored from cache" \
2706 -s "session successfully restored from ticket" \
2707 -s "a session has been resumed" \
2708 -c "a session has been resumed"
2709
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2710requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2711requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2712run_test "Session resume using tickets, DTLS: openssl server" \
2713 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2714 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2715 0 \
2716 -c "client hello, adding session ticket extension" \
2717 -c "found session_ticket extension" \
2718 -c "parse new session ticket" \
2719 -c "a session has been resumed"
2720
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2721requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2722requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2723run_test "Session resume using tickets, DTLS: openssl client" \
2724 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2725 "( $O_CLI -dtls1 -sess_out $SESSION; \
2726 $O_CLI -dtls1 -sess_in $SESSION; \
2727 rm -f $SESSION )" \
2728 0 \
2729 -s "found session ticket extension" \
2730 -s "server hello, adding session ticket extension" \
2731 -S "session successfully restored from cache" \
2732 -s "session successfully restored from ticket" \
2733 -s "a session has been resumed"
2734
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2735# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2736
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2737requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2738requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2739requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2740run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2741 "$P_SRV debug_level=3 tickets=0" \
2742 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2743 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2744 -c "client hello, adding session ticket extension" \
2745 -s "found session ticket extension" \
2746 -S "server hello, adding session ticket extension" \
2747 -C "found session_ticket extension" \
2748 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2749 -s "session successfully restored from cache" \
2750 -S "session successfully restored from ticket" \
2751 -s "a session has been resumed" \
2752 -c "a session has been resumed"
2753
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2754requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2755requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2756requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2757run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2758 "$P_SRV debug_level=3 tickets=1" \
2759 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2760 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2761 -C "client hello, adding session ticket extension" \
2762 -S "found session ticket extension" \
2763 -S "server hello, adding session ticket extension" \
2764 -C "found session_ticket extension" \
2765 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2766 -s "session successfully restored from cache" \
2767 -S "session successfully restored from ticket" \
2768 -s "a session has been resumed" \
2769 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2770
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2771requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2772requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2773run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2774 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
2775 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2776 0 \
2777 -S "session successfully restored from cache" \
2778 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2779 -S "a session has been resumed" \
2780 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2781
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2782requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2783requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2784run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2785 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
2786 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2787 0 \
2788 -s "session successfully restored from cache" \
2789 -S "session successfully restored from ticket" \
2790 -s "a session has been resumed" \
2791 -c "a session has been resumed"
2792
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2793requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2794requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]2795run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2796 "$P_SRV debug_level=3 tickets=0" \
2797 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2798 0 \
2799 -s "session successfully restored from cache" \
2800 -S "session successfully restored from ticket" \
2801 -s "a session has been resumed" \
2802 -c "a session has been resumed"
2803
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2804requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2805requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2806run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2807 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
2808 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2809 0 \
2810 -S "session successfully restored from cache" \
2811 -S "session successfully restored from ticket" \
2812 -S "a session has been resumed" \
2813 -C "a session has been resumed"
2814
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2815requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2816requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2817run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2818 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
2819 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2820 0 \
2821 -s "session successfully restored from cache" \
2822 -S "session successfully restored from ticket" \
2823 -s "a session has been resumed" \
2824 -c "a session has been resumed"
2825
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2826requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2827requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2828run_test "Session resume using cache: session copy" \
2829 "$P_SRV debug_level=3 tickets=0" \
2830 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
2831 0 \
2832 -s "session successfully restored from cache" \
2833 -S "session successfully restored from ticket" \
2834 -s "a session has been resumed" \
2835 -c "a session has been resumed"
2836
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2837requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2838requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2839run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2840 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2841 "( $O_CLI -sess_out $SESSION; \
2842 $O_CLI -sess_in $SESSION; \
2843 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2844 0 \
2845 -s "found session ticket extension" \
2846 -S "server hello, adding session ticket extension" \
2847 -s "session successfully restored from cache" \
2848 -S "session successfully restored from ticket" \
2849 -s "a session has been resumed"
2850
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2851requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2852requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2853run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2854 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2855 "$P_CLI debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2856 0 \
2857 -C "found session_ticket extension" \
2858 -C "parse new session ticket" \
2859 -c "a session has been resumed"
2860
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2861# Tests for Session Resume based on session-ID and cache, DTLS
2862
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2863requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2864requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2865requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2866run_test "Session resume using cache, DTLS: tickets enabled on client" \
2867 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2868 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
2869 0 \
2870 -c "client hello, adding session ticket extension" \
2871 -s "found session ticket extension" \
2872 -S "server hello, adding session ticket extension" \
2873 -C "found session_ticket extension" \
2874 -C "parse new session ticket" \
2875 -s "session successfully restored from cache" \
2876 -S "session successfully restored from ticket" \
2877 -s "a session has been resumed" \
2878 -c "a session has been resumed"
2879
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2880requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2881requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2882requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2883run_test "Session resume using cache, DTLS: tickets enabled on server" \
2884 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2885 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2886 0 \
2887 -C "client hello, adding session ticket extension" \
2888 -S "found session ticket extension" \
2889 -S "server hello, adding session ticket extension" \
2890 -C "found session_ticket extension" \
2891 -C "parse new session ticket" \
2892 -s "session successfully restored from cache" \
2893 -S "session successfully restored from ticket" \
2894 -s "a session has been resumed" \
2895 -c "a session has been resumed"
2896
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2897requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2898requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2899run_test "Session resume using cache, DTLS: cache_max=0" \
2900 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
2901 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2902 0 \
2903 -S "session successfully restored from cache" \
2904 -S "session successfully restored from ticket" \
2905 -S "a session has been resumed" \
2906 -C "a session has been resumed"
2907
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2908requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2909requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2910run_test "Session resume using cache, DTLS: cache_max=1" \
2911 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
2912 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2913 0 \
2914 -s "session successfully restored from cache" \
2915 -S "session successfully restored from ticket" \
2916 -s "a session has been resumed" \
2917 -c "a session has been resumed"
2918
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2919requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2920requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2921run_test "Session resume using cache, DTLS: timeout > delay" \
2922 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2923 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
2924 0 \
2925 -s "session successfully restored from cache" \
2926 -S "session successfully restored from ticket" \
2927 -s "a session has been resumed" \
2928 -c "a session has been resumed"
2929
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2930requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2931requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2932run_test "Session resume using cache, DTLS: timeout < delay" \
2933 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
2934 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2935 0 \
2936 -S "session successfully restored from cache" \
2937 -S "session successfully restored from ticket" \
2938 -S "a session has been resumed" \
2939 -C "a session has been resumed"
2940
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2941requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2942requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2943run_test "Session resume using cache, DTLS: no timeout" \
2944 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
2945 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2946 0 \
2947 -s "session successfully restored from cache" \
2948 -S "session successfully restored from ticket" \
2949 -s "a session has been resumed" \
2950 -c "a session has been resumed"
2951
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2952requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2953requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2954run_test "Session resume using cache, DTLS: session copy" \
2955 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2956 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
2957 0 \
2958 -s "session successfully restored from cache" \
2959 -S "session successfully restored from ticket" \
2960 -s "a session has been resumed" \
2961 -c "a session has been resumed"
2962
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2963requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2964requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2965run_test "Session resume using cache, DTLS: openssl client" \
2966 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2967 "( $O_CLI -dtls1 -sess_out $SESSION; \
2968 $O_CLI -dtls1 -sess_in $SESSION; \
2969 rm -f $SESSION )" \
2970 0 \
2971 -s "found session ticket extension" \
2972 -S "server hello, adding session ticket extension" \
2973 -s "session successfully restored from cache" \
2974 -S "session successfully restored from ticket" \
2975 -s "a session has been resumed"
2976
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2977requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2978requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2979run_test "Session resume using cache, DTLS: openssl server" \
2980 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2981 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2982 0 \
2983 -C "found session_ticket extension" \
2984 -C "parse new session ticket" \
2985 -c "a session has been resumed"
2986
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2987# Tests for Max Fragment Length extension
2988
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2989if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
Hanno Beckerab9a29b2019-09-24 16:14:39 +0100[diff] [blame^]2990 printf "The configuration defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n"
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]2991 exit 1
2992fi
2993
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2994if [ $MAX_CONTENT_LEN -ne 16384 ]; then
2995 printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
2996fi
2997
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]2998requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2999run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3000 "$P_SRV debug_level=3" \
3001 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3002 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3003 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3004 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3005 -C "client hello, adding max_fragment_length extension" \
3006 -S "found max fragment length extension" \
3007 -S "server hello, max_fragment_length extension" \
3008 -C "found max_fragment_length extension"
3009
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3010requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3011run_test "Max fragment length: enabled, default, larger message" \
3012 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3013 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3014 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3015 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3016 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3017 -C "client hello, adding max_fragment_length extension" \
3018 -S "found max fragment length extension" \
3019 -S "server hello, max_fragment_length extension" \
3020 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3021 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3022 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3023 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3024
3025requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3026run_test "Max fragment length, DTLS: enabled, default, larger message" \
3027 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3028 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3029 1 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3030 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3031 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3032 -C "client hello, adding max_fragment_length extension" \
3033 -S "found max fragment length extension" \
3034 -S "server hello, max_fragment_length extension" \
3035 -C "found max_fragment_length extension" \
3036 -c "fragment larger than.*maximum "
3037
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3038# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
3039# (session fragment length will be 16384 regardless of mbedtls
3040# content length configuration.)
3041
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3042requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3043run_test "Max fragment length: disabled, larger message" \
3044 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3045 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3046 0 \
3047 -C "Maximum fragment length is 16384" \
3048 -S "Maximum fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3049 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3050 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3051 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3052
3053requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3054run_test "Max fragment length DTLS: disabled, larger message" \
3055 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3056 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3057 1 \
3058 -C "Maximum fragment length is 16384" \
3059 -S "Maximum fragment length is 16384" \
3060 -c "fragment larger than.*maximum "
3061
3062requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3063run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3064 "$P_SRV debug_level=3" \
3065 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3066 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3067 -c "Maximum fragment length is 4096" \
3068 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3069 -c "client hello, adding max_fragment_length extension" \
3070 -s "found max fragment length extension" \
3071 -s "server hello, max_fragment_length extension" \
3072 -c "found max_fragment_length extension"
3073
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3074requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3075run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3076 "$P_SRV debug_level=3 max_frag_len=4096" \
3077 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3078 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3079 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3080 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3081 -C "client hello, adding max_fragment_length extension" \
3082 -S "found max fragment length extension" \
3083 -S "server hello, max_fragment_length extension" \
3084 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3085
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3086requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3087requires_gnutls
3088run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3089 "$G_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3090 "$P_CLI debug_level=3 max_frag_len=4096 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3091 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3092 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3093 -c "client hello, adding max_fragment_length extension" \
3094 -c "found max_fragment_length extension"
3095
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3096requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3097run_test "Max fragment length: client, message just fits" \
3098 "$P_SRV debug_level=3" \
3099 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
3100 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3101 -c "Maximum fragment length is 2048" \
3102 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3103 -c "client hello, adding max_fragment_length extension" \
3104 -s "found max fragment length extension" \
3105 -s "server hello, max_fragment_length extension" \
3106 -c "found max_fragment_length extension" \
3107 -c "2048 bytes written in 1 fragments" \
3108 -s "2048 bytes read"
3109
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3110requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3111run_test "Max fragment length: client, larger message" \
3112 "$P_SRV debug_level=3" \
3113 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
3114 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3115 -c "Maximum fragment length is 2048" \
3116 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3117 -c "client hello, adding max_fragment_length extension" \
3118 -s "found max fragment length extension" \
3119 -s "server hello, max_fragment_length extension" \
3120 -c "found max_fragment_length extension" \
3121 -c "2345 bytes written in 2 fragments" \
3122 -s "2048 bytes read" \
3123 -s "297 bytes read"
3124
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3125requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]3126run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3127 "$P_SRV debug_level=3 dtls=1" \
3128 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
3129 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3130 -c "Maximum fragment length is 2048" \
3131 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3132 -c "client hello, adding max_fragment_length extension" \
3133 -s "found max fragment length extension" \
3134 -s "server hello, max_fragment_length extension" \
3135 -c "found max_fragment_length extension" \
3136 -c "fragment larger than.*maximum"
3137
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3138# Tests for renegotiation
3139
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3140# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3141run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3142 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3143 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3144 0 \
3145 -C "client hello, adding renegotiation extension" \
3146 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3147 -S "found renegotiation extension" \
3148 -s "server hello, secure renegotiation extension" \
3149 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3150 -C "=> renegotiate" \
3151 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3152 -S "write hello request"
3153
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3154requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3155run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3156 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3157 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3158 0 \
3159 -c "client hello, adding renegotiation extension" \
3160 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3161 -s "found renegotiation extension" \
3162 -s "server hello, secure renegotiation extension" \
3163 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3164 -c "=> renegotiate" \
3165 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3166 -S "write hello request"
3167
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3168requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3169run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3170 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3171 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3172 0 \
3173 -c "client hello, adding renegotiation extension" \
3174 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3175 -s "found renegotiation extension" \
3176 -s "server hello, secure renegotiation extension" \
3177 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3178 -c "=> renegotiate" \
3179 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3180 -s "write hello request"
3181
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3182# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3183# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3184# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3185requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3186run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
3187 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
3188 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
3189 0 \
3190 -c "client hello, adding renegotiation extension" \
3191 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3192 -s "found renegotiation extension" \
3193 -s "server hello, secure renegotiation extension" \
3194 -c "found renegotiation extension" \
3195 -c "=> renegotiate" \
3196 -s "=> renegotiate" \
3197 -S "write hello request" \
3198 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3199
3200# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3201# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3202# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3203requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3204run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
3205 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
3206 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3207 0 \
3208 -c "client hello, adding renegotiation extension" \
3209 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3210 -s "found renegotiation extension" \
3211 -s "server hello, secure renegotiation extension" \
3212 -c "found renegotiation extension" \
3213 -c "=> renegotiate" \
3214 -s "=> renegotiate" \
3215 -s "write hello request" \
3216 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3217
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3218requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3219run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3220 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3221 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3222 0 \
3223 -c "client hello, adding renegotiation extension" \
3224 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3225 -s "found renegotiation extension" \
3226 -s "server hello, secure renegotiation extension" \
3227 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3228 -c "=> renegotiate" \
3229 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3230 -s "write hello request"
3231
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3232requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3233run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3234 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3235 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3236 1 \
3237 -c "client hello, adding renegotiation extension" \
3238 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3239 -S "found renegotiation extension" \
3240 -s "server hello, secure renegotiation extension" \
3241 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3242 -c "=> renegotiate" \
3243 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3244 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]3245 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3246 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3247
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3248requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3249run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3250 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3251 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3252 0 \
3253 -C "client hello, adding renegotiation extension" \
3254 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3255 -S "found renegotiation extension" \
3256 -s "server hello, secure renegotiation extension" \
3257 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3258 -C "=> renegotiate" \
3259 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3260 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]3261 -S "SSL - An unexpected message was received from our peer" \
3262 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3263
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3264requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3265run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3266 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3267 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3268 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3269 0 \
3270 -C "client hello, adding renegotiation extension" \
3271 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3272 -S "found renegotiation extension" \
3273 -s "server hello, secure renegotiation extension" \
3274 -c "found renegotiation extension" \
3275 -C "=> renegotiate" \
3276 -S "=> renegotiate" \
3277 -s "write hello request" \
3278 -S "SSL - An unexpected message was received from our peer" \
3279 -S "failed"
3280
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3281# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3282requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3283run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3284 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3285 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3286 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3287 0 \
3288 -C "client hello, adding renegotiation extension" \
3289 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3290 -S "found renegotiation extension" \
3291 -s "server hello, secure renegotiation extension" \
3292 -c "found renegotiation extension" \
3293 -C "=> renegotiate" \
3294 -S "=> renegotiate" \
3295 -s "write hello request" \
3296 -S "SSL - An unexpected message was received from our peer" \
3297 -S "failed"
3298
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3299requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3300run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3301 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3302 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3303 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3304 0 \
3305 -C "client hello, adding renegotiation extension" \
3306 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3307 -S "found renegotiation extension" \
3308 -s "server hello, secure renegotiation extension" \
3309 -c "found renegotiation extension" \
3310 -C "=> renegotiate" \
3311 -S "=> renegotiate" \
3312 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3313 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3314
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3315requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3316run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3317 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3318 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3319 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3320 0 \
3321 -c "client hello, adding renegotiation extension" \
3322 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3323 -s "found renegotiation extension" \
3324 -s "server hello, secure renegotiation extension" \
3325 -c "found renegotiation extension" \
3326 -c "=> renegotiate" \
3327 -s "=> renegotiate" \
3328 -s "write hello request" \
3329 -S "SSL - An unexpected message was received from our peer" \
3330 -S "failed"
3331
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3332requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3333run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3334 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3335 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3336 0 \
3337 -C "client hello, adding renegotiation extension" \
3338 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3339 -S "found renegotiation extension" \
3340 -s "server hello, secure renegotiation extension" \
3341 -c "found renegotiation extension" \
3342 -S "record counter limit reached: renegotiate" \
3343 -C "=> renegotiate" \
3344 -S "=> renegotiate" \
3345 -S "write hello request" \
3346 -S "SSL - An unexpected message was received from our peer" \
3347 -S "failed"
3348
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3349# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3350requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3351run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3352 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3353 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3354 0 \
3355 -c "client hello, adding renegotiation extension" \
3356 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3357 -s "found renegotiation extension" \
3358 -s "server hello, secure renegotiation extension" \
3359 -c "found renegotiation extension" \
3360 -s "record counter limit reached: renegotiate" \
3361 -c "=> renegotiate" \
3362 -s "=> renegotiate" \
3363 -s "write hello request" \
3364 -S "SSL - An unexpected message was received from our peer" \
3365 -S "failed"
3366
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3367requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3368run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3369 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3370 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3371 0 \
3372 -c "client hello, adding renegotiation extension" \
3373 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3374 -s "found renegotiation extension" \
3375 -s "server hello, secure renegotiation extension" \
3376 -c "found renegotiation extension" \
3377 -s "record counter limit reached: renegotiate" \
3378 -c "=> renegotiate" \
3379 -s "=> renegotiate" \
3380 -s "write hello request" \
3381 -S "SSL - An unexpected message was received from our peer" \
3382 -S "failed"
3383
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3384requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3385run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3386 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3387 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
3388 0 \
3389 -C "client hello, adding renegotiation extension" \
3390 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3391 -S "found renegotiation extension" \
3392 -s "server hello, secure renegotiation extension" \
3393 -c "found renegotiation extension" \
3394 -S "record counter limit reached: renegotiate" \
3395 -C "=> renegotiate" \
3396 -S "=> renegotiate" \
3397 -S "write hello request" \
3398 -S "SSL - An unexpected message was received from our peer" \
3399 -S "failed"
3400
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3401requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3402run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3403 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3404 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3405 0 \
3406 -c "client hello, adding renegotiation extension" \
3407 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3408 -s "found renegotiation extension" \
3409 -s "server hello, secure renegotiation extension" \
3410 -c "found renegotiation extension" \
3411 -c "=> renegotiate" \
3412 -s "=> renegotiate" \
3413 -S "write hello request"
3414
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3415requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3416run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3417 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3418 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3419 0 \
3420 -c "client hello, adding renegotiation extension" \
3421 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3422 -s "found renegotiation extension" \
3423 -s "server hello, secure renegotiation extension" \
3424 -c "found renegotiation extension" \
3425 -c "=> renegotiate" \
3426 -s "=> renegotiate" \
3427 -s "write hello request"
3428
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3429requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3430run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3431 "$O_SRV -www" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3432 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3433 0 \
3434 -c "client hello, adding renegotiation extension" \
3435 -c "found renegotiation extension" \
3436 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3437 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3438 -C "error" \
3439 -c "HTTP/1.0 200 [Oo][Kk]"
3440
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3441requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3442requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3443run_test "Renegotiation: gnutls server strict, client-initiated" \
3444 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3445 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3446 0 \
3447 -c "client hello, adding renegotiation extension" \
3448 -c "found renegotiation extension" \
3449 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3450 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3451 -C "error" \
3452 -c "HTTP/1.0 200 [Oo][Kk]"
3453
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3454requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3455requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3456run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
3457 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3458 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3459 1 \
3460 -c "client hello, adding renegotiation extension" \
3461 -C "found renegotiation extension" \
3462 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3463 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3464 -c "error" \
3465 -C "HTTP/1.0 200 [Oo][Kk]"
3466
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3467requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3468requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3469run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
3470 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3471 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3472 allow_legacy=0" \
3473 1 \
3474 -c "client hello, adding renegotiation extension" \
3475 -C "found renegotiation extension" \
3476 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3477 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3478 -c "error" \
3479 -C "HTTP/1.0 200 [Oo][Kk]"
3480
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3481requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3482requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3483run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
3484 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3485 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3486 allow_legacy=1" \
3487 0 \
3488 -c "client hello, adding renegotiation extension" \
3489 -C "found renegotiation extension" \
3490 -c "=> renegotiate" \
3491 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3492 -C "error" \
3493 -c "HTTP/1.0 200 [Oo][Kk]"
3494
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3495requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]3496run_test "Renegotiation: DTLS, client-initiated" \
3497 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
3498 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
3499 0 \
3500 -c "client hello, adding renegotiation extension" \
3501 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3502 -s "found renegotiation extension" \
3503 -s "server hello, secure renegotiation extension" \
3504 -c "found renegotiation extension" \
3505 -c "=> renegotiate" \
3506 -s "=> renegotiate" \
3507 -S "write hello request"
3508
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3509requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3510run_test "Renegotiation: DTLS, server-initiated" \
3511 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]3512 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
3513 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3514 0 \
3515 -c "client hello, adding renegotiation extension" \
3516 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3517 -s "found renegotiation extension" \
3518 -s "server hello, secure renegotiation extension" \
3519 -c "found renegotiation extension" \
3520 -c "=> renegotiate" \
3521 -s "=> renegotiate" \
3522 -s "write hello request"
3523
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3524requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3525run_test "Renegotiation: DTLS, renego_period overflow" \
3526 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
3527 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
3528 0 \
3529 -c "client hello, adding renegotiation extension" \
3530 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3531 -s "found renegotiation extension" \
3532 -s "server hello, secure renegotiation extension" \
3533 -s "record counter limit reached: renegotiate" \
3534 -c "=> renegotiate" \
3535 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3536 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3537
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3538requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3539requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3540run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
3541 "$G_SRV -u --mtu 4096" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3542 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3543 0 \
3544 -c "client hello, adding renegotiation extension" \
3545 -c "found renegotiation extension" \
3546 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3547 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3548 -C "error" \
3549 -s "Extra-header:"
3550
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3551# Test for the "secure renegotation" extension only (no actual renegotiation)
3552
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3553requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3554run_test "Renego ext: gnutls server strict, client default" \
3555 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3556 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3557 0 \
3558 -c "found renegotiation extension" \
3559 -C "error" \
3560 -c "HTTP/1.0 200 [Oo][Kk]"
3561
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3562requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3563run_test "Renego ext: gnutls server unsafe, client default" \
3564 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3565 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3566 0 \
3567 -C "found renegotiation extension" \
3568 -C "error" \
3569 -c "HTTP/1.0 200 [Oo][Kk]"
3570
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3571requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3572run_test "Renego ext: gnutls server unsafe, client break legacy" \
3573 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3574 "$P_CLI debug_level=3 allow_legacy=-1" \
3575 1 \
3576 -C "found renegotiation extension" \
3577 -c "error" \
3578 -C "HTTP/1.0 200 [Oo][Kk]"
3579
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3580requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3581run_test "Renego ext: gnutls client strict, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3582 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3583 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3584 0 \
3585 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3586 -s "server hello, secure renegotiation extension"
3587
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3588requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3589run_test "Renego ext: gnutls client unsafe, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3590 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3591 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3592 0 \
3593 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3594 -S "server hello, secure renegotiation extension"
3595
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3596requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3597run_test "Renego ext: gnutls client unsafe, server break legacy" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3598 "$P_SRV debug_level=3 allow_legacy=-1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3599 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3600 1 \
3601 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3602 -S "server hello, secure renegotiation extension"
3603
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3604# Tests for silently dropping trailing extra bytes in .der certificates
3605
3606requires_gnutls
3607run_test "DER format: no trailing bytes" \
3608 "$P_SRV crt_file=data_files/server5-der0.crt \
3609 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3610 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3611 0 \
3612 -c "Handshake was completed" \
3613
3614requires_gnutls
3615run_test "DER format: with a trailing zero byte" \
3616 "$P_SRV crt_file=data_files/server5-der1a.crt \
3617 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3618 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3619 0 \
3620 -c "Handshake was completed" \
3621
3622requires_gnutls
3623run_test "DER format: with a trailing random byte" \
3624 "$P_SRV crt_file=data_files/server5-der1b.crt \
3625 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3626 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3627 0 \
3628 -c "Handshake was completed" \
3629
3630requires_gnutls
3631run_test "DER format: with 2 trailing random bytes" \
3632 "$P_SRV crt_file=data_files/server5-der2.crt \
3633 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3634 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3635 0 \
3636 -c "Handshake was completed" \
3637
3638requires_gnutls
3639run_test "DER format: with 4 trailing random bytes" \
3640 "$P_SRV crt_file=data_files/server5-der4.crt \
3641 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3642 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3643 0 \
3644 -c "Handshake was completed" \
3645
3646requires_gnutls
3647run_test "DER format: with 8 trailing random bytes" \
3648 "$P_SRV crt_file=data_files/server5-der8.crt \
3649 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3650 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3651 0 \
3652 -c "Handshake was completed" \
3653
3654requires_gnutls
3655run_test "DER format: with 9 trailing random bytes" \
3656 "$P_SRV crt_file=data_files/server5-der9.crt \
3657 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3658 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3659 0 \
3660 -c "Handshake was completed" \
3661
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3662# Tests for auth_mode
3663
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3664requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3665requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3666run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3667 "$P_SRV crt_file=data_files/server5-badsign.crt \
3668 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3669 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3670 1 \
3671 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3672 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3673 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3674 -c "X509 - Certificate verification failed"
3675
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3676requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3677requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3678run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3679 "$P_SRV crt_file=data_files/server5-badsign.crt \
3680 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3681 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3682 0 \
3683 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3684 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3685 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3686 -C "X509 - Certificate verification failed"
3687
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3688requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3689requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3690run_test "Authentication: server goodcert, client optional, no trusted CA" \
3691 "$P_SRV" \
3692 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
3693 0 \
3694 -c "x509_verify_cert() returned" \
3695 -c "! The certificate is not correctly signed by the trusted CA" \
3696 -c "! Certificate verification flags"\
3697 -C "! mbedtls_ssl_handshake returned" \
3698 -C "X509 - Certificate verification failed" \
3699 -C "SSL - No CA Chain is set, but required to operate"
3700
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3701requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3702requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3703run_test "Authentication: server goodcert, client required, no trusted CA" \
3704 "$P_SRV" \
3705 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
3706 1 \
3707 -c "x509_verify_cert() returned" \
3708 -c "! The certificate is not correctly signed by the trusted CA" \
3709 -c "! Certificate verification flags"\
3710 -c "! mbedtls_ssl_handshake returned" \
3711 -c "SSL - No CA Chain is set, but required to operate"
3712
3713# The purpose of the next two tests is to test the client's behaviour when receiving a server
3714# certificate with an unsupported elliptic curve. This should usually not happen because
3715# the client informs the server about the supported curves - it does, though, in the
3716# corner case of a static ECDH suite, because the server doesn't check the curve on that
3717# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
3718# different means to have the server ignoring the client's supported curve list.
3719
3720requires_config_enabled MBEDTLS_ECP_C
3721run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
3722 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3723 crt_file=data_files/server5.ku-ka.crt" \
3724 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
3725 1 \
3726 -c "bad certificate (EC key curve)"\
3727 -c "! Certificate verification flags"\
3728 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
3729
3730requires_config_enabled MBEDTLS_ECP_C
3731run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
3732 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3733 crt_file=data_files/server5.ku-ka.crt" \
3734 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
3735 1 \
3736 -c "bad certificate (EC key curve)"\
3737 -c "! Certificate verification flags"\
3738 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
3739
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3740run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]3741 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3742 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3743 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3744 0 \
3745 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3746 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3747 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3748 -C "X509 - Certificate verification failed"
3749
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3750run_test "Authentication: client SHA256, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3751 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3752 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3753 key_file=data_files/server6.key \
3754 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
3755 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3756 -c "Supported Signature Algorithm found: 5,"
3757
3758run_test "Authentication: client SHA384, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3759 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3760 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3761 key_file=data_files/server6.key \
3762 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
3763 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3764 -c "Supported Signature Algorithm found: 5,"
3765
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3766requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3767run_test "Authentication: client has no cert, server required (SSLv3)" \
3768 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
3769 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
3770 key_file=data_files/server5.key" \
3771 1 \
3772 -S "skip write certificate request" \
3773 -C "skip parse certificate request" \
3774 -c "got a certificate request" \
3775 -c "got no certificate to send" \
3776 -S "x509_verify_cert() returned" \
3777 -s "client has no certificate" \
3778 -s "! mbedtls_ssl_handshake returned" \
3779 -c "! mbedtls_ssl_handshake returned" \
3780 -s "No client certification received from the client, but required by the authentication mode"
3781
3782run_test "Authentication: client has no cert, server required (TLS)" \
3783 "$P_SRV debug_level=3 auth_mode=required" \
3784 "$P_CLI debug_level=3 crt_file=none \
3785 key_file=data_files/server5.key" \
3786 1 \
3787 -S "skip write certificate request" \
3788 -C "skip parse certificate request" \
3789 -c "got a certificate request" \
3790 -c "= write certificate$" \
3791 -C "skip write certificate$" \
3792 -S "x509_verify_cert() returned" \
3793 -s "client has no certificate" \
3794 -s "! mbedtls_ssl_handshake returned" \
3795 -c "! mbedtls_ssl_handshake returned" \
3796 -s "No client certification received from the client, but required by the authentication mode"
3797
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3798requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3799requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3800run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3801 "$P_SRV debug_level=3 auth_mode=required" \
3802 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3803 key_file=data_files/server5.key" \
3804 1 \
3805 -S "skip write certificate request" \
3806 -C "skip parse certificate request" \
3807 -c "got a certificate request" \
3808 -C "skip write certificate" \
3809 -C "skip write certificate verify" \
3810 -S "skip parse certificate verify" \
3811 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3812 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3813 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3814 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3815 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3816 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3817# We don't check that the client receives the alert because it might
3818# detect that its write end of the connection is closed and abort
3819# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3820
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3821requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3822requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]3823run_test "Authentication: client cert not trusted, server required" \
3824 "$P_SRV debug_level=3 auth_mode=required" \
3825 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
3826 key_file=data_files/server5.key" \
3827 1 \
3828 -S "skip write certificate request" \
3829 -C "skip parse certificate request" \
3830 -c "got a certificate request" \
3831 -C "skip write certificate" \
3832 -C "skip write certificate verify" \
3833 -S "skip parse certificate verify" \
3834 -s "x509_verify_cert() returned" \
3835 -s "! The certificate is not correctly signed by the trusted CA" \
3836 -s "! mbedtls_ssl_handshake returned" \
3837 -c "! mbedtls_ssl_handshake returned" \
3838 -s "X509 - Certificate verification failed"
3839
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3840requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3841requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3842run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3843 "$P_SRV debug_level=3 auth_mode=optional" \
3844 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3845 key_file=data_files/server5.key" \
3846 0 \
3847 -S "skip write certificate request" \
3848 -C "skip parse certificate request" \
3849 -c "got a certificate request" \
3850 -C "skip write certificate" \
3851 -C "skip write certificate verify" \
3852 -S "skip parse certificate verify" \
3853 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3854 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3855 -S "! mbedtls_ssl_handshake returned" \
3856 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3857 -S "X509 - Certificate verification failed"
3858
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3859run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3860 "$P_SRV debug_level=3 auth_mode=none" \
3861 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3862 key_file=data_files/server5.key" \
3863 0 \
3864 -s "skip write certificate request" \
3865 -C "skip parse certificate request" \
3866 -c "got no certificate request" \
3867 -c "skip write certificate" \
3868 -c "skip write certificate verify" \
3869 -s "skip parse certificate verify" \
3870 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3871 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3872 -S "! mbedtls_ssl_handshake returned" \
3873 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3874 -S "X509 - Certificate verification failed"
3875
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3876requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3877requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3878run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3879 "$P_SRV debug_level=3 auth_mode=optional" \
3880 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3881 0 \
3882 -S "skip write certificate request" \
3883 -C "skip parse certificate request" \
3884 -c "got a certificate request" \
3885 -C "skip write certificate$" \
3886 -C "got no certificate to send" \
3887 -S "SSLv3 client has no certificate" \
3888 -c "skip write certificate verify" \
3889 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3890 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3891 -S "! mbedtls_ssl_handshake returned" \
3892 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3893 -S "X509 - Certificate verification failed"
3894
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3895requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3896requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3897run_test "Authentication: openssl client no cert, server optional" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3898 "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3899 "$O_CLI" \
3900 0 \
3901 -S "skip write certificate request" \
3902 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3903 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3904 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3905 -S "X509 - Certificate verification failed"
3906
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3907run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3908 "$O_SRV -verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3909 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3910 0 \
3911 -C "skip parse certificate request" \
3912 -c "got a certificate request" \
3913 -C "skip write certificate$" \
3914 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3915 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3916
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3917run_test "Authentication: client no cert, openssl server required" \
3918 "$O_SRV -Verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3919 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3920 1 \
3921 -C "skip parse certificate request" \
3922 -c "got a certificate request" \
3923 -C "skip write certificate$" \
3924 -c "skip write certificate verify" \
3925 -c "! mbedtls_ssl_handshake returned"
3926
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3927requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]3928requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3929requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3930run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3931 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3932 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3933 0 \
3934 -S "skip write certificate request" \
3935 -C "skip parse certificate request" \
3936 -c "got a certificate request" \
3937 -C "skip write certificate$" \
3938 -c "skip write certificate verify" \
3939 -c "got no certificate to send" \
3940 -s "SSLv3 client has no certificate" \
3941 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3942 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3943 -S "! mbedtls_ssl_handshake returned" \
3944 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3945 -S "X509 - Certificate verification failed"
3946
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]3947# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
3948# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3949
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3950MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3951MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3952
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3953if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Hanno Beckerab9a29b2019-09-24 16:14:39 +0100[diff] [blame^]3954 printf "The configuration file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3955 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3956 printf "test value of ${MAX_IM_CA}. \n"
3957 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3958 printf "The tests assume this value and if it changes, the tests in this\n"
3959 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3960 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3961
3962 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3963fi
3964
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3965requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3966run_test "Authentication: server max_int chain, client default" \
3967 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
3968 key_file=data_files/dir-maxpath/09.key" \
3969 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
3970 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3971 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3972
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3973requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3974run_test "Authentication: server max_int+1 chain, client default" \
3975 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3976 key_file=data_files/dir-maxpath/10.key" \
3977 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
3978 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3979 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3980
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3981requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3982run_test "Authentication: server max_int+1 chain, client optional" \
3983 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3984 key_file=data_files/dir-maxpath/10.key" \
3985 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
3986 auth_mode=optional" \
3987 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3988 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3989
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3990requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3991run_test "Authentication: server max_int+1 chain, client none" \
3992 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3993 key_file=data_files/dir-maxpath/10.key" \
3994 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
3995 auth_mode=none" \
3996 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3997 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3998
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3999requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4000run_test "Authentication: client max_int+1 chain, server default" \
4001 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
4002 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4003 key_file=data_files/dir-maxpath/10.key" \
4004 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4005 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4006
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4007requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4008run_test "Authentication: client max_int+1 chain, server optional" \
4009 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4010 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4011 key_file=data_files/dir-maxpath/10.key" \
4012 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4013 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4014
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4015requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4016run_test "Authentication: client max_int+1 chain, server required" \
4017 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4018 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4019 key_file=data_files/dir-maxpath/10.key" \
4020 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4021 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4022
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4023requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4024run_test "Authentication: client max_int chain, server required" \
4025 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4026 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4027 key_file=data_files/dir-maxpath/09.key" \
4028 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4029 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4030
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4031# Tests for CA list in CertificateRequest messages
4032
4033run_test "Authentication: send CA list in CertificateRequest (default)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4034 "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4035 "$P_CLI crt_file=data_files/server6.crt \
4036 key_file=data_files/server6.key" \
4037 0 \
4038 -s "requested DN"
4039
4040run_test "Authentication: do not send CA list in CertificateRequest" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4041 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0 ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4042 "$P_CLI crt_file=data_files/server6.crt \
4043 key_file=data_files/server6.key" \
4044 0 \
4045 -S "requested DN"
4046
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4047requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4048requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4049run_test "Authentication: send CA list in CertificateRequest, client self signed" \
4050 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4051 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4052 key_file=data_files/server5.key" \
4053 1 \
4054 -S "requested DN" \
4055 -s "x509_verify_cert() returned" \
4056 -s "! The certificate is not correctly signed by the trusted CA" \
4057 -s "! mbedtls_ssl_handshake returned" \
4058 -c "! mbedtls_ssl_handshake returned" \
4059 -s "X509 - Certificate verification failed"
4060
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4061# Tests for certificate selection based on SHA verson
4062
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4063requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4064requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4065run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
4066 "$P_SRV crt_file=data_files/server5.crt \
4067 key_file=data_files/server5.key \
4068 crt_file2=data_files/server5-sha1.crt \
4069 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4070 "$P_CLI force_version=tls1_2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4071 0 \
4072 -c "signed using.*ECDSA with SHA256" \
4073 -C "signed using.*ECDSA with SHA1"
4074
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4075requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4076requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4077run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
4078 "$P_SRV crt_file=data_files/server5.crt \
4079 key_file=data_files/server5.key \
4080 crt_file2=data_files/server5-sha1.crt \
4081 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4082 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4083 0 \
4084 -C "signed using.*ECDSA with SHA256" \
4085 -c "signed using.*ECDSA with SHA1"
4086
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4087requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4088requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4089run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
4090 "$P_SRV crt_file=data_files/server5.crt \
4091 key_file=data_files/server5.key \
4092 crt_file2=data_files/server5-sha1.crt \
4093 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4094 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4095 0 \
4096 -C "signed using.*ECDSA with SHA256" \
4097 -c "signed using.*ECDSA with SHA1"
4098
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4099requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4100requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4101run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
4102 "$P_SRV crt_file=data_files/server5.crt \
4103 key_file=data_files/server5.key \
4104 crt_file2=data_files/server6.crt \
4105 key_file2=data_files/server6.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4106 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4107 0 \
4108 -c "serial number.*09" \
4109 -c "signed using.*ECDSA with SHA256" \
4110 -C "signed using.*ECDSA with SHA1"
4111
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4112requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4113requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4114run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
4115 "$P_SRV crt_file=data_files/server6.crt \
4116 key_file=data_files/server6.key \
4117 crt_file2=data_files/server5.crt \
4118 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4119 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4120 0 \
4121 -c "serial number.*0A" \
4122 -c "signed using.*ECDSA with SHA256" \
4123 -C "signed using.*ECDSA with SHA1"
4124
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4125# tests for SNI
4126
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4127requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4128requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4129run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4130 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4131 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4132 "$P_CLI server_name=localhost ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4133 0 \
4134 -S "parse ServerName extension" \
4135 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4136 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4137
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4138requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4139requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4140requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4141run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4142 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4143 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4144 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4145 "$P_CLI server_name=localhost ca_file=data_files/test-ca.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4146 0 \
4147 -s "parse ServerName extension" \
4148 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4149 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4150
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4151requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4152requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4153requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4154run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4155 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4156 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4157 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4158 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4159 0 \
4160 -s "parse ServerName extension" \
4161 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4162 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4163
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4164requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4165run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4166 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4167 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4168 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4169 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4170 1 \
4171 -s "parse ServerName extension" \
4172 -s "ssl_sni_wrapper() returned" \
4173 -s "mbedtls_ssl_handshake returned" \
4174 -c "mbedtls_ssl_handshake returned" \
4175 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4176
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4177run_test "SNI: client auth no override: optional" \
4178 "$P_SRV debug_level=3 auth_mode=optional \
4179 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4180 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4181 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4182 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4183 -S "skip write certificate request" \
4184 -C "skip parse certificate request" \
4185 -c "got a certificate request" \
4186 -C "skip write certificate" \
4187 -C "skip write certificate verify" \
4188 -S "skip parse certificate verify"
4189
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4190requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4191run_test "SNI: client auth override: none -> optional" \
4192 "$P_SRV debug_level=3 auth_mode=none \
4193 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4194 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4195 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4196 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4197 -S "skip write certificate request" \
4198 -C "skip parse certificate request" \
4199 -c "got a certificate request" \
4200 -C "skip write certificate" \
4201 -C "skip write certificate verify" \
4202 -S "skip parse certificate verify"
4203
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4204requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4205run_test "SNI: client auth override: optional -> none" \
4206 "$P_SRV debug_level=3 auth_mode=optional \
4207 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4208 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4209 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4210 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4211 -s "skip write certificate request" \
4212 -C "skip parse certificate request" \
4213 -c "got no certificate request" \
4214 -c "skip write certificate" \
4215 -c "skip write certificate verify" \
4216 -s "skip parse certificate verify"
4217
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4218requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4219requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4220requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4221run_test "SNI: CA no override" \
4222 "$P_SRV debug_level=3 auth_mode=optional \
4223 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4224 ca_file=data_files/test-ca.crt \
4225 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4226 "$P_CLI debug_level=3 server_name=localhost \
4227 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4228 1 \
4229 -S "skip write certificate request" \
4230 -C "skip parse certificate request" \
4231 -c "got a certificate request" \
4232 -C "skip write certificate" \
4233 -C "skip write certificate verify" \
4234 -S "skip parse certificate verify" \
4235 -s "x509_verify_cert() returned" \
4236 -s "! The certificate is not correctly signed by the trusted CA" \
4237 -S "The certificate has been revoked (is on a CRL)"
4238
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4239requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4240requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4241requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4242run_test "SNI: CA override" \
4243 "$P_SRV debug_level=3 auth_mode=optional \
4244 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4245 ca_file=data_files/test-ca.crt \
4246 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4247 "$P_CLI debug_level=3 server_name=localhost \
4248 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4249 0 \
4250 -S "skip write certificate request" \
4251 -C "skip parse certificate request" \
4252 -c "got a certificate request" \
4253 -C "skip write certificate" \
4254 -C "skip write certificate verify" \
4255 -S "skip parse certificate verify" \
4256 -S "x509_verify_cert() returned" \
4257 -S "! The certificate is not correctly signed by the trusted CA" \
4258 -S "The certificate has been revoked (is on a CRL)"
4259
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4260requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4261requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4262requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4263run_test "SNI: CA override with CRL" \
4264 "$P_SRV debug_level=3 auth_mode=optional \
4265 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4266 ca_file=data_files/test-ca.crt \
4267 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4268 "$P_CLI debug_level=3 server_name=localhost \
4269 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4270 1 \
4271 -S "skip write certificate request" \
4272 -C "skip parse certificate request" \
4273 -c "got a certificate request" \
4274 -C "skip write certificate" \
4275 -C "skip write certificate verify" \
4276 -S "skip parse certificate verify" \
4277 -s "x509_verify_cert() returned" \
4278 -S "! The certificate is not correctly signed by the trusted CA" \
4279 -s "The certificate has been revoked (is on a CRL)"
4280
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4281# Tests for SNI and DTLS
4282
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4283requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4284requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4285run_test "SNI: DTLS, no SNI callback" \
4286 "$P_SRV debug_level=3 dtls=1 \
4287 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4288 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca2.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4289 0 \
4290 -S "parse ServerName extension" \
4291 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4292 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4293
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4294requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4295requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4296requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4297run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4298 "$P_SRV debug_level=3 dtls=1 \
4299 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4300 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4301 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca.crt" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4302 0 \
4303 -s "parse ServerName extension" \
4304 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4305 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4306
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4307requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4308requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4309requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4310run_test "SNI: DTLS, matching cert 2" \
4311 "$P_SRV debug_level=3 dtls=1 \
4312 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4313 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4314 "$P_CLI server_name=polarssl.example dtls=1 ca_file=data_files/test-ca.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4315 0 \
4316 -s "parse ServerName extension" \
4317 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4318 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4319
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4320requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4321run_test "SNI: DTLS, no matching cert" \
4322 "$P_SRV debug_level=3 dtls=1 \
4323 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4324 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4325 "$P_CLI server_name=nonesuch.example dtls=1" \
4326 1 \
4327 -s "parse ServerName extension" \
4328 -s "ssl_sni_wrapper() returned" \
4329 -s "mbedtls_ssl_handshake returned" \
4330 -c "mbedtls_ssl_handshake returned" \
4331 -c "SSL - A fatal alert message was received from our peer"
4332
4333run_test "SNI: DTLS, client auth no override: optional" \
4334 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4335 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4336 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4337 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4338 0 \
4339 -S "skip write certificate request" \
4340 -C "skip parse certificate request" \
4341 -c "got a certificate request" \
4342 -C "skip write certificate" \
4343 -C "skip write certificate verify" \
4344 -S "skip parse certificate verify"
4345
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4346requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4347run_test "SNI: DTLS, client auth override: none -> optional" \
4348 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
4349 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4350 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4351 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4352 0 \
4353 -S "skip write certificate request" \
4354 -C "skip parse certificate request" \
4355 -c "got a certificate request" \
4356 -C "skip write certificate" \
4357 -C "skip write certificate verify" \
4358 -S "skip parse certificate verify"
4359
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4360requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4361run_test "SNI: DTLS, client auth override: optional -> none" \
4362 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4363 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4364 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4365 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4366 0 \
4367 -s "skip write certificate request" \
4368 -C "skip parse certificate request" \
4369 -c "got no certificate request" \
4370 -c "skip write certificate" \
4371 -c "skip write certificate verify" \
4372 -s "skip parse certificate verify"
4373
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4374requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4375requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4376requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4377run_test "SNI: DTLS, CA no override" \
4378 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4379 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4380 ca_file=data_files/test-ca.crt \
4381 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4382 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4383 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4384 1 \
4385 -S "skip write certificate request" \
4386 -C "skip parse certificate request" \
4387 -c "got a certificate request" \
4388 -C "skip write certificate" \
4389 -C "skip write certificate verify" \
4390 -S "skip parse certificate verify" \
4391 -s "x509_verify_cert() returned" \
4392 -s "! The certificate is not correctly signed by the trusted CA" \
4393 -S "The certificate has been revoked (is on a CRL)"
4394
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4395requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4396run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4397 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4398 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4399 ca_file=data_files/test-ca.crt \
4400 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4401 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4402 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4403 0 \
4404 -S "skip write certificate request" \
4405 -C "skip parse certificate request" \
4406 -c "got a certificate request" \
4407 -C "skip write certificate" \
4408 -C "skip write certificate verify" \
4409 -S "skip parse certificate verify" \
4410 -S "x509_verify_cert() returned" \
4411 -S "! The certificate is not correctly signed by the trusted CA" \
4412 -S "The certificate has been revoked (is on a CRL)"
4413
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4414requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4415requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4416requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4417run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4418 "$P_SRV debug_level=3 auth_mode=optional \
4419 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
4420 ca_file=data_files/test-ca.crt \
4421 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4422 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4423 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4424 1 \
4425 -S "skip write certificate request" \
4426 -C "skip parse certificate request" \
4427 -c "got a certificate request" \
4428 -C "skip write certificate" \
4429 -C "skip write certificate verify" \
4430 -S "skip parse certificate verify" \
4431 -s "x509_verify_cert() returned" \
4432 -S "! The certificate is not correctly signed by the trusted CA" \
4433 -s "The certificate has been revoked (is on a CRL)"
4434
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4435# Tests for non-blocking I/O: exercise a variety of handshake flows
4436
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4437run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4438 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4439 "$P_CLI nbio=2 tickets=0" \
4440 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4441 -S "mbedtls_ssl_handshake returned" \
4442 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4443 -c "Read from server: .* bytes read"
4444
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4445run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4446 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
4447 "$P_CLI nbio=2 tickets=0" \
4448 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4449 -S "mbedtls_ssl_handshake returned" \
4450 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4451 -c "Read from server: .* bytes read"
4452
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4453run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4454 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4455 "$P_CLI nbio=2 tickets=1" \
4456 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4457 -S "mbedtls_ssl_handshake returned" \
4458 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4459 -c "Read from server: .* bytes read"
4460
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4461run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4462 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4463 "$P_CLI nbio=2 tickets=1" \
4464 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4465 -S "mbedtls_ssl_handshake returned" \
4466 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4467 -c "Read from server: .* bytes read"
4468
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4469run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4470 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4471 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4472 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4473 -S "mbedtls_ssl_handshake returned" \
4474 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4475 -c "Read from server: .* bytes read"
4476
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4477run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4478 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4479 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4480 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4481 -S "mbedtls_ssl_handshake returned" \
4482 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4483 -c "Read from server: .* bytes read"
4484
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4485run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4486 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4487 "$P_CLI nbio=2 tickets=0 reconnect=1" \
4488 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4489 -S "mbedtls_ssl_handshake returned" \
4490 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4491 -c "Read from server: .* bytes read"
4492
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]4493# Tests for event-driven I/O: exercise a variety of handshake flows
4494
4495run_test "Event-driven I/O: basic handshake" \
4496 "$P_SRV event=1 tickets=0 auth_mode=none" \
4497 "$P_CLI event=1 tickets=0" \
4498 0 \
4499 -S "mbedtls_ssl_handshake returned" \
4500 -C "mbedtls_ssl_handshake returned" \
4501 -c "Read from server: .* bytes read"
4502
4503run_test "Event-driven I/O: client auth" \
4504 "$P_SRV event=1 tickets=0 auth_mode=required" \
4505 "$P_CLI event=1 tickets=0" \
4506 0 \
4507 -S "mbedtls_ssl_handshake returned" \
4508 -C "mbedtls_ssl_handshake returned" \
4509 -c "Read from server: .* bytes read"
4510
4511run_test "Event-driven I/O: ticket" \
4512 "$P_SRV event=1 tickets=1 auth_mode=none" \
4513 "$P_CLI event=1 tickets=1" \
4514 0 \
4515 -S "mbedtls_ssl_handshake returned" \
4516 -C "mbedtls_ssl_handshake returned" \
4517 -c "Read from server: .* bytes read"
4518
4519run_test "Event-driven I/O: ticket + client auth" \
4520 "$P_SRV event=1 tickets=1 auth_mode=required" \
4521 "$P_CLI event=1 tickets=1" \
4522 0 \
4523 -S "mbedtls_ssl_handshake returned" \
4524 -C "mbedtls_ssl_handshake returned" \
4525 -c "Read from server: .* bytes read"
4526
4527run_test "Event-driven I/O: ticket + client auth + resume" \
4528 "$P_SRV event=1 tickets=1 auth_mode=required" \
4529 "$P_CLI event=1 tickets=1 reconnect=1" \
4530 0 \
4531 -S "mbedtls_ssl_handshake returned" \
4532 -C "mbedtls_ssl_handshake returned" \
4533 -c "Read from server: .* bytes read"
4534
4535run_test "Event-driven I/O: ticket + resume" \
4536 "$P_SRV event=1 tickets=1 auth_mode=none" \
4537 "$P_CLI event=1 tickets=1 reconnect=1" \
4538 0 \
4539 -S "mbedtls_ssl_handshake returned" \
4540 -C "mbedtls_ssl_handshake returned" \
4541 -c "Read from server: .* bytes read"
4542
4543run_test "Event-driven I/O: session-id resume" \
4544 "$P_SRV event=1 tickets=0 auth_mode=none" \
4545 "$P_CLI event=1 tickets=0 reconnect=1" \
4546 0 \
4547 -S "mbedtls_ssl_handshake returned" \
4548 -C "mbedtls_ssl_handshake returned" \
4549 -c "Read from server: .* bytes read"
4550
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4551run_test "Event-driven I/O, DTLS: basic handshake" \
4552 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4553 "$P_CLI dtls=1 event=1 tickets=0" \
4554 0 \
4555 -c "Read from server: .* bytes read"
4556
4557run_test "Event-driven I/O, DTLS: client auth" \
4558 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4559 "$P_CLI dtls=1 event=1 tickets=0" \
4560 0 \
4561 -c "Read from server: .* bytes read"
4562
4563run_test "Event-driven I/O, DTLS: ticket" \
4564 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4565 "$P_CLI dtls=1 event=1 tickets=1" \
4566 0 \
4567 -c "Read from server: .* bytes read"
4568
4569run_test "Event-driven I/O, DTLS: ticket + client auth" \
4570 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4571 "$P_CLI dtls=1 event=1 tickets=1" \
4572 0 \
4573 -c "Read from server: .* bytes read"
4574
4575run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
4576 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4577 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4578 0 \
4579 -c "Read from server: .* bytes read"
4580
4581run_test "Event-driven I/O, DTLS: ticket + resume" \
4582 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4583 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4584 0 \
4585 -c "Read from server: .* bytes read"
4586
4587run_test "Event-driven I/O, DTLS: session-id resume" \
4588 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4589 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4590 0 \
4591 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4592
4593# This test demonstrates the need for the mbedtls_ssl_check_pending function.
4594# During session resumption, the client will send its ApplicationData record
4595# within the same datagram as the Finished messages. In this situation, the
4596# server MUST NOT idle on the underlying transport after handshake completion,
4597# because the ApplicationData request has already been queued internally.
4598run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]4599 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4600 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4601 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4602 0 \
4603 -c "Read from server: .* bytes read"
4604
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4605# Tests for version negotiation
4606
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4607run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4608 "$P_SRV" \
4609 "$P_CLI" \
4610 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4611 -S "mbedtls_ssl_handshake returned" \
4612 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4613 -s "Protocol is TLSv1.2" \
4614 -c "Protocol is TLSv1.2"
4615
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4616run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4617 "$P_SRV" \
4618 "$P_CLI max_version=tls1_1" \
4619 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4620 -S "mbedtls_ssl_handshake returned" \
4621 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4622 -s "Protocol is TLSv1.1" \
4623 -c "Protocol is TLSv1.1"
4624
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4625run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4626 "$P_SRV max_version=tls1_1" \
4627 "$P_CLI" \
4628 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4629 -S "mbedtls_ssl_handshake returned" \
4630 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4631 -s "Protocol is TLSv1.1" \
4632 -c "Protocol is TLSv1.1"
4633
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4634run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4635 "$P_SRV max_version=tls1_1" \
4636 "$P_CLI max_version=tls1_1" \
4637 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4638 -S "mbedtls_ssl_handshake returned" \
4639 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4640 -s "Protocol is TLSv1.1" \
4641 -c "Protocol is TLSv1.1"
4642
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4643run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4644 "$P_SRV min_version=tls1_1" \
4645 "$P_CLI max_version=tls1_1" \
4646 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4647 -S "mbedtls_ssl_handshake returned" \
4648 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4649 -s "Protocol is TLSv1.1" \
4650 -c "Protocol is TLSv1.1"
4651
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4652run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4653 "$P_SRV max_version=tls1_1" \
4654 "$P_CLI min_version=tls1_1" \
4655 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4656 -S "mbedtls_ssl_handshake returned" \
4657 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4658 -s "Protocol is TLSv1.1" \
4659 -c "Protocol is TLSv1.1"
4660
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4661run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4662 "$P_SRV max_version=tls1_1" \
4663 "$P_CLI min_version=tls1_2" \
4664 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4665 -s "mbedtls_ssl_handshake returned" \
4666 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4667 -c "SSL - Handshake protocol not within min/max boundaries"
4668
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4669run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4670 "$P_SRV min_version=tls1_2" \
4671 "$P_CLI max_version=tls1_1" \
4672 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4673 -s "mbedtls_ssl_handshake returned" \
4674 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4675 -s "SSL - Handshake protocol not within min/max boundaries"
4676
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4677# Tests for ALPN extension
4678
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4679run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4680 "$P_SRV debug_level=3" \
4681 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4682 0 \
4683 -C "client hello, adding alpn extension" \
4684 -S "found alpn extension" \
4685 -C "got an alert message, type: \\[2:120]" \
4686 -S "server hello, adding alpn extension" \
4687 -C "found alpn extension " \
4688 -C "Application Layer Protocol is" \
4689 -S "Application Layer Protocol is"
4690
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4691run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4692 "$P_SRV debug_level=3" \
4693 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4694 0 \
4695 -c "client hello, adding alpn extension" \
4696 -s "found alpn extension" \
4697 -C "got an alert message, type: \\[2:120]" \
4698 -S "server hello, adding alpn extension" \
4699 -C "found alpn extension " \
4700 -c "Application Layer Protocol is (none)" \
4701 -S "Application Layer Protocol is"
4702
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4703run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4704 "$P_SRV debug_level=3 alpn=abc,1234" \
4705 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4706 0 \
4707 -C "client hello, adding alpn extension" \
4708 -S "found alpn extension" \
4709 -C "got an alert message, type: \\[2:120]" \
4710 -S "server hello, adding alpn extension" \
4711 -C "found alpn extension " \
4712 -C "Application Layer Protocol is" \
4713 -s "Application Layer Protocol is (none)"
4714
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4715run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4716 "$P_SRV debug_level=3 alpn=abc,1234" \
4717 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4718 0 \
4719 -c "client hello, adding alpn extension" \
4720 -s "found alpn extension" \
4721 -C "got an alert message, type: \\[2:120]" \
4722 -s "server hello, adding alpn extension" \
4723 -c "found alpn extension" \
4724 -c "Application Layer Protocol is abc" \
4725 -s "Application Layer Protocol is abc"
4726
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4727run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4728 "$P_SRV debug_level=3 alpn=abc,1234" \
4729 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4730 0 \
4731 -c "client hello, adding alpn extension" \
4732 -s "found alpn extension" \
4733 -C "got an alert message, type: \\[2:120]" \
4734 -s "server hello, adding alpn extension" \
4735 -c "found alpn extension" \
4736 -c "Application Layer Protocol is abc" \
4737 -s "Application Layer Protocol is abc"
4738
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4739run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4740 "$P_SRV debug_level=3 alpn=abc,1234" \
4741 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4742 0 \
4743 -c "client hello, adding alpn extension" \
4744 -s "found alpn extension" \
4745 -C "got an alert message, type: \\[2:120]" \
4746 -s "server hello, adding alpn extension" \
4747 -c "found alpn extension" \
4748 -c "Application Layer Protocol is 1234" \
4749 -s "Application Layer Protocol is 1234"
4750
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4751run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4752 "$P_SRV debug_level=3 alpn=abc,123" \
4753 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4754 1 \
4755 -c "client hello, adding alpn extension" \
4756 -s "found alpn extension" \
4757 -c "got an alert message, type: \\[2:120]" \
4758 -S "server hello, adding alpn extension" \
4759 -C "found alpn extension" \
4760 -C "Application Layer Protocol is 1234" \
4761 -S "Application Layer Protocol is 1234"
4762
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]4763
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4764# Tests for keyUsage in leaf certificates, part 1:
4765# server-side certificate/suite selection
4766
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4767run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4768 "$P_SRV key_file=data_files/server2.key \
4769 crt_file=data_files/server2.ku-ds.crt" \
4770 "$P_CLI" \
4771 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]4772 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4773
4774
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4775run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4776 "$P_SRV key_file=data_files/server2.key \
4777 crt_file=data_files/server2.ku-ke.crt" \
4778 "$P_CLI" \
4779 0 \
4780 -c "Ciphersuite is TLS-RSA-WITH-"
4781
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4782run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4783 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4784 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4785 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4786 1 \
4787 -C "Ciphersuite is "
4788
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4789run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4790 "$P_SRV key_file=data_files/server5.key \
4791 crt_file=data_files/server5.ku-ds.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4792 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4793 0 \
4794 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
4795
4796
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4797run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4798 "$P_SRV key_file=data_files/server5.key \
4799 crt_file=data_files/server5.ku-ka.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4800 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4801 0 \
4802 -c "Ciphersuite is TLS-ECDH-"
4803
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4804run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4805 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4806 crt_file=data_files/server5.ku-ke.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4807 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4808 1 \
4809 -C "Ciphersuite is "
4810
4811# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4812# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4813
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4814run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4815 "$O_SRV -key data_files/server2.key \
4816 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4817 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4818 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4819 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4820 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4821 -C "Processing of the Certificate handshake message failed" \
4822 -c "Ciphersuite is TLS-"
4823
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4824run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4825 "$O_SRV -key data_files/server2.key \
4826 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4827 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4828 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4829 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4830 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4831 -C "Processing of the Certificate handshake message failed" \
4832 -c "Ciphersuite is TLS-"
4833
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4834run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4835 "$O_SRV -key data_files/server2.key \
4836 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4837 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4838 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4839 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4840 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4841 -C "Processing of the Certificate handshake message failed" \
4842 -c "Ciphersuite is TLS-"
4843
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4844run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4845 "$O_SRV -key data_files/server2.key \
4846 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4847 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4848 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4849 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4850 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4851 -c "Processing of the Certificate handshake message failed" \
4852 -C "Ciphersuite is TLS-"
4853
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4854requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4855requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4856run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
4857 "$O_SRV -key data_files/server2.key \
4858 -cert data_files/server2.ku-ke.crt" \
4859 "$P_CLI debug_level=1 auth_mode=optional \
4860 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4861 0 \
4862 -c "bad certificate (usage extensions)" \
4863 -C "Processing of the Certificate handshake message failed" \
4864 -c "Ciphersuite is TLS-" \
4865 -c "! Usage does not match the keyUsage extension"
4866
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4867run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4868 "$O_SRV -key data_files/server2.key \
4869 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4870 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4871 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4872 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4873 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4874 -C "Processing of the Certificate handshake message failed" \
4875 -c "Ciphersuite is TLS-"
4876
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4877run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4878 "$O_SRV -key data_files/server2.key \
4879 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4880 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4881 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4882 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4883 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4884 -c "Processing of the Certificate handshake message failed" \
4885 -C "Ciphersuite is TLS-"
4886
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4887requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4888requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4889run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
4890 "$O_SRV -key data_files/server2.key \
4891 -cert data_files/server2.ku-ds.crt" \
4892 "$P_CLI debug_level=1 auth_mode=optional \
4893 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4894 0 \
4895 -c "bad certificate (usage extensions)" \
4896 -C "Processing of the Certificate handshake message failed" \
4897 -c "Ciphersuite is TLS-" \
4898 -c "! Usage does not match the keyUsage extension"
4899
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4900# Tests for keyUsage in leaf certificates, part 3:
4901# server-side checking of client cert
4902
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4903run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4904 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4905 "$O_CLI -key data_files/server2.key \
4906 -cert data_files/server2.ku-ds.crt" \
4907 0 \
4908 -S "bad certificate (usage extensions)" \
4909 -S "Processing of the Certificate handshake message failed"
4910
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4911run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4912 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4913 "$O_CLI -key data_files/server2.key \
4914 -cert data_files/server2.ku-ke.crt" \
4915 0 \
4916 -s "bad certificate (usage extensions)" \
4917 -S "Processing of the Certificate handshake message failed"
4918
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4919run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4920 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4921 "$O_CLI -key data_files/server2.key \
4922 -cert data_files/server2.ku-ke.crt" \
4923 1 \
4924 -s "bad certificate (usage extensions)" \
4925 -s "Processing of the Certificate handshake message failed"
4926
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4927run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4928 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4929 "$O_CLI -key data_files/server5.key \
4930 -cert data_files/server5.ku-ds.crt" \
4931 0 \
4932 -S "bad certificate (usage extensions)" \
4933 -S "Processing of the Certificate handshake message failed"
4934
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4935run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4936 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4937 "$O_CLI -key data_files/server5.key \
4938 -cert data_files/server5.ku-ka.crt" \
4939 0 \
4940 -s "bad certificate (usage extensions)" \
4941 -S "Processing of the Certificate handshake message failed"
4942
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4943# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
4944
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4945run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4946 "$P_SRV key_file=data_files/server5.key \
4947 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4948 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4949 0
4950
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4951run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4952 "$P_SRV key_file=data_files/server5.key \
4953 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4954 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4955 0
4956
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4957run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4958 "$P_SRV key_file=data_files/server5.key \
4959 crt_file=data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4960 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4961 0
4962
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4963run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]4964 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4965 crt_file=data_files/server5.eku-cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4966 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4967 1
4968
4969# Tests for extendedKeyUsage, part 2: client-side checking of server cert
4970
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4971run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4972 "$O_SRV -key data_files/server5.key \
4973 -cert data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4974 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4975 0 \
4976 -C "bad certificate (usage extensions)" \
4977 -C "Processing of the Certificate handshake message failed" \
4978 -c "Ciphersuite is TLS-"
4979
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4980run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4981 "$O_SRV -key data_files/server5.key \
4982 -cert data_files/server5.eku-srv_cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4983 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4984 0 \
4985 -C "bad certificate (usage extensions)" \
4986 -C "Processing of the Certificate handshake message failed" \
4987 -c "Ciphersuite is TLS-"
4988
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4989run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4990 "$O_SRV -key data_files/server5.key \
4991 -cert data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4992 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4993 0 \
4994 -C "bad certificate (usage extensions)" \
4995 -C "Processing of the Certificate handshake message failed" \
4996 -c "Ciphersuite is TLS-"
4997
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4998run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4999 "$O_SRV -key data_files/server5.key \
5000 -cert data_files/server5.eku-cs.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5001 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5002 1 \
5003 -c "bad certificate (usage extensions)" \
5004 -c "Processing of the Certificate handshake message failed" \
5005 -C "Ciphersuite is TLS-"
5006
5007# Tests for extendedKeyUsage, part 3: server-side checking of client cert
5008
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5009run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5010 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5011 "$O_CLI -key data_files/server5.key \
5012 -cert data_files/server5.eku-cli.crt" \
5013 0 \
5014 -S "bad certificate (usage extensions)" \
5015 -S "Processing of the Certificate handshake message failed"
5016
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5017run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5018 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5019 "$O_CLI -key data_files/server5.key \
5020 -cert data_files/server5.eku-srv_cli.crt" \
5021 0 \
5022 -S "bad certificate (usage extensions)" \
5023 -S "Processing of the Certificate handshake message failed"
5024
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5025run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5026 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5027 "$O_CLI -key data_files/server5.key \
5028 -cert data_files/server5.eku-cs_any.crt" \
5029 0 \
5030 -S "bad certificate (usage extensions)" \
5031 -S "Processing of the Certificate handshake message failed"
5032
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5033run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5034 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5035 "$O_CLI -key data_files/server5.key \
5036 -cert data_files/server5.eku-cs.crt" \
5037 0 \
5038 -s "bad certificate (usage extensions)" \
5039 -S "Processing of the Certificate handshake message failed"
5040
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5041run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5042 "$P_SRV debug_level=1 auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5043 "$O_CLI -key data_files/server5.key \
5044 -cert data_files/server5.eku-cs.crt" \
5045 1 \
5046 -s "bad certificate (usage extensions)" \
5047 -s "Processing of the Certificate handshake message failed"
5048
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5049# Tests for DHM parameters loading
5050
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5051run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5052 "$P_SRV" \
5053 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5054 debug_level=3" \
5055 0 \
5056 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]5057 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5058
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5059run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5060 "$P_SRV dhm_file=data_files/dhparams.pem" \
5061 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5062 debug_level=3" \
5063 0 \
5064 -c "value of 'DHM: P ' (1024 bits)" \
5065 -c "value of 'DHM: G ' (2 bits)"
5066
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5067# Tests for DHM client-side size checking
5068
5069run_test "DHM size: server default, client default, OK" \
5070 "$P_SRV" \
5071 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5072 debug_level=1" \
5073 0 \
5074 -C "DHM prime too short:"
5075
5076run_test "DHM size: server default, client 2048, OK" \
5077 "$P_SRV" \
5078 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5079 debug_level=1 dhmlen=2048" \
5080 0 \
5081 -C "DHM prime too short:"
5082
5083run_test "DHM size: server 1024, client default, OK" \
5084 "$P_SRV dhm_file=data_files/dhparams.pem" \
5085 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5086 debug_level=1" \
5087 0 \
5088 -C "DHM prime too short:"
5089
5090run_test "DHM size: server 1000, client default, rejected" \
5091 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5092 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5093 debug_level=1" \
5094 1 \
5095 -c "DHM prime too short:"
5096
5097run_test "DHM size: server default, client 2049, rejected" \
5098 "$P_SRV" \
5099 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5100 debug_level=1 dhmlen=2049" \
5101 1 \
5102 -c "DHM prime too short:"
5103
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5104# Tests for PSK callback
5105
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5106run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5107 "$P_SRV psk=abc123 psk_identity=foo" \
5108 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5109 psk_identity=foo psk=abc123" \
5110 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5111 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5112 -S "SSL - Unknown identity received" \
5113 -S "SSL - Verification of the message MAC failed"
5114
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5115run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5116 "$P_SRV" \
5117 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5118 psk_identity=foo psk=abc123" \
5119 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5120 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5121 -S "SSL - Unknown identity received" \
5122 -S "SSL - Verification of the message MAC failed"
5123
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5124run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5125 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
5126 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5127 psk_identity=foo psk=abc123" \
5128 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5129 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5130 -s "SSL - Unknown identity received" \
5131 -S "SSL - Verification of the message MAC failed"
5132
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5133run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5134 "$P_SRV psk_list=abc,dead,def,beef" \
5135 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5136 psk_identity=abc psk=dead" \
5137 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5138 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5139 -S "SSL - Unknown identity received" \
5140 -S "SSL - Verification of the message MAC failed"
5141
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5142run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5143 "$P_SRV psk_list=abc,dead,def,beef" \
5144 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5145 psk_identity=def psk=beef" \
5146 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5147 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5148 -S "SSL - Unknown identity received" \
5149 -S "SSL - Verification of the message MAC failed"
5150
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5151run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5152 "$P_SRV psk_list=abc,dead,def,beef" \
5153 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5154 psk_identity=ghi psk=beef" \
5155 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5156 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5157 -s "SSL - Unknown identity received" \
5158 -S "SSL - Verification of the message MAC failed"
5159
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5160run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5161 "$P_SRV psk_list=abc,dead,def,beef" \
5162 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5163 psk_identity=abc psk=beef" \
5164 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5165 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5166 -S "SSL - Unknown identity received" \
5167 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5168
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5169# Tests for EC J-PAKE
5170
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5171requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5172run_test "ECJPAKE: client not configured" \
5173 "$P_SRV debug_level=3" \
5174 "$P_CLI debug_level=3" \
5175 0 \
5176 -C "add ciphersuite: c0ff" \
5177 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5178 -S "found ecjpake kkpp extension" \
5179 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5180 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5181 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5182 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5183 -S "None of the common ciphersuites is usable"
5184
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5185requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5186run_test "ECJPAKE: server not configured" \
5187 "$P_SRV debug_level=3" \
5188 "$P_CLI debug_level=3 ecjpake_pw=bla \
5189 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5190 1 \
5191 -c "add ciphersuite: c0ff" \
5192 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5193 -s "found ecjpake kkpp extension" \
5194 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5195 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5196 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5197 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5198 -s "None of the common ciphersuites is usable"
5199
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5200requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5201run_test "ECJPAKE: working, TLS" \
5202 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5203 "$P_CLI debug_level=3 ecjpake_pw=bla \
5204 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]5205 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5206 -c "add ciphersuite: c0ff" \
5207 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5208 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5209 -s "found ecjpake kkpp extension" \
5210 -S "skip ecjpake kkpp extension" \
5211 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5212 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5213 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5214 -S "None of the common ciphersuites is usable" \
5215 -S "SSL - Verification of the message MAC failed"
5216
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5217server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5218requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5219run_test "ECJPAKE: password mismatch, TLS" \
5220 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5221 "$P_CLI debug_level=3 ecjpake_pw=bad \
5222 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5223 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5224 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5225 -s "SSL - Verification of the message MAC failed"
5226
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5227requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5228run_test "ECJPAKE: working, DTLS" \
5229 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5230 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5231 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5232 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5233 -c "re-using cached ecjpake parameters" \
5234 -S "SSL - Verification of the message MAC failed"
5235
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5236requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5237run_test "ECJPAKE: working, DTLS, no cookie" \
5238 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
5239 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5240 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5241 0 \
5242 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5243 -S "SSL - Verification of the message MAC failed"
5244
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5245server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5246requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5247run_test "ECJPAKE: password mismatch, DTLS" \
5248 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5249 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
5250 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5251 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5252 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5253 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5254
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5255# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5256requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5257run_test "ECJPAKE: working, DTLS, nolog" \
5258 "$P_SRV dtls=1 ecjpake_pw=bla" \
5259 "$P_CLI dtls=1 ecjpake_pw=bla \
5260 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5261 0
5262
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5263# Tests for ciphersuites per version
5264
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5265requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5266requires_config_enabled MBEDTLS_CAMELLIA_C
5267requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5268run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5269 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5270 "$P_CLI force_version=ssl3" \
5271 0 \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5272 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5273
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5274requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
5275requires_config_enabled MBEDTLS_CAMELLIA_C
5276requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5277run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5278 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]5279 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5280 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5281 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5282
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5283requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
5284requires_config_enabled MBEDTLS_CAMELLIA_C
5285requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5286run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5287 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5288 "$P_CLI force_version=tls1_1" \
5289 0 \
5290 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
5291
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5292requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
5293requires_config_enabled MBEDTLS_CAMELLIA_C
5294requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5295run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5296 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5297 "$P_CLI force_version=tls1_2" \
5298 0 \
5299 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
5300
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5301# Test for ClientHello without extensions
5302
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]5303requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5304run_test "ClientHello without extensions, SHA-1 allowed" \
Ron Eldorb76e7652019-01-16 23:14:41 +0200[diff] [blame]5305 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5306 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5307 0 \
5308 -s "dumping 'client hello extensions' (0 bytes)"
5309
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5310requires_gnutls
5311run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
5312 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5313 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5314 0 \
5315 -s "dumping 'client hello extensions' (0 bytes)"
5316
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5317# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5319run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5320 "$P_SRV" \
5321 "$P_CLI request_size=100" \
5322 0 \
5323 -s "Read from client: 100 bytes read$"
5324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5325run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5326 "$P_SRV" \
5327 "$P_CLI request_size=500" \
5328 0 \
5329 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5330
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5331# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5332
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5333requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5334run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5335 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5336 "$P_CLI request_size=1 force_version=ssl3 \
5337 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5338 0 \
5339 -s "Read from client: 1 bytes read"
5340
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5341requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5342run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5343 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5344 "$P_CLI request_size=1 force_version=ssl3 \
5345 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5346 0 \
5347 -s "Read from client: 1 bytes read"
5348
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5349run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5350 "$P_SRV" \
5351 "$P_CLI request_size=1 force_version=tls1 \
5352 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5353 0 \
5354 -s "Read from client: 1 bytes read"
5355
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5356run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5357 "$P_SRV" \
5358 "$P_CLI request_size=1 force_version=tls1 etm=0 \
5359 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5360 0 \
5361 -s "Read from client: 1 bytes read"
5362
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5363requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5364run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5365 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5366 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5367 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5368 0 \
5369 -s "Read from client: 1 bytes read"
5370
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5371requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5372run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5373 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5374 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5375 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5376 0 \
5377 -s "Read from client: 1 bytes read"
5378
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5379run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5380 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5381 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5382 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5383 0 \
5384 -s "Read from client: 1 bytes read"
5385
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5386run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5387 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5388 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5389 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5390 0 \
5391 -s "Read from client: 1 bytes read"
5392
5393requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5394run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5395 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5396 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5397 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5398 0 \
5399 -s "Read from client: 1 bytes read"
5400
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5401requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5402run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5403 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5404 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5405 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5406 0 \
5407 -s "Read from client: 1 bytes read"
5408
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5409run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5410 "$P_SRV" \
5411 "$P_CLI request_size=1 force_version=tls1_1 \
5412 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5413 0 \
5414 -s "Read from client: 1 bytes read"
5415
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5416run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5417 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5418 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5419 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5420 0 \
5421 -s "Read from client: 1 bytes read"
5422
5423requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5424run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5425 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5426 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5427 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5428 0 \
5429 -s "Read from client: 1 bytes read"
5430
5431requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5432run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5433 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5434 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5435 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5436 0 \
5437 -s "Read from client: 1 bytes read"
5438
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5439run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5440 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5441 "$P_CLI request_size=1 force_version=tls1_1 \
5442 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5443 0 \
5444 -s "Read from client: 1 bytes read"
5445
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5446run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5447 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5448 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5449 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5450 0 \
5451 -s "Read from client: 1 bytes read"
5452
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5453requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5454run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5455 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5456 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5457 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5458 0 \
5459 -s "Read from client: 1 bytes read"
5460
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5461requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5462run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5463 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5464 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5465 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5466 0 \
5467 -s "Read from client: 1 bytes read"
5468
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5469run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5470 "$P_SRV" \
5471 "$P_CLI request_size=1 force_version=tls1_2 \
5472 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5473 0 \
5474 -s "Read from client: 1 bytes read"
5475
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5476run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5477 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5478 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5479 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5480 0 \
5481 -s "Read from client: 1 bytes read"
5482
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5483run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5484 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5485 "$P_CLI request_size=1 force_version=tls1_2 \
5486 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5487 0 \
5488 -s "Read from client: 1 bytes read"
5489
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5490requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5491run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5492 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5493 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5494 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5495 0 \
5496 -s "Read from client: 1 bytes read"
5497
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5498requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5499run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5500 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5501 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5502 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5503 0 \
5504 -s "Read from client: 1 bytes read"
5505
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5506run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5507 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5508 "$P_CLI request_size=1 force_version=tls1_2 \
5509 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5510 0 \
5511 -s "Read from client: 1 bytes read"
5512
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5513run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5514 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5515 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5516 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5517 0 \
5518 -s "Read from client: 1 bytes read"
5519
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5520requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5521run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5522 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5523 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5524 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5525 0 \
5526 -s "Read from client: 1 bytes read"
5527
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5528requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5529run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5530 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5531 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5532 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5533 0 \
5534 -s "Read from client: 1 bytes read"
5535
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5536run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5537 "$P_SRV" \
5538 "$P_CLI request_size=1 force_version=tls1_2 \
5539 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5540 0 \
5541 -s "Read from client: 1 bytes read"
5542
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5543run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5544 "$P_SRV" \
5545 "$P_CLI request_size=1 force_version=tls1_2 \
5546 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5547 0 \
5548 -s "Read from client: 1 bytes read"
5549
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5550# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5551
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5552run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5553 "$P_SRV dtls=1 force_version=dtls1" \
5554 "$P_CLI dtls=1 request_size=1 \
5555 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5556 0 \
5557 -s "Read from client: 1 bytes read"
5558
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5559run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5560 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
5561 "$P_CLI dtls=1 request_size=1 \
5562 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5563 0 \
5564 -s "Read from client: 1 bytes read"
5565
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5566requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5567run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5568 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
5569 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5570 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5571 0 \
5572 -s "Read from client: 1 bytes read"
5573
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5574requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5575run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5576 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5577 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5578 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5579 0 \
5580 -s "Read from client: 1 bytes read"
5581
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5582run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5583 "$P_SRV dtls=1 force_version=dtls1_2" \
5584 "$P_CLI dtls=1 request_size=1 \
5585 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5586 0 \
5587 -s "Read from client: 1 bytes read"
5588
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5589run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5590 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5591 "$P_CLI dtls=1 request_size=1 \
5592 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5593 0 \
5594 -s "Read from client: 1 bytes read"
5595
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5596requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5597run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5598 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5599 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5600 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5601 0 \
5602 -s "Read from client: 1 bytes read"
5603
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5604requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5605run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5606 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5607 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5608 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5609 0 \
5610 -s "Read from client: 1 bytes read"
5611
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5612# Tests for small server packets
5613
5614requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5615run_test "Small server packet SSLv3 BlockCipher" \
5616 "$P_SRV response_size=1 min_version=ssl3" \
5617 "$P_CLI force_version=ssl3 \
5618 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5619 0 \
5620 -c "Read from server: 1 bytes read"
5621
5622requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5623run_test "Small server packet SSLv3 StreamCipher" \
5624 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5625 "$P_CLI force_version=ssl3 \
5626 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5627 0 \
5628 -c "Read from server: 1 bytes read"
5629
5630run_test "Small server packet TLS 1.0 BlockCipher" \
5631 "$P_SRV response_size=1" \
5632 "$P_CLI force_version=tls1 \
5633 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5634 0 \
5635 -c "Read from server: 1 bytes read"
5636
5637run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
5638 "$P_SRV response_size=1" \
5639 "$P_CLI force_version=tls1 etm=0 \
5640 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5641 0 \
5642 -c "Read from server: 1 bytes read"
5643
5644requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5645run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
5646 "$P_SRV response_size=1 trunc_hmac=1" \
5647 "$P_CLI force_version=tls1 \
5648 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5649 0 \
5650 -c "Read from server: 1 bytes read"
5651
5652requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5653run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
5654 "$P_SRV response_size=1 trunc_hmac=1" \
5655 "$P_CLI force_version=tls1 \
5656 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5657 0 \
5658 -c "Read from server: 1 bytes read"
5659
5660run_test "Small server packet TLS 1.0 StreamCipher" \
5661 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5662 "$P_CLI force_version=tls1 \
5663 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5664 0 \
5665 -c "Read from server: 1 bytes read"
5666
5667run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
5668 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5669 "$P_CLI force_version=tls1 \
5670 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5671 0 \
5672 -c "Read from server: 1 bytes read"
5673
5674requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5675run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
5676 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5677 "$P_CLI force_version=tls1 \
5678 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5679 0 \
5680 -c "Read from server: 1 bytes read"
5681
5682requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5683run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
5684 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5685 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5686 trunc_hmac=1 etm=0" \
5687 0 \
5688 -c "Read from server: 1 bytes read"
5689
5690run_test "Small server packet TLS 1.1 BlockCipher" \
5691 "$P_SRV response_size=1" \
5692 "$P_CLI force_version=tls1_1 \
5693 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5694 0 \
5695 -c "Read from server: 1 bytes read"
5696
5697run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
5698 "$P_SRV response_size=1" \
5699 "$P_CLI force_version=tls1_1 \
5700 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5701 0 \
5702 -c "Read from server: 1 bytes read"
5703
5704requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5705run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
5706 "$P_SRV response_size=1 trunc_hmac=1" \
5707 "$P_CLI force_version=tls1_1 \
5708 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5709 0 \
5710 -c "Read from server: 1 bytes read"
5711
5712requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5713run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
5714 "$P_SRV response_size=1 trunc_hmac=1" \
5715 "$P_CLI force_version=tls1_1 \
5716 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5717 0 \
5718 -c "Read from server: 1 bytes read"
5719
5720run_test "Small server packet TLS 1.1 StreamCipher" \
5721 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5722 "$P_CLI force_version=tls1_1 \
5723 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5724 0 \
5725 -c "Read from server: 1 bytes read"
5726
5727run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
5728 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5729 "$P_CLI force_version=tls1_1 \
5730 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5731 0 \
5732 -c "Read from server: 1 bytes read"
5733
5734requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5735run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
5736 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5737 "$P_CLI force_version=tls1_1 \
5738 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5739 0 \
5740 -c "Read from server: 1 bytes read"
5741
5742requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5743run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
5744 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5745 "$P_CLI force_version=tls1_1 \
5746 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5747 0 \
5748 -c "Read from server: 1 bytes read"
5749
5750run_test "Small server packet TLS 1.2 BlockCipher" \
5751 "$P_SRV response_size=1" \
5752 "$P_CLI force_version=tls1_2 \
5753 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5754 0 \
5755 -c "Read from server: 1 bytes read"
5756
5757run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
5758 "$P_SRV response_size=1" \
5759 "$P_CLI force_version=tls1_2 \
5760 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5761 0 \
5762 -c "Read from server: 1 bytes read"
5763
5764run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
5765 "$P_SRV response_size=1" \
5766 "$P_CLI force_version=tls1_2 \
5767 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
5768 0 \
5769 -c "Read from server: 1 bytes read"
5770
5771requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5772run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
5773 "$P_SRV response_size=1 trunc_hmac=1" \
5774 "$P_CLI force_version=tls1_2 \
5775 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5776 0 \
5777 -c "Read from server: 1 bytes read"
5778
5779requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5780run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
5781 "$P_SRV response_size=1 trunc_hmac=1" \
5782 "$P_CLI force_version=tls1_2 \
5783 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5784 0 \
5785 -c "Read from server: 1 bytes read"
5786
5787run_test "Small server packet TLS 1.2 StreamCipher" \
5788 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5789 "$P_CLI force_version=tls1_2 \
5790 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5791 0 \
5792 -c "Read from server: 1 bytes read"
5793
5794run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
5795 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5796 "$P_CLI force_version=tls1_2 \
5797 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5798 0 \
5799 -c "Read from server: 1 bytes read"
5800
5801requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5802run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
5803 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5804 "$P_CLI force_version=tls1_2 \
5805 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5806 0 \
5807 -c "Read from server: 1 bytes read"
5808
5809requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5810run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
5811 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5812 "$P_CLI force_version=tls1_2 \
5813 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5814 0 \
5815 -c "Read from server: 1 bytes read"
5816
5817run_test "Small server packet TLS 1.2 AEAD" \
5818 "$P_SRV response_size=1" \
5819 "$P_CLI force_version=tls1_2 \
5820 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5821 0 \
5822 -c "Read from server: 1 bytes read"
5823
5824run_test "Small server packet TLS 1.2 AEAD shorter tag" \
5825 "$P_SRV response_size=1" \
5826 "$P_CLI force_version=tls1_2 \
5827 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5828 0 \
5829 -c "Read from server: 1 bytes read"
5830
5831# Tests for small server packets in DTLS
5832
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5833run_test "Small server packet DTLS 1.0" \
5834 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
5835 "$P_CLI dtls=1 \
5836 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5837 0 \
5838 -c "Read from server: 1 bytes read"
5839
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5840run_test "Small server packet DTLS 1.0, without EtM" \
5841 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
5842 "$P_CLI dtls=1 \
5843 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5844 0 \
5845 -c "Read from server: 1 bytes read"
5846
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5847requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5848run_test "Small server packet DTLS 1.0, truncated hmac" \
5849 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
5850 "$P_CLI dtls=1 trunc_hmac=1 \
5851 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5852 0 \
5853 -c "Read from server: 1 bytes read"
5854
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5855requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5856run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
5857 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
5858 "$P_CLI dtls=1 \
5859 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5860 0 \
5861 -c "Read from server: 1 bytes read"
5862
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5863run_test "Small server packet DTLS 1.2" \
5864 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
5865 "$P_CLI dtls=1 \
5866 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5867 0 \
5868 -c "Read from server: 1 bytes read"
5869
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5870run_test "Small server packet DTLS 1.2, without EtM" \
5871 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
5872 "$P_CLI dtls=1 \
5873 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5874 0 \
5875 -c "Read from server: 1 bytes read"
5876
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5877requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5878run_test "Small server packet DTLS 1.2, truncated hmac" \
5879 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
5880 "$P_CLI dtls=1 \
5881 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5882 0 \
5883 -c "Read from server: 1 bytes read"
5884
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5885requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5886run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
5887 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
5888 "$P_CLI dtls=1 \
5889 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5890 0 \
5891 -c "Read from server: 1 bytes read"
5892
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]5893# A test for extensions in SSLv3
5894
5895requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5896run_test "SSLv3 with extensions, server side" \
5897 "$P_SRV min_version=ssl3 debug_level=3" \
5898 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
5899 0 \
5900 -S "dumping 'client hello extensions'" \
5901 -S "server hello, total extension length:"
5902
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5903# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5904
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5905# How many fragments do we expect to write $1 bytes?
5906fragments_for_write() {
5907 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
5908}
5909
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5910requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5911run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5912 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5913 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5914 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5915 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5916 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5917 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5918
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5919requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5920run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5921 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5922 "$P_CLI request_size=16384 force_version=ssl3 \
5923 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5924 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5925 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5926 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5927
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5928run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5929 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5930 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5931 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5932 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5933 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5934 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5935
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5936run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5937 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5938 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
5939 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5940 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5941 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5942
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5943requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5944run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5945 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5946 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5947 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5948 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5949 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5950 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5951
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5952requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5953run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5954 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5955 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5956 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5957 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5958 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5959
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5960run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5961 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5962 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5963 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5964 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5965 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5966
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5967run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5968 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5969 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5970 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5971 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5972 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5973
5974requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5975run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5976 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5977 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5978 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5979 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5980 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5981
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5982requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5983run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5984 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5985 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5986 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5987 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5988 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5989 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5990
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5991run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5992 "$P_SRV" \
5993 "$P_CLI request_size=16384 force_version=tls1_1 \
5994 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5995 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5996 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5997 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5998
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5999run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6000 "$P_SRV" \
6001 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
6002 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6003 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6004 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6005
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6006requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6007run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6008 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6009 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6010 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6011 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6012 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6013
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6014requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6015run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6016 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6017 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6018 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6019 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6020 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6021
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6022run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6023 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6024 "$P_CLI request_size=16384 force_version=tls1_1 \
6025 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6026 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6027 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6028 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6029
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6030run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6031 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6032 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6033 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6034 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6035 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6036 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6037
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6038requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6039run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6040 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6041 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6042 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6043 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6044 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6045
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6046requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6047run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6048 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6049 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6050 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6051 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6052 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6053 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6054
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6055run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6056 "$P_SRV" \
6057 "$P_CLI request_size=16384 force_version=tls1_2 \
6058 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6059 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6060 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6061 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6062
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6063run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6064 "$P_SRV" \
6065 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
6066 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6067 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6068 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6069
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6070run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6071 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6072 "$P_CLI request_size=16384 force_version=tls1_2 \
6073 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6074 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6075 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6076 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6077
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6078requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6079run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6080 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6081 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6082 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6083 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6084 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6085
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6086requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6087run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6088 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6089 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6090 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6091 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6092 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6093 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6094
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6095run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6096 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6097 "$P_CLI request_size=16384 force_version=tls1_2 \
6098 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6099 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6100 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6101 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6102
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6103run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6104 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6105 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6106 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6107 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6108 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6109
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6110requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6111run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6112 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6113 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6114 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6115 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6116 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6117
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6118requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6119run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6120 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6121 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6122 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6123 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6124 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6125 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6126
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6127run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6128 "$P_SRV" \
6129 "$P_CLI request_size=16384 force_version=tls1_2 \
6130 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6131 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6132 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6133 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6134
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6135run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6136 "$P_SRV" \
6137 "$P_CLI request_size=16384 force_version=tls1_2 \
6138 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6139 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6140 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6141 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6142
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6143# Test for large server packets
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6144requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6145run_test "Large server packet SSLv3 StreamCipher" \
6146 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6147 "$P_CLI force_version=ssl3 \
6148 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6149 0 \
6150 -c "Read from server: 16384 bytes read"
6151
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]6152# Checking next 4 tests logs for 1n-1 split against BEAST too
6153requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6154run_test "Large server packet SSLv3 BlockCipher" \
6155 "$P_SRV response_size=16384 min_version=ssl3" \
6156 "$P_CLI force_version=ssl3 recsplit=0 \
6157 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6158 0 \
6159 -c "Read from server: 1 bytes read"\
6160 -c "16383 bytes read"\
6161 -C "Read from server: 16384 bytes read"
6162
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6163run_test "Large server packet TLS 1.0 BlockCipher" \
6164 "$P_SRV response_size=16384" \
6165 "$P_CLI force_version=tls1 recsplit=0 \
6166 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6167 0 \
6168 -c "Read from server: 1 bytes read"\
6169 -c "16383 bytes read"\
6170 -C "Read from server: 16384 bytes read"
6171
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6172run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
6173 "$P_SRV response_size=16384" \
6174 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
6175 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6176 0 \
6177 -c "Read from server: 1 bytes read"\
6178 -c "16383 bytes read"\
6179 -C "Read from server: 16384 bytes read"
6180
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6181requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6182run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
6183 "$P_SRV response_size=16384" \
6184 "$P_CLI force_version=tls1 recsplit=0 \
6185 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6186 trunc_hmac=1" \
6187 0 \
6188 -c "Read from server: 1 bytes read"\
6189 -c "16383 bytes read"\
6190 -C "Read from server: 16384 bytes read"
6191
6192requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6193run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
6194 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6195 "$P_CLI force_version=tls1 \
6196 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6197 trunc_hmac=1" \
6198 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6199 -s "16384 bytes written in 1 fragments" \
6200 -c "Read from server: 16384 bytes read"
6201
6202run_test "Large server packet TLS 1.0 StreamCipher" \
6203 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6204 "$P_CLI force_version=tls1 \
6205 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6206 0 \
6207 -s "16384 bytes written in 1 fragments" \
6208 -c "Read from server: 16384 bytes read"
6209
6210run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
6211 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6212 "$P_CLI force_version=tls1 \
6213 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6214 0 \
6215 -s "16384 bytes written in 1 fragments" \
6216 -c "Read from server: 16384 bytes read"
6217
6218requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6219run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
6220 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6221 "$P_CLI force_version=tls1 \
6222 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6223 0 \
6224 -s "16384 bytes written in 1 fragments" \
6225 -c "Read from server: 16384 bytes read"
6226
6227requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6228run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6229 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6230 "$P_CLI force_version=tls1 \
6231 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6232 0 \
6233 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6234 -c "Read from server: 16384 bytes read"
6235
6236run_test "Large server packet TLS 1.1 BlockCipher" \
6237 "$P_SRV response_size=16384" \
6238 "$P_CLI force_version=tls1_1 \
6239 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6240 0 \
6241 -c "Read from server: 16384 bytes read"
6242
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6243run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
6244 "$P_SRV response_size=16384" \
6245 "$P_CLI force_version=tls1_1 etm=0 \
6246 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6247 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6248 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6249 -c "Read from server: 16384 bytes read"
6250
6251requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6252run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
6253 "$P_SRV response_size=16384" \
6254 "$P_CLI force_version=tls1_1 \
6255 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6256 trunc_hmac=1" \
6257 0 \
6258 -c "Read from server: 16384 bytes read"
6259
6260requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6261run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6262 "$P_SRV response_size=16384 trunc_hmac=1" \
6263 "$P_CLI force_version=tls1_1 \
6264 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6265 0 \
6266 -s "16384 bytes written in 1 fragments" \
6267 -c "Read from server: 16384 bytes read"
6268
6269run_test "Large server packet TLS 1.1 StreamCipher" \
6270 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6271 "$P_CLI force_version=tls1_1 \
6272 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6273 0 \
6274 -c "Read from server: 16384 bytes read"
6275
6276run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
6277 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6278 "$P_CLI force_version=tls1_1 \
6279 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6280 0 \
6281 -s "16384 bytes written in 1 fragments" \
6282 -c "Read from server: 16384 bytes read"
6283
6284requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6285run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
6286 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6287 "$P_CLI force_version=tls1_1 \
6288 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6289 trunc_hmac=1" \
6290 0 \
6291 -c "Read from server: 16384 bytes read"
6292
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6293run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6294 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6295 "$P_CLI force_version=tls1_1 \
6296 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6297 0 \
6298 -s "16384 bytes written in 1 fragments" \
6299 -c "Read from server: 16384 bytes read"
6300
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6301run_test "Large server packet TLS 1.2 BlockCipher" \
6302 "$P_SRV response_size=16384" \
6303 "$P_CLI force_version=tls1_2 \
6304 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6305 0 \
6306 -c "Read from server: 16384 bytes read"
6307
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6308run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
6309 "$P_SRV response_size=16384" \
6310 "$P_CLI force_version=tls1_2 etm=0 \
6311 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6312 0 \
6313 -s "16384 bytes written in 1 fragments" \
6314 -c "Read from server: 16384 bytes read"
6315
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6316run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
6317 "$P_SRV response_size=16384" \
6318 "$P_CLI force_version=tls1_2 \
6319 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6320 0 \
6321 -c "Read from server: 16384 bytes read"
6322
6323requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6324run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
6325 "$P_SRV response_size=16384" \
6326 "$P_CLI force_version=tls1_2 \
6327 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6328 trunc_hmac=1" \
6329 0 \
6330 -c "Read from server: 16384 bytes read"
6331
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6332run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6333 "$P_SRV response_size=16384 trunc_hmac=1" \
6334 "$P_CLI force_version=tls1_2 \
6335 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6336 0 \
6337 -s "16384 bytes written in 1 fragments" \
6338 -c "Read from server: 16384 bytes read"
6339
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6340run_test "Large server packet TLS 1.2 StreamCipher" \
6341 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6342 "$P_CLI force_version=tls1_2 \
6343 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6344 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6345 -s "16384 bytes written in 1 fragments" \
6346 -c "Read from server: 16384 bytes read"
6347
6348run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
6349 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6350 "$P_CLI force_version=tls1_2 \
6351 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6352 0 \
6353 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6354 -c "Read from server: 16384 bytes read"
6355
6356requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6357run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
6358 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6359 "$P_CLI force_version=tls1_2 \
6360 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6361 trunc_hmac=1" \
6362 0 \
6363 -c "Read from server: 16384 bytes read"
6364
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6365requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6366run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6367 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6368 "$P_CLI force_version=tls1_2 \
6369 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6370 0 \
6371 -s "16384 bytes written in 1 fragments" \
6372 -c "Read from server: 16384 bytes read"
6373
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6374run_test "Large server packet TLS 1.2 AEAD" \
6375 "$P_SRV response_size=16384" \
6376 "$P_CLI force_version=tls1_2 \
6377 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6378 0 \
6379 -c "Read from server: 16384 bytes read"
6380
6381run_test "Large server packet TLS 1.2 AEAD shorter tag" \
6382 "$P_SRV response_size=16384" \
6383 "$P_CLI force_version=tls1_2 \
6384 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6385 0 \
6386 -c "Read from server: 16384 bytes read"
6387
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6388# Tests for restartable ECC
6389
6390requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6391run_test "EC restart: TLS, default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6392 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6393 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6394 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6395 debug_level=1" \
6396 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6397 -C "x509_verify_cert.*4b00" \
6398 -C "mbedtls_pk_verify.*4b00" \
6399 -C "mbedtls_ecdh_make_public.*4b00" \
6400 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6401
6402requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6403run_test "EC restart: TLS, max_ops=0" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6404 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6405 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6406 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6407 debug_level=1 ec_max_ops=0" \
6408 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6409 -C "x509_verify_cert.*4b00" \
6410 -C "mbedtls_pk_verify.*4b00" \
6411 -C "mbedtls_ecdh_make_public.*4b00" \
6412 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6413
6414requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6415run_test "EC restart: TLS, max_ops=65535" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6416 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6417 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6418 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6419 debug_level=1 ec_max_ops=65535" \
6420 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6421 -C "x509_verify_cert.*4b00" \
6422 -C "mbedtls_pk_verify.*4b00" \
6423 -C "mbedtls_ecdh_make_public.*4b00" \
6424 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6425
6426requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6427run_test "EC restart: TLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6428 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6429 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6430 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6431 debug_level=1 ec_max_ops=1000" \
6432 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6433 -c "x509_verify_cert.*4b00" \
6434 -c "mbedtls_pk_verify.*4b00" \
6435 -c "mbedtls_ecdh_make_public.*4b00" \
6436 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6437
6438requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6439requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6440run_test "EC restart: TLS, max_ops=1000, badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6441 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6442 crt_file=data_files/server5-badsign.crt \
6443 key_file=data_files/server5.key" \
6444 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6445 key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \
6446 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6447 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6448 -c "x509_verify_cert.*4b00" \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6449 -c "mbedtls_pk_verify.*4b00" \
6450 -c "mbedtls_ecdh_make_public.*4b00" \
6451 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6452 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6453
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6454requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6455requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6456run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6457 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6458 crt_file=data_files/server5-badsign.crt \
6459 key_file=data_files/server5.key" \
6460 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6461 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6462 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6463 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6464 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6465 -c "x509_verify_cert.*4b00" \
6466 -c "mbedtls_pk_verify.*4b00" \
6467 -c "mbedtls_ecdh_make_public.*4b00" \
6468 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6469 -c "! The certificate is not correctly signed by the trusted CA" \
6470 -C "! mbedtls_ssl_handshake returned" \
6471 -C "X509 - Certificate verification failed"
6472
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6473requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6474requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6475requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6476run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6477 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6478 crt_file=data_files/server5-badsign.crt \
6479 key_file=data_files/server5.key" \
6480 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6481 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6482 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6483 debug_level=1 ec_max_ops=1000 auth_mode=none" \
6484 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6485 -C "x509_verify_cert.*4b00" \
6486 -c "mbedtls_pk_verify.*4b00" \
6487 -c "mbedtls_ecdh_make_public.*4b00" \
6488 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6489 -C "! The certificate is not correctly signed by the trusted CA" \
6490 -C "! mbedtls_ssl_handshake returned" \
6491 -C "X509 - Certificate verification failed"
6492
6493requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6494run_test "EC restart: DTLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6495 "$P_SRV auth_mode=required dtls=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6496 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6497 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6498 dtls=1 debug_level=1 ec_max_ops=1000" \
6499 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6500 -c "x509_verify_cert.*4b00" \
6501 -c "mbedtls_pk_verify.*4b00" \
6502 -c "mbedtls_ecdh_make_public.*4b00" \
6503 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6504
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6505requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6506run_test "EC restart: TLS, max_ops=1000 no client auth" \
6507 "$P_SRV" \
6508 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6509 debug_level=1 ec_max_ops=1000" \
6510 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6511 -c "x509_verify_cert.*4b00" \
6512 -c "mbedtls_pk_verify.*4b00" \
6513 -c "mbedtls_ecdh_make_public.*4b00" \
6514 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6515
6516requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6517run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
6518 "$P_SRV psk=abc123" \
6519 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
6520 psk=abc123 debug_level=1 ec_max_ops=1000" \
6521 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6522 -C "x509_verify_cert.*4b00" \
6523 -C "mbedtls_pk_verify.*4b00" \
6524 -C "mbedtls_ecdh_make_public.*4b00" \
6525 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6526
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6527# Tests of asynchronous private key support in SSL
6528
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6529requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6530run_test "SSL async private: sign, delay=0" \
6531 "$P_SRV \
6532 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6533 "$P_CLI" \
6534 0 \
6535 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6536 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6537
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6538requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6539run_test "SSL async private: sign, delay=1" \
6540 "$P_SRV \
6541 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6542 "$P_CLI" \
6543 0 \
6544 -s "Async sign callback: using key slot " \
6545 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6546 -s "Async resume (slot [0-9]): sign done, status=0"
6547
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]6548requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6549run_test "SSL async private: sign, delay=2" \
6550 "$P_SRV \
6551 async_operations=s async_private_delay1=2 async_private_delay2=2" \
6552 "$P_CLI" \
6553 0 \
6554 -s "Async sign callback: using key slot " \
6555 -U "Async sign callback: using key slot " \
6556 -s "Async resume (slot [0-9]): call 1 more times." \
6557 -s "Async resume (slot [0-9]): call 0 more times." \
6558 -s "Async resume (slot [0-9]): sign done, status=0"
6559
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]6560# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
6561# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
6562requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6563requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6564run_test "SSL async private: sign, RSA, TLS 1.1" \
6565 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
6566 async_operations=s async_private_delay1=0 async_private_delay2=0" \
6567 "$P_CLI force_version=tls1_1" \
6568 0 \
6569 -s "Async sign callback: using key slot " \
6570 -s "Async resume (slot [0-9]): sign done, status=0"
6571
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6572requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]6573requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]6574requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6575requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]6576run_test "SSL async private: sign, SNI" \
6577 "$P_SRV debug_level=3 \
6578 async_operations=s async_private_delay1=0 async_private_delay2=0 \
6579 crt_file=data_files/server5.crt key_file=data_files/server5.key \
6580 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
6581 "$P_CLI server_name=polarssl.example" \
6582 0 \
6583 -s "Async sign callback: using key slot " \
6584 -s "Async resume (slot [0-9]): sign done, status=0" \
6585 -s "parse ServerName extension" \
6586 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6587 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
6588
6589requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6590run_test "SSL async private: decrypt, delay=0" \
6591 "$P_SRV \
6592 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6593 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6594 0 \
6595 -s "Async decrypt callback: using key slot " \
6596 -s "Async resume (slot [0-9]): decrypt done, status=0"
6597
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6598requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6599run_test "SSL async private: decrypt, delay=1" \
6600 "$P_SRV \
6601 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6602 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6603 0 \
6604 -s "Async decrypt callback: using key slot " \
6605 -s "Async resume (slot [0-9]): call 0 more times." \
6606 -s "Async resume (slot [0-9]): decrypt done, status=0"
6607
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6608requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6609run_test "SSL async private: decrypt RSA-PSK, delay=0" \
6610 "$P_SRV psk=abc123 \
6611 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6612 "$P_CLI psk=abc123 \
6613 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6614 0 \
6615 -s "Async decrypt callback: using key slot " \
6616 -s "Async resume (slot [0-9]): decrypt done, status=0"
6617
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6618requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6619run_test "SSL async private: decrypt RSA-PSK, delay=1" \
6620 "$P_SRV psk=abc123 \
6621 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6622 "$P_CLI psk=abc123 \
6623 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6624 0 \
6625 -s "Async decrypt callback: using key slot " \
6626 -s "Async resume (slot [0-9]): call 0 more times." \
6627 -s "Async resume (slot [0-9]): decrypt done, status=0"
6628
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6629requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6630run_test "SSL async private: sign callback not present" \
6631 "$P_SRV \
6632 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6633 "$P_CLI; [ \$? -eq 1 ] &&
6634 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6635 0 \
6636 -S "Async sign callback" \
6637 -s "! mbedtls_ssl_handshake returned" \
6638 -s "The own private key or pre-shared key is not set, but needed" \
6639 -s "Async resume (slot [0-9]): decrypt done, status=0" \
6640 -s "Successful connection"
6641
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6642requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6643run_test "SSL async private: decrypt callback not present" \
6644 "$P_SRV debug_level=1 \
6645 async_operations=s async_private_delay1=1 async_private_delay2=1" \
6646 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
6647 [ \$? -eq 1 ] && $P_CLI" \
6648 0 \
6649 -S "Async decrypt callback" \
6650 -s "! mbedtls_ssl_handshake returned" \
6651 -s "got no RSA private key" \
6652 -s "Async resume (slot [0-9]): sign done, status=0" \
6653 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6654
6655# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6656requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6657run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6658 "$P_SRV \
6659 async_operations=s async_private_delay1=1 \
6660 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6661 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6662 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ca_file=data_files/test-ca2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6663 0 \
6664 -s "Async sign callback: using key slot 0," \
6665 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6666 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6667
6668# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6669requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6670run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6671 "$P_SRV \
6672 async_operations=s async_private_delay2=1 \
6673 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6674 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6675 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6676 0 \
6677 -s "Async sign callback: using key slot 0," \
6678 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6679 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6680
6681# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6682requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]6683run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6684 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]6685 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6686 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6687 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6688 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6689 0 \
6690 -s "Async sign callback: using key slot 1," \
6691 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6692 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6693
6694# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6695requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6696run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6697 "$P_SRV \
6698 async_operations=s async_private_delay1=1 \
6699 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6700 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6701 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6702 0 \
6703 -s "Async sign callback: no key matches this certificate."
6704
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6705requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6706run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6707 "$P_SRV \
6708 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6709 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6710 "$P_CLI" \
6711 1 \
6712 -s "Async sign callback: injected error" \
6713 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6714 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6715 -s "! mbedtls_ssl_handshake returned"
6716
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6717requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6718run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6719 "$P_SRV \
6720 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6721 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6722 "$P_CLI" \
6723 1 \
6724 -s "Async sign callback: using key slot " \
6725 -S "Async resume" \
6726 -s "Async cancel"
6727
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6728requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6729run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6730 "$P_SRV \
6731 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6732 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6733 "$P_CLI" \
6734 1 \
6735 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6736 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6737 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6738 -s "! mbedtls_ssl_handshake returned"
6739
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6740requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6741run_test "SSL async private: decrypt, error in start" \
6742 "$P_SRV \
6743 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6744 async_private_error=1" \
6745 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6746 1 \
6747 -s "Async decrypt callback: injected error" \
6748 -S "Async resume" \
6749 -S "Async cancel" \
6750 -s "! mbedtls_ssl_handshake returned"
6751
6752requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6753run_test "SSL async private: decrypt, cancel after start" \
6754 "$P_SRV \
6755 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6756 async_private_error=2" \
6757 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6758 1 \
6759 -s "Async decrypt callback: using key slot " \
6760 -S "Async resume" \
6761 -s "Async cancel"
6762
6763requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6764run_test "SSL async private: decrypt, error in resume" \
6765 "$P_SRV \
6766 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6767 async_private_error=3" \
6768 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6769 1 \
6770 -s "Async decrypt callback: using key slot " \
6771 -s "Async resume callback: decrypt done but injected error" \
6772 -S "Async cancel" \
6773 -s "! mbedtls_ssl_handshake returned"
6774
6775requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6776run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6777 "$P_SRV \
6778 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6779 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6780 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6781 0 \
6782 -s "Async cancel" \
6783 -s "! mbedtls_ssl_handshake returned" \
6784 -s "Async resume" \
6785 -s "Successful connection"
6786
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6787requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6788run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6789 "$P_SRV \
6790 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6791 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6792 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6793 0 \
6794 -s "! mbedtls_ssl_handshake returned" \
6795 -s "Async resume" \
6796 -s "Successful connection"
6797
6798# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6799requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6800run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6801 "$P_SRV \
6802 async_operations=s async_private_delay1=1 async_private_error=-2 \
6803 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6804 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6805 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6806 [ \$? -eq 1 ] &&
6807 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6808 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]6809 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6810 -S "Async resume" \
6811 -s "Async cancel" \
6812 -s "! mbedtls_ssl_handshake returned" \
6813 -s "Async sign callback: no key matches this certificate." \
6814 -s "Successful connection"
6815
6816# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6817requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6818run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6819 "$P_SRV \
6820 async_operations=s async_private_delay1=1 async_private_error=-3 \
6821 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6822 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6823 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6824 [ \$? -eq 1 ] &&
6825 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6826 0 \
6827 -s "Async resume" \
6828 -s "! mbedtls_ssl_handshake returned" \
6829 -s "Async sign callback: no key matches this certificate." \
6830 -s "Successful connection"
6831
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6832requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6833requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6834run_test "SSL async private: renegotiation: client-initiated; sign" \
6835 "$P_SRV \
6836 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6837 exchanges=2 renegotiation=1" \
6838 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
6839 0 \
6840 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6841 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6842
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6843requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6844requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6845run_test "SSL async private: renegotiation: server-initiated; sign" \
6846 "$P_SRV \
6847 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6848 exchanges=2 renegotiation=1 renegotiate=1" \
6849 "$P_CLI exchanges=2 renegotiation=1" \
6850 0 \
6851 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6852 -s "Async resume (slot [0-9]): sign done, status=0"
6853
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6854requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6855requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6856run_test "SSL async private: renegotiation: client-initiated; decrypt" \
6857 "$P_SRV \
6858 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6859 exchanges=2 renegotiation=1" \
6860 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
6861 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6862 0 \
6863 -s "Async decrypt callback: using key slot " \
6864 -s "Async resume (slot [0-9]): decrypt done, status=0"
6865
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6866requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6867requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6868run_test "SSL async private: renegotiation: server-initiated; decrypt" \
6869 "$P_SRV \
6870 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6871 exchanges=2 renegotiation=1 renegotiate=1" \
6872 "$P_CLI exchanges=2 renegotiation=1 \
6873 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6874 0 \
6875 -s "Async decrypt callback: using key slot " \
6876 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6877
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6878# Tests for ECC extensions (rfc 4492)
6879
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6880requires_config_enabled MBEDTLS_AES_C
6881requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6882requires_config_enabled MBEDTLS_SHA256_C
6883requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6884run_test "Force a non ECC ciphersuite in the client side" \
6885 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6886 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6887 0 \
6888 -C "client hello, adding supported_elliptic_curves extension" \
6889 -C "client hello, adding supported_point_formats extension" \
6890 -S "found supported elliptic curves extension" \
6891 -S "found supported point formats extension"
6892
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6893requires_config_enabled MBEDTLS_AES_C
6894requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6895requires_config_enabled MBEDTLS_SHA256_C
6896requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6897run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6898 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6899 "$P_CLI debug_level=3" \
6900 0 \
6901 -C "found supported_point_formats extension" \
6902 -S "server hello, supported_point_formats extension"
6903
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6904requires_config_enabled MBEDTLS_AES_C
6905requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6906requires_config_enabled MBEDTLS_SHA256_C
6907requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6908run_test "Force an ECC ciphersuite in the client side" \
6909 "$P_SRV debug_level=3" \
6910 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6911 0 \
6912 -c "client hello, adding supported_elliptic_curves extension" \
6913 -c "client hello, adding supported_point_formats extension" \
6914 -s "found supported elliptic curves extension" \
6915 -s "found supported point formats extension"
6916
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6917requires_config_enabled MBEDTLS_AES_C
6918requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6919requires_config_enabled MBEDTLS_SHA256_C
6920requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6921run_test "Force an ECC ciphersuite in the server side" \
6922 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6923 "$P_CLI debug_level=3" \
6924 0 \
6925 -c "found supported_point_formats extension" \
6926 -s "server hello, supported_point_formats extension"
6927
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6928# Tests for DTLS HelloVerifyRequest
6929
6930run_test "DTLS cookie: enabled" \
6931 "$P_SRV dtls=1 debug_level=2" \
6932 "$P_CLI dtls=1 debug_level=2" \
6933 0 \
6934 -s "cookie verification failed" \
6935 -s "cookie verification passed" \
6936 -S "cookie verification skipped" \
6937 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6938 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6939 -S "SSL - The requested feature is not available"
6940
6941run_test "DTLS cookie: disabled" \
6942 "$P_SRV dtls=1 debug_level=2 cookies=0" \
6943 "$P_CLI dtls=1 debug_level=2" \
6944 0 \
6945 -S "cookie verification failed" \
6946 -S "cookie verification passed" \
6947 -s "cookie verification skipped" \
6948 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6949 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6950 -S "SSL - The requested feature is not available"
6951
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6952run_test "DTLS cookie: default (failing)" \
6953 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
6954 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
6955 1 \
6956 -s "cookie verification failed" \
6957 -S "cookie verification passed" \
6958 -S "cookie verification skipped" \
6959 -C "received hello verify request" \
6960 -S "hello verification requested" \
6961 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6962
6963requires_ipv6
6964run_test "DTLS cookie: enabled, IPv6" \
6965 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
6966 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
6967 0 \
6968 -s "cookie verification failed" \
6969 -s "cookie verification passed" \
6970 -S "cookie verification skipped" \
6971 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6972 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6973 -S "SSL - The requested feature is not available"
6974
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6975run_test "DTLS cookie: enabled, nbio" \
6976 "$P_SRV dtls=1 nbio=2 debug_level=2" \
6977 "$P_CLI dtls=1 nbio=2 debug_level=2" \
6978 0 \
6979 -s "cookie verification failed" \
6980 -s "cookie verification passed" \
6981 -S "cookie verification skipped" \
6982 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6983 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6984 -S "SSL - The requested feature is not available"
6985
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6986# Tests for client reconnecting from the same port with DTLS
6987
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6988not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6989run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6990 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
6991 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6992 0 \
6993 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6994 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6995 -S "Client initiated reconnection from same port"
6996
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6997not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6998run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6999 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
7000 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7001 0 \
7002 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7003 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7004 -s "Client initiated reconnection from same port"
7005
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7006not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
7007run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7008 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
7009 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7010 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7011 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7012 -s "Client initiated reconnection from same port"
7013
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7014only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
7015run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
7016 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
7017 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
7018 0 \
7019 -S "The operation timed out" \
7020 -s "Client initiated reconnection from same port"
7021
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7022run_test "DTLS client reconnect from same port: no cookies" \
7023 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]7024 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
7025 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7026 -s "The operation timed out" \
7027 -S "Client initiated reconnection from same port"
7028
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7029# Tests for various cases of client authentication with DTLS
7030# (focused on handshake flows and message parsing)
7031
7032run_test "DTLS client auth: required" \
7033 "$P_SRV dtls=1 auth_mode=required" \
7034 "$P_CLI dtls=1" \
7035 0 \
7036 -s "Verifying peer X.509 certificate... ok"
7037
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7038requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7039requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7040run_test "DTLS client auth: optional, client has no cert" \
7041 "$P_SRV dtls=1 auth_mode=optional" \
7042 "$P_CLI dtls=1 crt_file=none key_file=none" \
7043 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7044 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7045
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7046requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7047requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7048run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7049 "$P_SRV dtls=1 auth_mode=none" \
7050 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
7051 0 \
7052 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7053 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7054
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]7055run_test "DTLS wrong PSK: badmac alert" \
7056 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
7057 "$P_CLI dtls=1 psk=abc124" \
7058 1 \
7059 -s "SSL - Verification of the message MAC failed" \
7060 -c "SSL - A fatal alert message was received from our peer"
7061
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7062# Tests for receiving fragmented handshake messages with DTLS
7063
7064requires_gnutls
7065run_test "DTLS reassembly: no fragmentation (gnutls server)" \
7066 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7067 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7068 0 \
7069 -C "found fragmented DTLS handshake message" \
7070 -C "error"
7071
7072requires_gnutls
7073run_test "DTLS reassembly: some fragmentation (gnutls server)" \
7074 "$G_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7075 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7076 0 \
7077 -c "found fragmented DTLS handshake message" \
7078 -C "error"
7079
7080requires_gnutls
7081run_test "DTLS reassembly: more fragmentation (gnutls server)" \
7082 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7083 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7084 0 \
7085 -c "found fragmented DTLS handshake message" \
7086 -C "error"
7087
7088requires_gnutls
7089run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
7090 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7091 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7092 0 \
7093 -c "found fragmented DTLS handshake message" \
7094 -C "error"
7095
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7096requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7097requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7098run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
7099 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7100 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7101 0 \
7102 -c "found fragmented DTLS handshake message" \
7103 -c "client hello, adding renegotiation extension" \
7104 -c "found renegotiation extension" \
7105 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7106 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7107 -C "error" \
7108 -s "Extra-header:"
7109
7110requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7111requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7112run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
7113 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7114 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7115 0 \
7116 -c "found fragmented DTLS handshake message" \
7117 -c "client hello, adding renegotiation extension" \
7118 -c "found renegotiation extension" \
7119 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7120 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7121 -C "error" \
7122 -s "Extra-header:"
7123
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7124run_test "DTLS reassembly: no fragmentation (openssl server)" \
7125 "$O_SRV -dtls1 -mtu 2048" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7126 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7127 0 \
7128 -C "found fragmented DTLS handshake message" \
7129 -C "error"
7130
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7131run_test "DTLS reassembly: some fragmentation (openssl server)" \
7132 "$O_SRV -dtls1 -mtu 768" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7133 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7134 0 \
7135 -c "found fragmented DTLS handshake message" \
7136 -C "error"
7137
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7138run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7139 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7140 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7141 0 \
7142 -c "found fragmented DTLS handshake message" \
7143 -C "error"
7144
7145run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
7146 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7147 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7148 0 \
7149 -c "found fragmented DTLS handshake message" \
7150 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7151
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7152# Tests for sending fragmented handshake messages with DTLS
7153#
7154# Use client auth when we need the client to send large messages,
7155# and use large cert chains on both sides too (the long chains we have all use
7156# both RSA and ECDSA, but ideally we should have long chains with either).
7157# Sizes reached (UDP payload):
7158# - 2037B for server certificate
7159# - 1542B for client certificate
7160# - 1013B for newsessionticket
7161# - all others below 512B
7162# All those tests assume MAX_CONTENT_LEN is at least 2048
7163
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7164requires_config_enabled MBEDTLS_RSA_C
7165requires_config_enabled MBEDTLS_ECDSA_C
7166requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7167run_test "DTLS fragmenting: none (for reference)" \
7168 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7169 crt_file=data_files/server7_int-ca.crt \
7170 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7171 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7172 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7173 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7174 "$P_CLI dtls=1 debug_level=2 \
7175 crt_file=data_files/server8_int-ca2.crt \
7176 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7177 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7178 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7179 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7180 0 \
7181 -S "found fragmented DTLS handshake message" \
7182 -C "found fragmented DTLS handshake message" \
7183 -C "error"
7184
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7185requires_config_enabled MBEDTLS_RSA_C
7186requires_config_enabled MBEDTLS_ECDSA_C
7187requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7188run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7189 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7190 crt_file=data_files/server7_int-ca.crt \
7191 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7192 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7193 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7194 max_frag_len=1024" \
7195 "$P_CLI dtls=1 debug_level=2 \
7196 crt_file=data_files/server8_int-ca2.crt \
7197 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7198 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7199 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7200 max_frag_len=2048" \
7201 0 \
7202 -S "found fragmented DTLS handshake message" \
7203 -c "found fragmented DTLS handshake message" \
7204 -C "error"
7205
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7206# With the MFL extension, the server has no way of forcing
7207# the client to not exceed a certain MTU; hence, the following
7208# test can't be replicated with an MTU proxy such as the one
7209# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7210requires_config_enabled MBEDTLS_RSA_C
7211requires_config_enabled MBEDTLS_ECDSA_C
7212requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7213run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7214 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7215 crt_file=data_files/server7_int-ca.crt \
7216 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7217 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7218 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7219 max_frag_len=512" \
7220 "$P_CLI dtls=1 debug_level=2 \
7221 crt_file=data_files/server8_int-ca2.crt \
7222 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7223 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7224 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7225 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7226 0 \
7227 -S "found fragmented DTLS handshake message" \
7228 -c "found fragmented DTLS handshake message" \
7229 -C "error"
7230
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7231requires_config_enabled MBEDTLS_RSA_C
7232requires_config_enabled MBEDTLS_ECDSA_C
7233requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7234run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7235 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7236 crt_file=data_files/server7_int-ca.crt \
7237 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7238 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7239 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7240 max_frag_len=2048" \
7241 "$P_CLI dtls=1 debug_level=2 \
7242 crt_file=data_files/server8_int-ca2.crt \
7243 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7244 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7245 hs_timeout=2500-60000 \
7246 max_frag_len=1024" \
7247 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7248 -S "found fragmented DTLS handshake message" \
7249 -c "found fragmented DTLS handshake message" \
7250 -C "error"
7251
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7252# While not required by the standard defining the MFL extension
7253# (according to which it only applies to records, not to datagrams),
7254# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7255# as otherwise there wouldn't be any means to communicate MTU restrictions
7256# to the peer.
7257# The next test checks that no datagrams significantly larger than the
7258# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7259requires_config_enabled MBEDTLS_RSA_C
7260requires_config_enabled MBEDTLS_ECDSA_C
7261requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7262run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7263 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7264 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7265 crt_file=data_files/server7_int-ca.crt \
7266 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7267 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7268 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7269 max_frag_len=2048" \
7270 "$P_CLI dtls=1 debug_level=2 \
7271 crt_file=data_files/server8_int-ca2.crt \
7272 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7273 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7274 hs_timeout=2500-60000 \
7275 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7276 0 \
7277 -S "found fragmented DTLS handshake message" \
7278 -c "found fragmented DTLS handshake message" \
7279 -C "error"
7280
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7281requires_config_enabled MBEDTLS_RSA_C
7282requires_config_enabled MBEDTLS_ECDSA_C
7283requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7284run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7285 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7286 crt_file=data_files/server7_int-ca.crt \
7287 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7288 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7289 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7290 max_frag_len=2048" \
7291 "$P_CLI dtls=1 debug_level=2 \
7292 crt_file=data_files/server8_int-ca2.crt \
7293 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7294 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7295 hs_timeout=2500-60000 \
7296 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7297 0 \
7298 -s "found fragmented DTLS handshake message" \
7299 -c "found fragmented DTLS handshake message" \
7300 -C "error"
7301
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7302# While not required by the standard defining the MFL extension
7303# (according to which it only applies to records, not to datagrams),
7304# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7305# as otherwise there wouldn't be any means to communicate MTU restrictions
7306# to the peer.
7307# The next test checks that no datagrams significantly larger than the
7308# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7309requires_config_enabled MBEDTLS_RSA_C
7310requires_config_enabled MBEDTLS_ECDSA_C
7311requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7312run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7313 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7314 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7315 crt_file=data_files/server7_int-ca.crt \
7316 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7317 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7318 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7319 max_frag_len=2048" \
7320 "$P_CLI dtls=1 debug_level=2 \
7321 crt_file=data_files/server8_int-ca2.crt \
7322 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7323 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7324 hs_timeout=2500-60000 \
7325 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7326 0 \
7327 -s "found fragmented DTLS handshake message" \
7328 -c "found fragmented DTLS handshake message" \
7329 -C "error"
7330
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7331requires_config_enabled MBEDTLS_RSA_C
7332requires_config_enabled MBEDTLS_ECDSA_C
7333run_test "DTLS fragmenting: none (for reference) (MTU)" \
7334 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7335 crt_file=data_files/server7_int-ca.crt \
7336 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7337 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7338 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7339 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7340 "$P_CLI dtls=1 debug_level=2 \
7341 crt_file=data_files/server8_int-ca2.crt \
7342 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7343 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7344 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7345 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7346 0 \
7347 -S "found fragmented DTLS handshake message" \
7348 -C "found fragmented DTLS handshake message" \
7349 -C "error"
7350
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7351requires_config_enabled MBEDTLS_RSA_C
7352requires_config_enabled MBEDTLS_ECDSA_C
7353run_test "DTLS fragmenting: client (MTU)" \
7354 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7355 crt_file=data_files/server7_int-ca.crt \
7356 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7357 ca_file=data_files/test-ca.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7358 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7359 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7360 "$P_CLI dtls=1 debug_level=2 \
7361 crt_file=data_files/server8_int-ca2.crt \
7362 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7363 ca_file=data_files/test-ca2.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7364 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7365 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7366 0 \
7367 -s "found fragmented DTLS handshake message" \
7368 -C "found fragmented DTLS handshake message" \
7369 -C "error"
7370
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7371requires_config_enabled MBEDTLS_RSA_C
7372requires_config_enabled MBEDTLS_ECDSA_C
7373run_test "DTLS fragmenting: server (MTU)" \
7374 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7375 crt_file=data_files/server7_int-ca.crt \
7376 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7377 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7378 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7379 mtu=512" \
7380 "$P_CLI dtls=1 debug_level=2 \
7381 crt_file=data_files/server8_int-ca2.crt \
7382 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7383 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7384 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7385 mtu=2048" \
7386 0 \
7387 -S "found fragmented DTLS handshake message" \
7388 -c "found fragmented DTLS handshake message" \
7389 -C "error"
7390
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7391requires_config_enabled MBEDTLS_RSA_C
7392requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7393run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7394 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7395 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7396 crt_file=data_files/server7_int-ca.crt \
7397 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7398 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7399 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]7400 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7401 "$P_CLI dtls=1 debug_level=2 \
7402 crt_file=data_files/server8_int-ca2.crt \
7403 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7404 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7405 hs_timeout=2500-60000 \
7406 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7407 0 \
7408 -s "found fragmented DTLS handshake message" \
7409 -c "found fragmented DTLS handshake message" \
7410 -C "error"
7411
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7412# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7413requires_config_enabled MBEDTLS_RSA_C
7414requires_config_enabled MBEDTLS_ECDSA_C
7415requires_config_enabled MBEDTLS_SHA256_C
7416requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7417requires_config_enabled MBEDTLS_AES_C
7418requires_config_enabled MBEDTLS_GCM_C
7419run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]7420 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7421 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7422 crt_file=data_files/server7_int-ca.crt \
7423 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7424 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7425 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7426 mtu=512" \
7427 "$P_CLI dtls=1 debug_level=2 \
7428 crt_file=data_files/server8_int-ca2.crt \
7429 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7430 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7431 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7432 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7433 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]7434 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]7435 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7436 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7437 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]7438
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7439# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7440# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7441# The ratio of max/min timeout should ideally equal 4 to accept two
7442# retransmissions, but in some cases (like both the server and client using
7443# fragmentation and auto-reduction) an extra retransmission might occur,
7444# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]7445not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7446requires_config_enabled MBEDTLS_RSA_C
7447requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7448requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7449requires_config_enabled MBEDTLS_AES_C
7450requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7451run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7452 -p "$P_PXY mtu=508" \
7453 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7454 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7455 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7456 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7457 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7458 "$P_CLI dtls=1 debug_level=2 \
7459 crt_file=data_files/server8_int-ca2.crt \
7460 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7461 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7462 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7463 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7464 0 \
7465 -s "found fragmented DTLS handshake message" \
7466 -c "found fragmented DTLS handshake message" \
7467 -C "error"
7468
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7469# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7470only_with_valgrind
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7471requires_config_enabled MBEDTLS_RSA_C
7472requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7473requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7474requires_config_enabled MBEDTLS_AES_C
7475requires_config_enabled MBEDTLS_GCM_C
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7476run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7477 -p "$P_PXY mtu=508" \
7478 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7479 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7480 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7481 ca_file=data_files/test-ca.crt \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7482 hs_timeout=250-10000" \
7483 "$P_CLI dtls=1 debug_level=2 \
7484 crt_file=data_files/server8_int-ca2.crt \
7485 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7486 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7487 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7488 hs_timeout=250-10000" \
7489 0 \
7490 -s "found fragmented DTLS handshake message" \
7491 -c "found fragmented DTLS handshake message" \
7492 -C "error"
7493
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7494# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]7495# OTOH the client might resend if the server is to slow to reset after sending
7496# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7497not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7498requires_config_enabled MBEDTLS_RSA_C
7499requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7500run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7501 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7502 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7503 crt_file=data_files/server7_int-ca.crt \
7504 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7505 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7506 hs_timeout=10000-60000 \
7507 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7508 "$P_CLI dtls=1 debug_level=2 \
7509 crt_file=data_files/server8_int-ca2.crt \
7510 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7511 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7512 hs_timeout=10000-60000 \
7513 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7514 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7515 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7516 -s "found fragmented DTLS handshake message" \
7517 -c "found fragmented DTLS handshake message" \
7518 -C "error"
7519
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7520# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7521# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
7522# OTOH the client might resend if the server is to slow to reset after sending
7523# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7524not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7525requires_config_enabled MBEDTLS_RSA_C
7526requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7527requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7528requires_config_enabled MBEDTLS_AES_C
7529requires_config_enabled MBEDTLS_GCM_C
7530run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7531 -p "$P_PXY mtu=512" \
7532 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7533 crt_file=data_files/server7_int-ca.crt \
7534 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7535 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7536 hs_timeout=10000-60000 \
7537 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7538 "$P_CLI dtls=1 debug_level=2 \
7539 crt_file=data_files/server8_int-ca2.crt \
7540 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7541 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7542 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7543 hs_timeout=10000-60000 \
7544 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7545 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7546 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7547 -s "found fragmented DTLS handshake message" \
7548 -c "found fragmented DTLS handshake message" \
7549 -C "error"
7550
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7551not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7552requires_config_enabled MBEDTLS_RSA_C
7553requires_config_enabled MBEDTLS_ECDSA_C
7554run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7555 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7556 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7557 crt_file=data_files/server7_int-ca.crt \
7558 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7559 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7560 hs_timeout=10000-60000 \
7561 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7562 "$P_CLI dtls=1 debug_level=2 \
7563 crt_file=data_files/server8_int-ca2.crt \
7564 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7565 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7566 hs_timeout=10000-60000 \
7567 mtu=1024 nbio=2" \
7568 0 \
7569 -S "autoreduction" \
7570 -s "found fragmented DTLS handshake message" \
7571 -c "found fragmented DTLS handshake message" \
7572 -C "error"
7573
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7574# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7575not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7576requires_config_enabled MBEDTLS_RSA_C
7577requires_config_enabled MBEDTLS_ECDSA_C
7578requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7579requires_config_enabled MBEDTLS_AES_C
7580requires_config_enabled MBEDTLS_GCM_C
7581run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
7582 -p "$P_PXY mtu=512" \
7583 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7584 crt_file=data_files/server7_int-ca.crt \
7585 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7586 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7587 hs_timeout=10000-60000 \
7588 mtu=512 nbio=2" \
7589 "$P_CLI dtls=1 debug_level=2 \
7590 crt_file=data_files/server8_int-ca2.crt \
7591 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7592 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7593 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7594 hs_timeout=10000-60000 \
7595 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7596 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7597 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7598 -s "found fragmented DTLS handshake message" \
7599 -c "found fragmented DTLS handshake message" \
7600 -C "error"
7601
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7602# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]7603# This ensures things still work after session_reset().
7604# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7605# Since we don't support reading fragmented ClientHello yet,
7606# up the MTU to 1450 (larger than ClientHello with session ticket,
7607# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7608# An autoreduction on the client-side might happen if the server is
7609# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7610# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7611# resumed listening, which would result in a spurious autoreduction.
7612not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7613requires_config_enabled MBEDTLS_RSA_C
7614requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7615requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7616requires_config_enabled MBEDTLS_AES_C
7617requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7618run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
7619 -p "$P_PXY mtu=1450" \
7620 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7621 crt_file=data_files/server7_int-ca.crt \
7622 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7623 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7624 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7625 mtu=1450" \
7626 "$P_CLI dtls=1 debug_level=2 \
7627 crt_file=data_files/server8_int-ca2.crt \
7628 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7629 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7630 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7631 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7632 mtu=1450 reconnect=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7633 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7634 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7635 -s "found fragmented DTLS handshake message" \
7636 -c "found fragmented DTLS handshake message" \
7637 -C "error"
7638
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7639# An autoreduction on the client-side might happen if the server is
7640# slow to reset, therefore omitting '-C "autoreduction"' below.
7641not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7642requires_config_enabled MBEDTLS_RSA_C
7643requires_config_enabled MBEDTLS_ECDSA_C
7644requires_config_enabled MBEDTLS_SHA256_C
7645requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7646requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7647requires_config_enabled MBEDTLS_CHACHAPOLY_C
7648run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
7649 -p "$P_PXY mtu=512" \
7650 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7651 crt_file=data_files/server7_int-ca.crt \
7652 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7653 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7654 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7655 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7656 mtu=512" \
7657 "$P_CLI dtls=1 debug_level=2 \
7658 crt_file=data_files/server8_int-ca2.crt \
7659 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7660 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7661 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7662 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7663 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7664 mtu=512" \
7665 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7666 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7667 -s "found fragmented DTLS handshake message" \
7668 -c "found fragmented DTLS handshake message" \
7669 -C "error"
7670
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7671# An autoreduction on the client-side might happen if the server is
7672# slow to reset, therefore omitting '-C "autoreduction"' below.
7673not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7674requires_config_enabled MBEDTLS_RSA_C
7675requires_config_enabled MBEDTLS_ECDSA_C
7676requires_config_enabled MBEDTLS_SHA256_C
7677requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7678requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7679requires_config_enabled MBEDTLS_AES_C
7680requires_config_enabled MBEDTLS_GCM_C
7681run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
7682 -p "$P_PXY mtu=512" \
7683 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7684 crt_file=data_files/server7_int-ca.crt \
7685 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7686 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7687 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7688 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7689 mtu=512" \
7690 "$P_CLI dtls=1 debug_level=2 \
7691 crt_file=data_files/server8_int-ca2.crt \
7692 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7693 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7694 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7695 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7696 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7697 mtu=512" \
7698 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7699 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7700 -s "found fragmented DTLS handshake message" \
7701 -c "found fragmented DTLS handshake message" \
7702 -C "error"
7703
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7704# An autoreduction on the client-side might happen if the server is
7705# slow to reset, therefore omitting '-C "autoreduction"' below.
7706not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7707requires_config_enabled MBEDTLS_RSA_C
7708requires_config_enabled MBEDTLS_ECDSA_C
7709requires_config_enabled MBEDTLS_SHA256_C
7710requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7711requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7712requires_config_enabled MBEDTLS_AES_C
7713requires_config_enabled MBEDTLS_CCM_C
7714run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7715 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7716 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7717 crt_file=data_files/server7_int-ca.crt \
7718 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7719 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7720 exchanges=2 renegotiation=1 \
7721 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7722 hs_timeout=10000-60000 \
7723 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7724 "$P_CLI dtls=1 debug_level=2 \
7725 crt_file=data_files/server8_int-ca2.crt \
7726 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7727 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7728 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7729 hs_timeout=10000-60000 \
7730 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7731 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7732 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7733 -s "found fragmented DTLS handshake message" \
7734 -c "found fragmented DTLS handshake message" \
7735 -C "error"
7736
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7737# An autoreduction on the client-side might happen if the server is
7738# slow to reset, therefore omitting '-C "autoreduction"' below.
7739not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7740requires_config_enabled MBEDTLS_RSA_C
7741requires_config_enabled MBEDTLS_ECDSA_C
7742requires_config_enabled MBEDTLS_SHA256_C
7743requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7744requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7745requires_config_enabled MBEDTLS_AES_C
7746requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7747requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
7748run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7749 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7750 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7751 crt_file=data_files/server7_int-ca.crt \
7752 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7753 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7754 exchanges=2 renegotiation=1 \
7755 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7756 hs_timeout=10000-60000 \
7757 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7758 "$P_CLI dtls=1 debug_level=2 \
7759 crt_file=data_files/server8_int-ca2.crt \
7760 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7761 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7762 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7763 hs_timeout=10000-60000 \
7764 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7765 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7766 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7767 -s "found fragmented DTLS handshake message" \
7768 -c "found fragmented DTLS handshake message" \
7769 -C "error"
7770
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7771# An autoreduction on the client-side might happen if the server is
7772# slow to reset, therefore omitting '-C "autoreduction"' below.
7773not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7774requires_config_enabled MBEDTLS_RSA_C
7775requires_config_enabled MBEDTLS_ECDSA_C
7776requires_config_enabled MBEDTLS_SHA256_C
7777requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7778requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7779requires_config_enabled MBEDTLS_AES_C
7780requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7781run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7782 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7783 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7784 crt_file=data_files/server7_int-ca.crt \
7785 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7786 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7787 exchanges=2 renegotiation=1 \
7788 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7789 hs_timeout=10000-60000 \
7790 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7791 "$P_CLI dtls=1 debug_level=2 \
7792 crt_file=data_files/server8_int-ca2.crt \
7793 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7794 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7795 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7796 hs_timeout=10000-60000 \
7797 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7798 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7799 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7800 -s "found fragmented DTLS handshake message" \
7801 -c "found fragmented DTLS handshake message" \
7802 -C "error"
7803
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7804# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7805requires_config_enabled MBEDTLS_RSA_C
7806requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7807requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7808requires_config_enabled MBEDTLS_AES_C
7809requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7810client_needs_more_time 2
7811run_test "DTLS fragmenting: proxy MTU + 3d" \
7812 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7813 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7814 crt_file=data_files/server7_int-ca.crt \
7815 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7816 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7817 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7818 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7819 crt_file=data_files/server8_int-ca2.crt \
7820 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7821 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7822 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7823 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7824 0 \
7825 -s "found fragmented DTLS handshake message" \
7826 -c "found fragmented DTLS handshake message" \
7827 -C "error"
7828
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7829# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7830requires_config_enabled MBEDTLS_RSA_C
7831requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7832requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7833requires_config_enabled MBEDTLS_AES_C
7834requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7835client_needs_more_time 2
7836run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
7837 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
7838 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7839 crt_file=data_files/server7_int-ca.crt \
7840 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7841 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7842 hs_timeout=250-10000 mtu=512 nbio=2" \
7843 "$P_CLI dtls=1 debug_level=2 \
7844 crt_file=data_files/server8_int-ca2.crt \
7845 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7846 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7847 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7848 hs_timeout=250-10000 mtu=512 nbio=2" \
7849 0 \
7850 -s "found fragmented DTLS handshake message" \
7851 -c "found fragmented DTLS handshake message" \
7852 -C "error"
7853
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7854# interop tests for DTLS fragmentating with reliable connection
7855#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7856# here and below we just want to test that the we fragment in a way that
7857# pleases other implementations, so we don't need the peer to fragment
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7858requires_config_enabled MBEDTLS_RSA_C
7859requires_config_enabled MBEDTLS_ECDSA_C
7860requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7861requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7862run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
7863 "$G_SRV -u" \
7864 "$P_CLI dtls=1 debug_level=2 \
7865 crt_file=data_files/server8_int-ca2.crt \
7866 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7867 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7868 mtu=512 force_version=dtls1_2" \
7869 0 \
7870 -c "fragmenting handshake message" \
7871 -C "error"
7872
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7873requires_config_enabled MBEDTLS_RSA_C
7874requires_config_enabled MBEDTLS_ECDSA_C
7875requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7876requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7877run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
7878 "$G_SRV -u" \
7879 "$P_CLI dtls=1 debug_level=2 \
7880 crt_file=data_files/server8_int-ca2.crt \
7881 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7882 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7883 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7884 0 \
7885 -c "fragmenting handshake message" \
7886 -C "error"
7887
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7888# We use --insecure for the GnuTLS client because it expects
7889# the hostname / IP it connects to to be the name used in the
7890# certificate obtained from the server. Here, however, it
7891# connects to 127.0.0.1 while our test certificates use 'localhost'
7892# as the server name in the certificate. This will make the
7893# certifiate validation fail, but passing --insecure makes
7894# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7895requires_config_enabled MBEDTLS_RSA_C
7896requires_config_enabled MBEDTLS_ECDSA_C
7897requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7898requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7899requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7900run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7901 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7902 crt_file=data_files/server7_int-ca.crt \
7903 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7904 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7905 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7906 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7907 0 \
7908 -s "fragmenting handshake message"
7909
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7910# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7911requires_config_enabled MBEDTLS_RSA_C
7912requires_config_enabled MBEDTLS_ECDSA_C
7913requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7914requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7915requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7916run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7917 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7918 crt_file=data_files/server7_int-ca.crt \
7919 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7920 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7921 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7922 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7923 0 \
7924 -s "fragmenting handshake message"
7925
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7926requires_config_enabled MBEDTLS_RSA_C
7927requires_config_enabled MBEDTLS_ECDSA_C
7928requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7929run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
7930 "$O_SRV -dtls1_2 -verify 10" \
7931 "$P_CLI dtls=1 debug_level=2 \
7932 crt_file=data_files/server8_int-ca2.crt \
7933 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7934 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7935 mtu=512 force_version=dtls1_2" \
7936 0 \
7937 -c "fragmenting handshake message" \
7938 -C "error"
7939
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7940requires_config_enabled MBEDTLS_RSA_C
7941requires_config_enabled MBEDTLS_ECDSA_C
7942requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7943run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
7944 "$O_SRV -dtls1 -verify 10" \
7945 "$P_CLI dtls=1 debug_level=2 \
7946 crt_file=data_files/server8_int-ca2.crt \
7947 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7948 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7949 mtu=512 force_version=dtls1" \
7950 0 \
7951 -c "fragmenting handshake message" \
7952 -C "error"
7953
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7954requires_config_enabled MBEDTLS_RSA_C
7955requires_config_enabled MBEDTLS_ECDSA_C
7956requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7957run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
7958 "$P_SRV dtls=1 debug_level=2 \
7959 crt_file=data_files/server7_int-ca.crt \
7960 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7961 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7962 mtu=512 force_version=dtls1_2" \
7963 "$O_CLI -dtls1_2" \
7964 0 \
7965 -s "fragmenting handshake message"
7966
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7967requires_config_enabled MBEDTLS_RSA_C
7968requires_config_enabled MBEDTLS_ECDSA_C
7969requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7970run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
7971 "$P_SRV dtls=1 debug_level=2 \
7972 crt_file=data_files/server7_int-ca.crt \
7973 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7974 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7975 mtu=512 force_version=dtls1" \
7976 "$O_CLI -dtls1" \
7977 0 \
7978 -s "fragmenting handshake message"
7979
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7980# interop tests for DTLS fragmentating with unreliable connection
7981#
7982# again we just want to test that the we fragment in a way that
7983# pleases other implementations, so we don't need the peer to fragment
7984requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7985requires_config_enabled MBEDTLS_RSA_C
7986requires_config_enabled MBEDTLS_ECDSA_C
7987requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7988client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7989run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
7990 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7991 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7992 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7993 crt_file=data_files/server8_int-ca2.crt \
7994 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7995 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7996 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7997 0 \
7998 -c "fragmenting handshake message" \
7999 -C "error"
8000
8001requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8002requires_config_enabled MBEDTLS_RSA_C
8003requires_config_enabled MBEDTLS_ECDSA_C
8004requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8005client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8006run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
8007 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8008 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8009 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8010 crt_file=data_files/server8_int-ca2.crt \
8011 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8012 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8013 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8014 0 \
8015 -c "fragmenting handshake message" \
8016 -C "error"
8017
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8018requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8019requires_config_enabled MBEDTLS_RSA_C
8020requires_config_enabled MBEDTLS_ECDSA_C
8021requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8022client_needs_more_time 4
8023run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
8024 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8025 "$P_SRV dtls=1 debug_level=2 \
8026 crt_file=data_files/server7_int-ca.crt \
8027 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8028 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8029 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8030 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8031 0 \
8032 -s "fragmenting handshake message"
8033
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8034requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8035requires_config_enabled MBEDTLS_RSA_C
8036requires_config_enabled MBEDTLS_ECDSA_C
8037requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8038client_needs_more_time 4
8039run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
8040 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8041 "$P_SRV dtls=1 debug_level=2 \
8042 crt_file=data_files/server7_int-ca.crt \
8043 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8044 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8045 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8046 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8047 0 \
8048 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8049
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8050## Interop test with OpenSSL might trigger a bug in recent versions (including
8051## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8052## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8053## They should be re-enabled once a fixed version of OpenSSL is available
8054## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8055skip_next_test
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8056requires_config_enabled MBEDTLS_RSA_C
8057requires_config_enabled MBEDTLS_ECDSA_C
8058requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8059client_needs_more_time 4
8060run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
8061 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8062 "$O_SRV -dtls1_2 -verify 10" \
8063 "$P_CLI dtls=1 debug_level=2 \
8064 crt_file=data_files/server8_int-ca2.crt \
8065 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8066 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8067 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8068 0 \
8069 -c "fragmenting handshake message" \
8070 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8071
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8072skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8073requires_config_enabled MBEDTLS_RSA_C
8074requires_config_enabled MBEDTLS_ECDSA_C
8075requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8076client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8077run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
8078 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8079 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8080 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8081 crt_file=data_files/server8_int-ca2.crt \
8082 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8083 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8084 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8085 0 \
8086 -c "fragmenting handshake message" \
8087 -C "error"
8088
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8089skip_next_test
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8090requires_config_enabled MBEDTLS_RSA_C
8091requires_config_enabled MBEDTLS_ECDSA_C
8092requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8093client_needs_more_time 4
8094run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
8095 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8096 "$P_SRV dtls=1 debug_level=2 \
8097 crt_file=data_files/server7_int-ca.crt \
8098 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8099 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8100 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8101 "$O_CLI -dtls1_2" \
8102 0 \
8103 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8104
8105# -nbio is added to prevent s_client from blocking in case of duplicated
8106# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8107skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8108requires_config_enabled MBEDTLS_RSA_C
8109requires_config_enabled MBEDTLS_ECDSA_C
8110requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8111client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8112run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
8113 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8114 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8115 crt_file=data_files/server7_int-ca.crt \
8116 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8117 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8118 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8119 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8120 0 \
8121 -s "fragmenting handshake message"
8122
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8123# Tests for specific things with "unreliable" UDP connection
8124
8125not_with_valgrind # spurious resend due to timeout
8126run_test "DTLS proxy: reference" \
8127 -p "$P_PXY" \
8128 "$P_SRV dtls=1 debug_level=2" \
8129 "$P_CLI dtls=1 debug_level=2" \
8130 0 \
8131 -C "replayed record" \
8132 -S "replayed record" \
Hanno Beckere03eb7b2019-07-19 15:43:09 +0100[diff] [blame]8133 -C "Buffer record from epoch" \
8134 -S "Buffer record from epoch" \
8135 -C "ssl_buffer_message" \
8136 -S "ssl_buffer_message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8137 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8138 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8139 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8140 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8141 -c "HTTP/1.0 200 OK"
8142
8143not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8144run_test "DTLS proxy: duplicate every packet" \
8145 -p "$P_PXY duplicate=1" \
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]8146 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8147 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8148 0 \
8149 -c "replayed record" \
8150 -s "replayed record" \
8151 -c "record from another epoch" \
8152 -s "record from another epoch" \
8153 -S "resend" \
8154 -s "Extra-header:" \
8155 -c "HTTP/1.0 200 OK"
8156
8157run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
8158 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8159 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
8160 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8161 0 \
8162 -c "replayed record" \
8163 -S "replayed record" \
8164 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8165 -s "record from another epoch" \
8166 -c "resend" \
8167 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8168 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8169 -c "HTTP/1.0 200 OK"
8170
8171run_test "DTLS proxy: multiple records in same datagram" \
8172 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8173 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8174 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8175 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8176 -c "next record in same datagram" \
8177 -s "next record in same datagram"
8178
8179run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
8180 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8181 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8182 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8183 0 \
8184 -c "next record in same datagram" \
8185 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8186
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8187run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
8188 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8189 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
8190 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8191 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8192 -c "discarding invalid record (mac)" \
8193 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8194 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8195 -c "HTTP/1.0 200 OK" \
8196 -S "too many records with bad MAC" \
8197 -S "Verification of the message MAC failed"
8198
8199run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
8200 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8201 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
8202 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8203 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8204 -C "discarding invalid record (mac)" \
8205 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8206 -S "Extra-header:" \
8207 -C "HTTP/1.0 200 OK" \
8208 -s "too many records with bad MAC" \
8209 -s "Verification of the message MAC failed"
8210
8211run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
8212 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8213 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
8214 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8215 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8216 -c "discarding invalid record (mac)" \
8217 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8218 -s "Extra-header:" \
8219 -c "HTTP/1.0 200 OK" \
8220 -S "too many records with bad MAC" \
8221 -S "Verification of the message MAC failed"
8222
8223run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
8224 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8225 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
8226 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8227 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8228 -c "discarding invalid record (mac)" \
8229 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8230 -s "Extra-header:" \
8231 -c "HTTP/1.0 200 OK" \
8232 -s "too many records with bad MAC" \
8233 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8234
8235run_test "DTLS proxy: delay ChangeCipherSpec" \
8236 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]8237 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
8238 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8239 0 \
8240 -c "record from another epoch" \
8241 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8242 -s "Extra-header:" \
8243 -c "HTTP/1.0 200 OK"
8244
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8245# Tests for reordering support with DTLS
8246
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8247run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
8248 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8249 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8250 hs_timeout=2500-60000" \
8251 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8252 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8253 0 \
8254 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8255 -c "Next handshake message has been buffered - load"\
8256 -S "Buffering HS message" \
8257 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8258 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8259 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8260 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8261 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8262
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8263run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
8264 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8265 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8266 hs_timeout=2500-60000" \
8267 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8268 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8269 0 \
8270 -c "Buffering HS message" \
8271 -c "found fragmented DTLS handshake message"\
8272 -c "Next handshake message 1 not or only partially bufffered" \
8273 -c "Next handshake message has been buffered - load"\
8274 -S "Buffering HS message" \
8275 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8276 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8277 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8278 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8279 -S "Remember CCS message"
8280
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8281# The client buffers the ServerKeyExchange before receiving the fragmented
8282# Certificate message; at the time of writing, together these are aroudn 1200b
8283# in size, so that the bound below ensures that the certificate can be reassembled
8284# while keeping the ServerKeyExchange.
8285requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
8286run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8287 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8288 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8289 hs_timeout=2500-60000" \
8290 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8291 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8292 0 \
8293 -c "Buffering HS message" \
8294 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8295 -C "attempt to make space by freeing buffered messages" \
8296 -S "Buffering HS message" \
8297 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8298 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8299 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8300 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8301 -S "Remember CCS message"
8302
8303# The size constraints ensure that the delayed certificate message can't
8304# be reassembled while keeping the ServerKeyExchange message, but it can
8305# when dropping it first.
8306requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
8307requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
8308run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
8309 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8310 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8311 hs_timeout=2500-60000" \
8312 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8313 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8314 0 \
8315 -c "Buffering HS message" \
8316 -c "attempt to make space by freeing buffered future messages" \
8317 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8318 -S "Buffering HS message" \
8319 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8320 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8321 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8322 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8323 -S "Remember CCS message"
8324
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8325run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
8326 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8327 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
8328 hs_timeout=2500-60000" \
8329 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8330 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8331 0 \
8332 -C "Buffering HS message" \
8333 -C "Next handshake message has been buffered - load"\
8334 -s "Buffering HS message" \
8335 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8336 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8337 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8338 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8339 -S "Remember CCS message"
8340
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]8341# This needs session tickets; otherwise CCS is the first message in its flight
8342requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8343run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
8344 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8345 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8346 hs_timeout=2500-60000" \
8347 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8348 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8349 0 \
8350 -C "Buffering HS message" \
8351 -C "Next handshake message has been buffered - load"\
8352 -S "Buffering HS message" \
8353 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8354 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8355 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8356 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8357 -S "Remember CCS message"
8358
8359run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
8360 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8361 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8362 hs_timeout=2500-60000" \
8363 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8364 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8365 0 \
8366 -C "Buffering HS message" \
8367 -C "Next handshake message has been buffered - load"\
8368 -S "Buffering HS message" \
8369 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8370 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8371 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8372 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8373 -s "Remember CCS message"
8374
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8375run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8376 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8377 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8378 hs_timeout=2500-60000" \
8379 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8380 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]8381 0 \
8382 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8383 -s "Found buffered record from current epoch - load" \
8384 -c "Buffer record from epoch 1" \
8385 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8386
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8387# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
8388# from the server are delayed, so that the encrypted Finished message
8389# is received and buffered. When the fragmented NewSessionTicket comes
8390# in afterwards, the encrypted Finished message must be freed in order
8391# to make space for the NewSessionTicket to be reassembled.
8392# This works only in very particular circumstances:
8393# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
8394# of the NewSessionTicket, but small enough to also allow buffering of
8395# the encrypted Finished message.
8396# - The MTU setting on the server must be so small that the NewSessionTicket
8397# needs to be fragmented.
8398# - All messages sent by the server must be small enough to be either sent
8399# without fragmentation or be reassembled within the bounds of
8400# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
8401# handshake, omitting CRTs.
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8402requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
8403requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8404run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
8405 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8406 "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8407 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
8408 0 \
8409 -s "Buffer record from epoch 1" \
8410 -s "Found buffered record from current epoch - load" \
8411 -c "Buffer record from epoch 1" \
8412 -C "Found buffered record from current epoch - load" \
8413 -c "Enough space available after freeing future epoch record"
8414
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]8415# Tests for "randomly unreliable connection": try a variety of flows and peers
8416
8417client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8418run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
8419 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8420 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8421 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8422 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8423 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8424 0 \
8425 -s "Extra-header:" \
8426 -c "HTTP/1.0 200 OK"
8427
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8428client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8429run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
8430 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8431 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8432 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8433 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
8434 0 \
8435 -s "Extra-header:" \
8436 -c "HTTP/1.0 200 OK"
8437
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8438client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8439run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
8440 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8441 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8442 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8443 0 \
8444 -s "Extra-header:" \
8445 -c "HTTP/1.0 200 OK"
8446
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8447client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8448run_test "DTLS proxy: 3d, FS, client auth" \
8449 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8450 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
8451 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8452 0 \
8453 -s "Extra-header:" \
8454 -c "HTTP/1.0 200 OK"
8455
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8456client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8457run_test "DTLS proxy: 3d, FS, ticket" \
8458 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8459 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
8460 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8461 0 \
8462 -s "Extra-header:" \
8463 -c "HTTP/1.0 200 OK"
8464
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8465client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8466run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
8467 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8468 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
8469 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8470 0 \
8471 -s "Extra-header:" \
8472 -c "HTTP/1.0 200 OK"
8473
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8474client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8475run_test "DTLS proxy: 3d, max handshake, nbio" \
8476 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8477 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8478 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8479 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8480 0 \
8481 -s "Extra-header:" \
8482 -c "HTTP/1.0 200 OK"
8483
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8484client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8485requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8486requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8487requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8488run_test "DTLS proxy: 3d, min handshake, resumption" \
8489 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8490 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8491 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8492 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8493 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8494 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8495 0 \
8496 -s "a session has been resumed" \
8497 -c "a session has been resumed" \
8498 -s "Extra-header:" \
8499 -c "HTTP/1.0 200 OK"
8500
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8501client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8502requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8503requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8504requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8505run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
8506 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8507 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8508 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8509 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8510 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8511 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
8512 0 \
8513 -s "a session has been resumed" \
8514 -c "a session has been resumed" \
8515 -s "Extra-header:" \
8516 -c "HTTP/1.0 200 OK"
8517
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8518client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8519requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8520run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8521 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8522 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8523 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8524 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8525 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8526 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8527 0 \
8528 -c "=> renegotiate" \
8529 -s "=> renegotiate" \
8530 -s "Extra-header:" \
8531 -c "HTTP/1.0 200 OK"
8532
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8533client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8534requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8535run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
8536 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8537 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8538 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8539 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8540 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8541 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8542 0 \
8543 -c "=> renegotiate" \
8544 -s "=> renegotiate" \
8545 -s "Extra-header:" \
8546 -c "HTTP/1.0 200 OK"
8547
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8548client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8549requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8550run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8551 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8552 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8553 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8554 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8555 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8556 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8557 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8558 0 \
8559 -c "=> renegotiate" \
8560 -s "=> renegotiate" \
8561 -s "Extra-header:" \
8562 -c "HTTP/1.0 200 OK"
8563
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8564client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8565requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8566run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8567 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8568 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8569 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8570 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8571 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8572 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8573 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8574 0 \
8575 -c "=> renegotiate" \
8576 -s "=> renegotiate" \
8577 -s "Extra-header:" \
8578 -c "HTTP/1.0 200 OK"
8579
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8580## Interop tests with OpenSSL might trigger a bug in recent versions (including
8581## all versions installed on the CI machines), reported here:
8582## Bug report: https://github.com/openssl/openssl/issues/6902
8583## They should be re-enabled once a fixed version of OpenSSL is available
8584## (this should happen in some 1.1.1_ release according to the ticket).
8585skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8586client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8587not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8588run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8589 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8590 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8591 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8592 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8593 -c "HTTP/1.0 200 OK"
8594
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8595skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8596client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8597not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8598run_test "DTLS proxy: 3d, openssl server, fragmentation" \
8599 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8600 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8601 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8602 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8603 -c "HTTP/1.0 200 OK"
8604
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8605skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8606client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8607not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8608run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
8609 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8610 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8611 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8612 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8613 -c "HTTP/1.0 200 OK"
8614
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]8615requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8616client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8617not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8618run_test "DTLS proxy: 3d, gnutls server" \
8619 -p "$P_PXY drop=5 delay=5 duplicate=5" \
8620 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8621 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8622 0 \
8623 -s "Extra-header:" \
8624 -c "Extra-header:"
8625
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8626requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8627client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8628not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8629run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
8630 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8631 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8632 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8633 0 \
8634 -s "Extra-header:" \
8635 -c "Extra-header:"
8636
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8637requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8638client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8639not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8640run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
8641 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8642 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8643 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8644 0 \
8645 -s "Extra-header:" \
8646 -c "Extra-header:"
8647
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]8648# Final report
8649
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8650echo "------------------------------------------------------------------------"
8651
8652if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8653 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8654else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8655 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8656fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]8657PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]8658echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8659
8660exit $FAILS