TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 49349bacb9f462b7f394f8bdd4f1cf1428a01c58 / . / tests / ssl-opt.sh
blob: ff1ab8535668cf0a5485c06f5b29157559453427 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]9# Assumes a build with default options.
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]13# default values, can be overriden by the environment
14: ${P_SRV:=../programs/ssl/ssl_server2}
15: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]16: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]17: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]18: ${GNUTLS_CLI:=gnutls-cli}
19: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]20: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]22O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]23O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]24G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]25G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]26TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]27
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]28TESTS=0
29FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]30SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]33
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]34MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]35FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]36EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]37
38print_usage() {
39 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]40 printf " -h|--help\tPrint this help.\n"
41 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
42 printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
43 printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]44}
45
46get_options() {
47 while [ $# -gt 0 ]; do
48 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]49 -f|--filter)
50 shift; FILTER=$1
51 ;;
52 -e|--exclude)
53 shift; EXCLUDE=$1
54 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]55 -m|--memcheck)
56 MEMCHECK=1
57 ;;
58 -h|--help)
59 print_usage
60 exit 0
61 ;;
62 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]63 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]64 print_usage
65 exit 1
66 ;;
67 esac
68 shift
69 done
70}
71
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]72# skip next test if the flag is not enabled in config.h
73requires_config_enabled() {
74 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
75 SKIP_NEXT="YES"
76 fi
77}
78
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]79# skip next test if the flag is enabled in config.h
80requires_config_disabled() {
81 if grep "^#define $1" $CONFIG_H > /dev/null; then
82 SKIP_NEXT="YES"
83 fi
84}
85
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]86# skip next test if OpenSSL doesn't support FALLBACK_SCSV
87requires_openssl_with_fallback_scsv() {
88 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
89 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
90 then
91 OPENSSL_HAS_FBSCSV="YES"
92 else
93 OPENSSL_HAS_FBSCSV="NO"
94 fi
95 fi
96 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
97 SKIP_NEXT="YES"
98 fi
99}
100
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]101# skip next test if GnuTLS isn't available
102requires_gnutls() {
103 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]104 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]105 GNUTLS_AVAILABLE="YES"
106 else
107 GNUTLS_AVAILABLE="NO"
108 fi
109 fi
110 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
111 SKIP_NEXT="YES"
112 fi
113}
114
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]115# skip next test if IPv6 isn't available on this host
116requires_ipv6() {
117 if [ -z "${HAS_IPV6:-}" ]; then
118 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
119 SRV_PID=$!
120 sleep 1
121 kill $SRV_PID >/dev/null 2>&1
122 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
123 HAS_IPV6="NO"
124 else
125 HAS_IPV6="YES"
126 fi
127 rm -r $SRV_OUT
128 fi
129
130 if [ "$HAS_IPV6" = "NO" ]; then
131 SKIP_NEXT="YES"
132 fi
133}
134
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]135# skip the next test if valgrind is in use
136not_with_valgrind() {
137 if [ "$MEMCHECK" -gt 0 ]; then
138 SKIP_NEXT="YES"
139 fi
140}
141
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]142# skip the next test if valgrind is NOT in use
143only_with_valgrind() {
144 if [ "$MEMCHECK" -eq 0 ]; then
145 SKIP_NEXT="YES"
146 fi
147}
148
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]149# multiply the client timeout delay by the given factor for the next test
150needs_more_time() {
151 CLI_DELAY_FACTOR=$1
152}
153
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]154# print_name <name>
155print_name() {
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]156 printf "$1 "
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]157 LEN=$(( 72 - `echo "$1" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]158 for i in `seq 1 $LEN`; do printf '.'; done
159 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]160
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]161 TESTS=$(( $TESTS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]162}
163
164# fail <message>
165fail() {
166 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]167 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]168
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]169 mv $SRV_OUT o-srv-${TESTS}.log
170 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]171 if [ -n "$PXY_CMD" ]; then
172 mv $PXY_OUT o-pxy-${TESTS}.log
173 fi
174 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]175
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]176 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
177 echo " ! server output:"
178 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]179 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]180 echo " ! client output:"
181 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]182 if [ -n "$PXY_CMD" ]; then
183 echo " ! ========================================================"
184 echo " ! proxy output:"
185 cat o-pxy-${TESTS}.log
186 fi
187 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]188 fi
189
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]190 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]191}
192
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]193# is_polar <cmd_line>
194is_polar() {
195 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
196}
197
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]198# openssl s_server doesn't have -www with DTLS
199check_osrv_dtls() {
200 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
201 NEEDS_INPUT=1
202 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
203 else
204 NEEDS_INPUT=0
205 fi
206}
207
208# provide input to commands that need it
209provide_input() {
210 if [ $NEEDS_INPUT -eq 0 ]; then
211 return
212 fi
213
214 while true; do
215 echo "HTTP/1.0 200 OK"
216 sleep 1
217 done
218}
219
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]220# has_mem_err <log_file_name>
221has_mem_err() {
222 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
223 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
224 then
225 return 1 # false: does not have errors
226 else
227 return 0 # true: has errors
228 fi
229}
230
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]231# wait for server to start: two versions depending on lsof availability
232wait_server_start() {
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]233 if which lsof >/dev/null 2>&1; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]234 START_TIME=$( date +%s )
235 DONE=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]236
237 # make a tight loop, server usually takes less than 1 sec to start
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]238 if [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]239 while [ $DONE -eq 0 ]; do
240 if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null
241 then
242 DONE=1
243 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
244 echo "SERVERSTART TIMEOUT"
245 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
246 DONE=1
247 fi
248 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]249 else
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]250 while [ $DONE -eq 0 ]; do
251 if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null
252 then
253 DONE=1
254 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
255 echo "SERVERSTART TIMEOUT"
256 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
257 DONE=1
258 fi
259 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]260 fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]261 else
262 sleep "$START_DELAY"
263 fi
264}
265
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]266# wait for client to terminate and set CLI_EXIT
267# must be called right after starting the client
268wait_client_done() {
269 CLI_PID=$!
270
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]271 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
272 CLI_DELAY_FACTOR=1
273
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]274 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]275 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]276
277 wait $CLI_PID
278 CLI_EXIT=$?
279
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]280 kill $DOG_PID >/dev/null 2>&1
281 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]282
283 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
284}
285
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]286# check if the given command uses dtls and sets global variable DTLS
287detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]288 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]289 DTLS=1
290 else
291 DTLS=0
292 fi
293}
294
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]295# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]296# Options: -s pattern pattern that must be present in server output
297# -c pattern pattern that must be present in client output
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]298# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]299# -S pattern pattern that must be absent in server output
300# -C pattern pattern that must be absent in client output
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]301# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]302run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]303 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]304 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]305
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]306 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
307 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]308 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]309 return
310 fi
311
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]312 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]313
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]314 # should we skip?
315 if [ "X$SKIP_NEXT" = "XYES" ]; then
316 SKIP_NEXT="NO"
317 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]318 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]319 return
320 fi
321
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]322 # does this test use a proxy?
323 if [ "X$1" = "X-p" ]; then
324 PXY_CMD="$2"
325 shift 2
326 else
327 PXY_CMD=""
328 fi
329
330 # get commands and client output
331 SRV_CMD="$1"
332 CLI_CMD="$2"
333 CLI_EXPECT="$3"
334 shift 3
335
336 # fix client port
337 if [ -n "$PXY_CMD" ]; then
338 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
339 else
340 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
341 fi
342
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]343 # update DTLS variable
344 detect_dtls "$SRV_CMD"
345
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]346 # prepend valgrind to our commands if active
347 if [ "$MEMCHECK" -gt 0 ]; then
348 if is_polar "$SRV_CMD"; then
349 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
350 fi
351 if is_polar "$CLI_CMD"; then
352 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
353 fi
354 fi
355
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]356 TIMES_LEFT=2
357 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]358 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]359
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]360 # run the commands
361 if [ -n "$PXY_CMD" ]; then
362 echo "$PXY_CMD" > $PXY_OUT
363 $PXY_CMD >> $PXY_OUT 2>&1 &
364 PXY_PID=$!
365 # assume proxy starts faster than server
366 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]367
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]368 check_osrv_dtls
369 echo "$SRV_CMD" > $SRV_OUT
370 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
371 SRV_PID=$!
372 wait_server_start
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]373
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]374 echo "$CLI_CMD" > $CLI_OUT
375 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
376 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]377
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]378 # terminate the server (and the proxy)
379 kill $SRV_PID
380 wait $SRV_PID
381 if [ -n "$PXY_CMD" ]; then
382 kill $PXY_PID >/dev/null 2>&1
383 wait $PXY_PID
384 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]385
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]386 # retry only on timeouts
387 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
388 printf "RETRY "
389 else
390 TIMES_LEFT=0
391 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]392 done
393
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]394 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]395 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]396 # expected client exit to incorrectly succeed in case of catastrophic
397 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]398 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]399 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]400 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]401 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]402 return
403 fi
404 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]405 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]406 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]407 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]408 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]409 return
410 fi
411 fi
412
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]413 # check server exit code
414 if [ $? != 0 ]; then
415 fail "server fail"
416 return
417 fi
418
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]419 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]420 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
421 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]422 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]423 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]424 return
425 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]426
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]427 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]428 # lines beginning with == are added by valgrind, ignore them
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]429 while [ $# -gt 0 ]
430 do
431 case $1 in
432 "-s")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]433 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
434 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]435 return
436 fi
437 ;;
438
439 "-c")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]440 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
441 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]442 return
443 fi
444 ;;
445
446 "-S")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]447 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
448 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]449 return
450 fi
451 ;;
452
453 "-C")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]454 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
455 fail "pattern '$2' MUST NOT be present in the Client output"
456 return
457 fi
458 ;;
459
460 # The filtering in the following two options (-u and -U) do the following
461 # - ignore valgrind output
462 # - filter out everything but lines right after the pattern occurances
463 # - keep one of each non-unique line
464 # - count how many lines remain
465 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
466 # if there were no duplicates.
467 "-U")
468 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
469 fail "lines following pattern '$2' must be unique in Server output"
470 return
471 fi
472 ;;
473
474 "-u")
475 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
476 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]477 return
478 fi
479 ;;
480
481 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]482 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]483 exit 1
484 esac
485 shift 2
486 done
487
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]488 # check valgrind's results
489 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]490 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]491 fail "Server has memory errors"
492 return
493 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]494 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]495 fail "Client has memory errors"
496 return
497 fi
498 fi
499
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]500 # if we're here, everything is ok
501 echo "PASS"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]502 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]503}
504
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]505cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]506 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]507 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
508 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
509 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
510 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]511 exit 1
512}
513
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]514#
515# MAIN
516#
517
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]518if cd $( dirname $0 ); then :; else
519 echo "cd $( dirname $0 ) failed" >&2
520 exit 1
521fi
522
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]523get_options "$@"
524
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]525# sanity checks, avoid an avalanche of errors
526if [ ! -x "$P_SRV" ]; then
527 echo "Command '$P_SRV' is not an executable file"
528 exit 1
529fi
530if [ ! -x "$P_CLI" ]; then
531 echo "Command '$P_CLI' is not an executable file"
532 exit 1
533fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]534if [ ! -x "$P_PXY" ]; then
535 echo "Command '$P_PXY' is not an executable file"
536 exit 1
537fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]538if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
539 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]540 exit 1
541fi
542
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]543# used by watchdog
544MAIN_PID="$$"
545
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]546# be more patient with valgrind
547if [ "$MEMCHECK" -gt 0 ]; then
548 START_DELAY=3
549 DOG_DELAY=30
550else
551 START_DELAY=1
552 DOG_DELAY=10
553fi
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]554CLI_DELAY_FACTOR=1
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]555
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]556# Pick a "unique" server port in the range 10000-19999, and a proxy port
557PORT_BASE="0000$$"
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]558PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]559SRV_PORT="1$PORT_BASE"
560PXY_PORT="2$PORT_BASE"
561unset PORT_BASE
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]562
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]563# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]564# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]565P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
566P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
567P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]568O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]569O_CLI="$O_CLI -connect localhost:+SRV_PORT"
570G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]571G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]572
Gilles Peskine35db5ba2017-05-10 10:13:59 +0200[diff] [blame]573# Allow SHA-1, because many of our test certificates use it
574P_SRV="$P_SRV allow_sha1=1"
575P_CLI="$P_CLI allow_sha1=1"
576
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]577# Also pick a unique name for intermediate files
578SRV_OUT="srv_out.$$"
579CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]580PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]581SESSION="session.$$"
582
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]583SKIP_NEXT="NO"
584
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]585trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]586
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]587# Basic test
588
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]589# Checks that:
590# - things work with all ciphersuites active (used with config-full in all.sh)
591# - the expected (highest security) parameters are selected
592# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]593run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]594 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]595 "$P_CLI" \
596 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]597 -s "Protocol is TLSv1.2" \
598 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
599 -s "client hello v3, signature_algorithm ext: 6" \
600 -s "ECDHE curve: secp521r1" \
601 -S "error" \
602 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]603
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]604run_test "Default, DTLS" \
605 "$P_SRV dtls=1" \
606 "$P_CLI dtls=1" \
607 0 \
608 -s "Protocol is DTLSv1.2" \
609 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
610
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]611# Test for uniqueness of IVs in AEAD ciphersuites
612run_test "Unique IV in GCM" \
613 "$P_SRV exchanges=20 debug_level=4" \
614 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
615 0 \
616 -u "IV used" \
617 -U "IV used"
618
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]619# Tests for rc4 option
620
Simon Butcher6eb066e2016-05-19 22:12:18 +0100[diff] [blame]621requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]622run_test "RC4: server disabled, client enabled" \
623 "$P_SRV" \
624 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
625 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]626 -s "SSL - The server has no ciphersuites in common"
627
Simon Butcher6eb066e2016-05-19 22:12:18 +0100[diff] [blame]628requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]629run_test "RC4: server half, client enabled" \
630 "$P_SRV arc4=1" \
631 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
632 1 \
633 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]634
635run_test "RC4: server enabled, client disabled" \
636 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
637 "$P_CLI" \
638 1 \
639 -s "SSL - The server has no ciphersuites in common"
640
641run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]642 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]643 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
644 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]645 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]646 -S "SSL - The server has no ciphersuites in common"
647
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]648# Tests for SHA-1 support
649
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]650requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]651run_test "SHA-1 forbidden by default in server certificate" \
652 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
653 "$P_CLI debug_level=2 allow_sha1=0" \
654 1 \
655 -c "The certificate is signed with an unacceptable hash"
656
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]657requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
658run_test "SHA-1 forbidden by default in server certificate" \
659 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
660 "$P_CLI debug_level=2 allow_sha1=0" \
661 0
662
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]663run_test "SHA-1 explicitly allowed in server certificate" \
664 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
665 "$P_CLI allow_sha1=1" \
666 0
667
668run_test "SHA-256 allowed by default in server certificate" \
669 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
670 "$P_CLI allow_sha1=0" \
671 0
672
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]673requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]674run_test "SHA-1 forbidden by default in client certificate" \
675 "$P_SRV auth_mode=required allow_sha1=0" \
676 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
677 1 \
678 -s "The certificate is signed with an unacceptable hash"
679
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]680requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
681run_test "SHA-1 forbidden by default in client certificate" \
682 "$P_SRV auth_mode=required allow_sha1=0" \
683 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
684 0
685
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]686run_test "SHA-1 explicitly allowed in client certificate" \
687 "$P_SRV auth_mode=required allow_sha1=1" \
688 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
689 0
690
691run_test "SHA-256 allowed by default in client certificate" \
692 "$P_SRV auth_mode=required allow_sha1=0" \
693 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
694 0
695
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]696# Tests for Truncated HMAC extension
697
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]698run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]699 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]700 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]701 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]702 -s "dumping 'computed mac' (20 bytes)" \
703 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]704
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]705run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]706 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]707 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
708 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]709 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]710 -s "dumping 'computed mac' (20 bytes)" \
711 -S "dumping 'computed mac' (10 bytes)"
712
713run_test "Truncated HMAC: client enabled, server default" \
714 "$P_SRV debug_level=4" \
715 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
716 trunc_hmac=1" \
717 0 \
Manuel Pégourié-Gonnard662c6e82015-05-06 17:39:23 +0100[diff] [blame]718 -s "dumping 'computed mac' (20 bytes)" \
719 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]720
721run_test "Truncated HMAC: client enabled, server disabled" \
722 "$P_SRV debug_level=4 trunc_hmac=0" \
723 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
724 trunc_hmac=1" \
725 0 \
726 -s "dumping 'computed mac' (20 bytes)" \
727 -S "dumping 'computed mac' (10 bytes)"
728
729run_test "Truncated HMAC: client enabled, server enabled" \
730 "$P_SRV debug_level=4 trunc_hmac=1" \
731 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
732 trunc_hmac=1" \
733 0 \
734 -S "dumping 'computed mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]735 -s "dumping 'computed mac' (10 bytes)"
736
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]737# Tests for Encrypt-then-MAC extension
738
739run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]740 "$P_SRV debug_level=3 \
741 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]742 "$P_CLI debug_level=3" \
743 0 \
744 -c "client hello, adding encrypt_then_mac extension" \
745 -s "found encrypt then mac extension" \
746 -s "server hello, adding encrypt then mac extension" \
747 -c "found encrypt_then_mac extension" \
748 -c "using encrypt then mac" \
749 -s "using encrypt then mac"
750
751run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]752 "$P_SRV debug_level=3 etm=0 \
753 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]754 "$P_CLI debug_level=3 etm=1" \
755 0 \
756 -c "client hello, adding encrypt_then_mac extension" \
757 -s "found encrypt then mac extension" \
758 -S "server hello, adding encrypt then mac extension" \
759 -C "found encrypt_then_mac extension" \
760 -C "using encrypt then mac" \
761 -S "using encrypt then mac"
762
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]763run_test "Encrypt then MAC: client enabled, aead cipher" \
764 "$P_SRV debug_level=3 etm=1 \
765 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
766 "$P_CLI debug_level=3 etm=1" \
767 0 \
768 -c "client hello, adding encrypt_then_mac extension" \
769 -s "found encrypt then mac extension" \
770 -S "server hello, adding encrypt then mac extension" \
771 -C "found encrypt_then_mac extension" \
772 -C "using encrypt then mac" \
773 -S "using encrypt then mac"
774
775run_test "Encrypt then MAC: client enabled, stream cipher" \
776 "$P_SRV debug_level=3 etm=1 \
777 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]778 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]779 0 \
780 -c "client hello, adding encrypt_then_mac extension" \
781 -s "found encrypt then mac extension" \
782 -S "server hello, adding encrypt then mac extension" \
783 -C "found encrypt_then_mac extension" \
784 -C "using encrypt then mac" \
785 -S "using encrypt then mac"
786
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]787run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]788 "$P_SRV debug_level=3 etm=1 \
789 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]790 "$P_CLI debug_level=3 etm=0" \
791 0 \
792 -C "client hello, adding encrypt_then_mac extension" \
793 -S "found encrypt then mac extension" \
794 -S "server hello, adding encrypt then mac extension" \
795 -C "found encrypt_then_mac extension" \
796 -C "using encrypt then mac" \
797 -S "using encrypt then mac"
798
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]799requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]800run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]801 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]802 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]803 "$P_CLI debug_level=3 force_version=ssl3" \
804 0 \
805 -C "client hello, adding encrypt_then_mac extension" \
806 -S "found encrypt then mac extension" \
807 -S "server hello, adding encrypt then mac extension" \
808 -C "found encrypt_then_mac extension" \
809 -C "using encrypt then mac" \
810 -S "using encrypt then mac"
811
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]812requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]813run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]814 "$P_SRV debug_level=3 force_version=ssl3 \
815 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]816 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]817 0 \
818 -c "client hello, adding encrypt_then_mac extension" \
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]819 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]820 -S "server hello, adding encrypt then mac extension" \
821 -C "found encrypt_then_mac extension" \
822 -C "using encrypt then mac" \
823 -S "using encrypt then mac"
824
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]825# Tests for Extended Master Secret extension
826
827run_test "Extended Master Secret: default" \
828 "$P_SRV debug_level=3" \
829 "$P_CLI debug_level=3" \
830 0 \
831 -c "client hello, adding extended_master_secret extension" \
832 -s "found extended master secret extension" \
833 -s "server hello, adding extended master secret extension" \
834 -c "found extended_master_secret extension" \
835 -c "using extended master secret" \
836 -s "using extended master secret"
837
838run_test "Extended Master Secret: client enabled, server disabled" \
839 "$P_SRV debug_level=3 extended_ms=0" \
840 "$P_CLI debug_level=3 extended_ms=1" \
841 0 \
842 -c "client hello, adding extended_master_secret extension" \
843 -s "found extended master secret extension" \
844 -S "server hello, adding extended master secret extension" \
845 -C "found extended_master_secret extension" \
846 -C "using extended master secret" \
847 -S "using extended master secret"
848
849run_test "Extended Master Secret: client disabled, server enabled" \
850 "$P_SRV debug_level=3 extended_ms=1" \
851 "$P_CLI debug_level=3 extended_ms=0" \
852 0 \
853 -C "client hello, adding extended_master_secret extension" \
854 -S "found extended master secret extension" \
855 -S "server hello, adding extended master secret extension" \
856 -C "found extended_master_secret extension" \
857 -C "using extended master secret" \
858 -S "using extended master secret"
859
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]860requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]861run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]862 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]863 "$P_CLI debug_level=3 force_version=ssl3" \
864 0 \
865 -C "client hello, adding extended_master_secret extension" \
866 -S "found extended master secret extension" \
867 -S "server hello, adding extended master secret extension" \
868 -C "found extended_master_secret extension" \
869 -C "using extended master secret" \
870 -S "using extended master secret"
871
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]872requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]873run_test "Extended Master Secret: client enabled, server SSLv3" \
874 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]875 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]876 0 \
877 -c "client hello, adding extended_master_secret extension" \
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]878 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]879 -S "server hello, adding extended master secret extension" \
880 -C "found extended_master_secret extension" \
881 -C "using extended master secret" \
882 -S "using extended master secret"
883
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]884# Tests for FALLBACK_SCSV
885
886run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]887 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]888 "$P_CLI debug_level=3 force_version=tls1_1" \
889 0 \
890 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]891 -S "received FALLBACK_SCSV" \
892 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]893 -C "is a fatal alert message (msg 86)"
894
895run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]896 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]897 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
898 0 \
899 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]900 -S "received FALLBACK_SCSV" \
901 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]902 -C "is a fatal alert message (msg 86)"
903
904run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]905 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]906 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]907 1 \
908 -c "adding FALLBACK_SCSV" \
909 -s "received FALLBACK_SCSV" \
910 -s "inapropriate fallback" \
911 -c "is a fatal alert message (msg 86)"
912
913run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]914 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]915 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]916 0 \
917 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]918 -s "received FALLBACK_SCSV" \
919 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]920 -C "is a fatal alert message (msg 86)"
921
922requires_openssl_with_fallback_scsv
923run_test "Fallback SCSV: default, openssl server" \
924 "$O_SRV" \
925 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
926 0 \
927 -C "adding FALLBACK_SCSV" \
928 -C "is a fatal alert message (msg 86)"
929
930requires_openssl_with_fallback_scsv
931run_test "Fallback SCSV: enabled, openssl server" \
932 "$O_SRV" \
933 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
934 1 \
935 -c "adding FALLBACK_SCSV" \
936 -c "is a fatal alert message (msg 86)"
937
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]938requires_openssl_with_fallback_scsv
939run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]940 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]941 "$O_CLI -tls1_1" \
942 0 \
943 -S "received FALLBACK_SCSV" \
944 -S "inapropriate fallback"
945
946requires_openssl_with_fallback_scsv
947run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]948 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]949 "$O_CLI -tls1_1 -fallback_scsv" \
950 1 \
951 -s "received FALLBACK_SCSV" \
952 -s "inapropriate fallback"
953
954requires_openssl_with_fallback_scsv
955run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]956 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]957 "$O_CLI -fallback_scsv" \
958 0 \
959 -s "received FALLBACK_SCSV" \
960 -S "inapropriate fallback"
961
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]962## ClientHello generated with
963## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
964## then manually twiddling the ciphersuite list.
965## The ClientHello content is spelled out below as a hex string as
966## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
967## The expected response is an inappropriate_fallback alert.
968requires_openssl_with_fallback_scsv
969run_test "Fallback SCSV: beginning of list" \
970 "$P_SRV debug_level=2" \
971 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
972 0 \
973 -s "received FALLBACK_SCSV" \
974 -s "inapropriate fallback"
975
976requires_openssl_with_fallback_scsv
977run_test "Fallback SCSV: end of list" \
978 "$P_SRV debug_level=2" \
979 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
980 0 \
981 -s "received FALLBACK_SCSV" \
982 -s "inapropriate fallback"
983
984## Here the expected response is a valid ServerHello prefix, up to the random.
985requires_openssl_with_fallback_scsv
986run_test "Fallback SCSV: not in list" \
987 "$P_SRV debug_level=2" \
988 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
989 0 \
990 -S "received FALLBACK_SCSV" \
991 -S "inapropriate fallback"
992
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]993# Tests for CBC 1/n-1 record splitting
994
995run_test "CBC Record splitting: TLS 1.2, no splitting" \
996 "$P_SRV" \
997 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
998 request_size=123 force_version=tls1_2" \
999 0 \
1000 -s "Read from client: 123 bytes read" \
1001 -S "Read from client: 1 bytes read" \
1002 -S "122 bytes read"
1003
1004run_test "CBC Record splitting: TLS 1.1, no splitting" \
1005 "$P_SRV" \
1006 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1007 request_size=123 force_version=tls1_1" \
1008 0 \
1009 -s "Read from client: 123 bytes read" \
1010 -S "Read from client: 1 bytes read" \
1011 -S "122 bytes read"
1012
1013run_test "CBC Record splitting: TLS 1.0, splitting" \
1014 "$P_SRV" \
1015 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1016 request_size=123 force_version=tls1" \
1017 0 \
1018 -S "Read from client: 123 bytes read" \
1019 -s "Read from client: 1 bytes read" \
1020 -s "122 bytes read"
1021
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]1022requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1023run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1024 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1025 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1026 request_size=123 force_version=ssl3" \
1027 0 \
1028 -S "Read from client: 123 bytes read" \
1029 -s "Read from client: 1 bytes read" \
1030 -s "122 bytes read"
1031
1032run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1033 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1034 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1035 request_size=123 force_version=tls1" \
1036 0 \
1037 -s "Read from client: 123 bytes read" \
1038 -S "Read from client: 1 bytes read" \
1039 -S "122 bytes read"
1040
1041run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1042 "$P_SRV" \
1043 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1044 request_size=123 force_version=tls1 recsplit=0" \
1045 0 \
1046 -s "Read from client: 123 bytes read" \
1047 -S "Read from client: 1 bytes read" \
1048 -S "122 bytes read"
1049
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1050run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1051 "$P_SRV nbio=2" \
1052 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1053 request_size=123 force_version=tls1" \
1054 0 \
1055 -S "Read from client: 123 bytes read" \
1056 -s "Read from client: 1 bytes read" \
1057 -s "122 bytes read"
1058
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1059# Tests for Session Tickets
1060
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1061run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1062 "$P_SRV debug_level=3 tickets=1" \
1063 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1064 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1065 -c "client hello, adding session ticket extension" \
1066 -s "found session ticket extension" \
1067 -s "server hello, adding session ticket extension" \
1068 -c "found session_ticket extension" \
1069 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1070 -S "session successfully restored from cache" \
1071 -s "session successfully restored from ticket" \
1072 -s "a session has been resumed" \
1073 -c "a session has been resumed"
1074
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1075run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1076 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1077 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1078 0 \
1079 -c "client hello, adding session ticket extension" \
1080 -s "found session ticket extension" \
1081 -s "server hello, adding session ticket extension" \
1082 -c "found session_ticket extension" \
1083 -c "parse new session ticket" \
1084 -S "session successfully restored from cache" \
1085 -s "session successfully restored from ticket" \
1086 -s "a session has been resumed" \
1087 -c "a session has been resumed"
1088
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1089run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1090 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1091 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1092 0 \
1093 -c "client hello, adding session ticket extension" \
1094 -s "found session ticket extension" \
1095 -s "server hello, adding session ticket extension" \
1096 -c "found session_ticket extension" \
1097 -c "parse new session ticket" \
1098 -S "session successfully restored from cache" \
1099 -S "session successfully restored from ticket" \
1100 -S "a session has been resumed" \
1101 -C "a session has been resumed"
1102
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1103run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1104 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1105 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1106 0 \
1107 -c "client hello, adding session ticket extension" \
1108 -c "found session_ticket extension" \
1109 -c "parse new session ticket" \
1110 -c "a session has been resumed"
1111
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1112run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1113 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1114 "( $O_CLI -sess_out $SESSION; \
1115 $O_CLI -sess_in $SESSION; \
1116 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1117 0 \
1118 -s "found session ticket extension" \
1119 -s "server hello, adding session ticket extension" \
1120 -S "session successfully restored from cache" \
1121 -s "session successfully restored from ticket" \
1122 -s "a session has been resumed"
1123
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1124# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1125
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1126run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1127 "$P_SRV debug_level=3 tickets=0" \
1128 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1129 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1130 -c "client hello, adding session ticket extension" \
1131 -s "found session ticket extension" \
1132 -S "server hello, adding session ticket extension" \
1133 -C "found session_ticket extension" \
1134 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1135 -s "session successfully restored from cache" \
1136 -S "session successfully restored from ticket" \
1137 -s "a session has been resumed" \
1138 -c "a session has been resumed"
1139
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1140run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1141 "$P_SRV debug_level=3 tickets=1" \
1142 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1143 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1144 -C "client hello, adding session ticket extension" \
1145 -S "found session ticket extension" \
1146 -S "server hello, adding session ticket extension" \
1147 -C "found session_ticket extension" \
1148 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1149 -s "session successfully restored from cache" \
1150 -S "session successfully restored from ticket" \
1151 -s "a session has been resumed" \
1152 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1153
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1154run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1155 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1156 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1157 0 \
1158 -S "session successfully restored from cache" \
1159 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1160 -S "a session has been resumed" \
1161 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1162
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1163run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1164 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1165 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1166 0 \
1167 -s "session successfully restored from cache" \
1168 -S "session successfully restored from ticket" \
1169 -s "a session has been resumed" \
1170 -c "a session has been resumed"
1171
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1172run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1173 "$P_SRV debug_level=3 tickets=0" \
1174 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1175 0 \
1176 -s "session successfully restored from cache" \
1177 -S "session successfully restored from ticket" \
1178 -s "a session has been resumed" \
1179 -c "a session has been resumed"
1180
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1181run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1182 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1183 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1184 0 \
1185 -S "session successfully restored from cache" \
1186 -S "session successfully restored from ticket" \
1187 -S "a session has been resumed" \
1188 -C "a session has been resumed"
1189
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1190run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1191 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1192 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1193 0 \
1194 -s "session successfully restored from cache" \
1195 -S "session successfully restored from ticket" \
1196 -s "a session has been resumed" \
1197 -c "a session has been resumed"
1198
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1199run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1200 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1201 "( $O_CLI -sess_out $SESSION; \
1202 $O_CLI -sess_in $SESSION; \
1203 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1204 0 \
1205 -s "found session ticket extension" \
1206 -S "server hello, adding session ticket extension" \
1207 -s "session successfully restored from cache" \
1208 -S "session successfully restored from ticket" \
1209 -s "a session has been resumed"
1210
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1211run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1212 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1213 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1214 0 \
1215 -C "found session_ticket extension" \
1216 -C "parse new session ticket" \
1217 -c "a session has been resumed"
1218
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1219# Tests for Max Fragment Length extension
1220
Hanno Becker64691dc2017-09-22 16:58:50 +0100[diff] [blame]1221MAX_CONTENT_LEN_EXPECT='16384'
1222MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
1223
1224if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
1225 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
1226 printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
1227 printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
1228 printf "\n"
1229 printf "The tests assume this value and if it changes, the tests in this\n"
1230 printf "script should also be adjusted.\n"
1231 printf "\n"
1232
1233 exit 1
1234fi
1235
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1236requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1237run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1238 "$P_SRV debug_level=3" \
1239 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1240 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1241 -c "Maximum fragment length is 16384" \
1242 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1243 -C "client hello, adding max_fragment_length extension" \
1244 -S "found max fragment length extension" \
1245 -S "server hello, max_fragment_length extension" \
1246 -C "found max_fragment_length extension"
1247
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1248requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1249run_test "Max fragment length: enabled, default, larger message" \
1250 "$P_SRV debug_level=3" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1251 "$P_CLI debug_level=3 request_size=16385" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1252 0 \
1253 -c "Maximum fragment length is 16384" \
1254 -s "Maximum fragment length is 16384" \
1255 -C "client hello, adding max_fragment_length extension" \
1256 -S "found max fragment length extension" \
1257 -S "server hello, max_fragment_length extension" \
1258 -C "found max_fragment_length extension" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1259 -c "16385 bytes written in 2 fragments" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1260 -s "16384 bytes read" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1261 -s "1 bytes read"
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1262
1263requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1264run_test "Max fragment length, DTLS: enabled, default, larger message" \
1265 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1266 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1267 1 \
1268 -c "Maximum fragment length is 16384" \
1269 -s "Maximum fragment length is 16384" \
1270 -C "client hello, adding max_fragment_length extension" \
1271 -S "found max fragment length extension" \
1272 -S "server hello, max_fragment_length extension" \
1273 -C "found max_fragment_length extension" \
1274 -c "fragment larger than.*maximum "
1275
1276requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1277run_test "Max fragment length: disabled, larger message" \
1278 "$P_SRV debug_level=3" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1279 "$P_CLI debug_level=3 request_size=16385" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1280 0 \
1281 -C "Maximum fragment length is 16384" \
1282 -S "Maximum fragment length is 16384" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1283 -c "16385 bytes written in 2 fragments" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1284 -s "16384 bytes read" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1285 -s "1 bytes read"
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1286
1287requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1288run_test "Max fragment length DTLS: disabled, larger message" \
1289 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker6ed76f72017-10-18 14:42:01 +0100[diff] [blame]1290 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Becker2fabe5f2017-09-18 15:01:50 +0100[diff] [blame]1291 1 \
1292 -C "Maximum fragment length is 16384" \
1293 -S "Maximum fragment length is 16384" \
1294 -c "fragment larger than.*maximum "
1295
1296requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1297run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1298 "$P_SRV debug_level=3" \
1299 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1300 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1301 -c "Maximum fragment length is 4096" \
1302 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1303 -c "client hello, adding max_fragment_length extension" \
1304 -s "found max fragment length extension" \
1305 -s "server hello, max_fragment_length extension" \
1306 -c "found max_fragment_length extension"
1307
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1308requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1309run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1310 "$P_SRV debug_level=3 max_frag_len=4096" \
1311 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1312 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1313 -c "Maximum fragment length is 16384" \
1314 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1315 -C "client hello, adding max_fragment_length extension" \
1316 -S "found max fragment length extension" \
1317 -S "server hello, max_fragment_length extension" \
1318 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1319
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1320requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1321requires_gnutls
1322run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1323 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1324 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1325 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1326 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1327 -c "client hello, adding max_fragment_length extension" \
1328 -c "found max_fragment_length extension"
1329
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1330requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1331run_test "Max fragment length: client, message just fits" \
1332 "$P_SRV debug_level=3" \
1333 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1334 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1335 -c "Maximum fragment length is 2048" \
1336 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1337 -c "client hello, adding max_fragment_length extension" \
1338 -s "found max fragment length extension" \
1339 -s "server hello, max_fragment_length extension" \
1340 -c "found max_fragment_length extension" \
1341 -c "2048 bytes written in 1 fragments" \
1342 -s "2048 bytes read"
1343
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1344requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1345run_test "Max fragment length: client, larger message" \
1346 "$P_SRV debug_level=3" \
1347 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1348 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1349 -c "Maximum fragment length is 2048" \
1350 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1351 -c "client hello, adding max_fragment_length extension" \
1352 -s "found max fragment length extension" \
1353 -s "server hello, max_fragment_length extension" \
1354 -c "found max_fragment_length extension" \
1355 -c "2345 bytes written in 2 fragments" \
1356 -s "2048 bytes read" \
1357 -s "297 bytes read"
1358
Hanno Becker05607782017-09-18 15:00:34 +0100[diff] [blame]1359requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1360run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1361 "$P_SRV debug_level=3 dtls=1" \
1362 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1363 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1364 -c "Maximum fragment length is 2048" \
1365 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1366 -c "client hello, adding max_fragment_length extension" \
1367 -s "found max fragment length extension" \
1368 -s "server hello, max_fragment_length extension" \
1369 -c "found max_fragment_length extension" \
1370 -c "fragment larger than.*maximum"
1371
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1372# Tests for renegotiation
1373
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1374run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1375 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1376 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1377 0 \
1378 -C "client hello, adding renegotiation extension" \
1379 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1380 -S "found renegotiation extension" \
1381 -s "server hello, secure renegotiation extension" \
1382 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1383 -C "=> renegotiate" \
1384 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1385 -S "write hello request"
1386
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1387requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1388run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1389 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1390 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1391 0 \
1392 -c "client hello, adding renegotiation extension" \
1393 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1394 -s "found renegotiation extension" \
1395 -s "server hello, secure renegotiation extension" \
1396 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1397 -c "=> renegotiate" \
1398 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1399 -S "write hello request"
1400
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1401requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1402run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1403 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1404 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1405 0 \
1406 -c "client hello, adding renegotiation extension" \
1407 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1408 -s "found renegotiation extension" \
1409 -s "server hello, secure renegotiation extension" \
1410 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1411 -c "=> renegotiate" \
1412 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1413 -s "write hello request"
1414
Janos Follath5f1dd802017-10-05 12:29:42 +0100[diff] [blame]1415# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1416# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1417# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1418requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follath5f1dd802017-10-05 12:29:42 +0100[diff] [blame]1419run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1420 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1421 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1422 0 \
1423 -c "client hello, adding renegotiation extension" \
1424 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1425 -s "found renegotiation extension" \
1426 -s "server hello, secure renegotiation extension" \
1427 -c "found renegotiation extension" \
1428 -c "=> renegotiate" \
1429 -s "=> renegotiate" \
1430 -S "write hello request" \
1431 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1432
1433# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1434# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1435# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1436requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follath5f1dd802017-10-05 12:29:42 +0100[diff] [blame]1437run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1438 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1439 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1440 0 \
1441 -c "client hello, adding renegotiation extension" \
1442 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1443 -s "found renegotiation extension" \
1444 -s "server hello, secure renegotiation extension" \
1445 -c "found renegotiation extension" \
1446 -c "=> renegotiate" \
1447 -s "=> renegotiate" \
1448 -s "write hello request" \
1449 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1450
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1451requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1452run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1453 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1454 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1455 0 \
1456 -c "client hello, adding renegotiation extension" \
1457 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1458 -s "found renegotiation extension" \
1459 -s "server hello, secure renegotiation extension" \
1460 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1461 -c "=> renegotiate" \
1462 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1463 -s "write hello request"
1464
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1465requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1466run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1467 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1468 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1469 1 \
1470 -c "client hello, adding renegotiation extension" \
1471 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1472 -S "found renegotiation extension" \
1473 -s "server hello, secure renegotiation extension" \
1474 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1475 -c "=> renegotiate" \
1476 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1477 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1478 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1479 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1480
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1481requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1482run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1483 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1484 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1485 0 \
1486 -C "client hello, adding renegotiation extension" \
1487 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1488 -S "found renegotiation extension" \
1489 -s "server hello, secure renegotiation extension" \
1490 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1491 -C "=> renegotiate" \
1492 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1493 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1494 -S "SSL - An unexpected message was received from our peer" \
1495 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1496
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1497requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1498run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1499 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1500 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1501 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1502 0 \
1503 -C "client hello, adding renegotiation extension" \
1504 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1505 -S "found renegotiation extension" \
1506 -s "server hello, secure renegotiation extension" \
1507 -c "found renegotiation extension" \
1508 -C "=> renegotiate" \
1509 -S "=> renegotiate" \
1510 -s "write hello request" \
1511 -S "SSL - An unexpected message was received from our peer" \
1512 -S "failed"
1513
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1514# delay 2 for 1 alert record + 1 application data record
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1515requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1516run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1517 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1518 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1519 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1520 0 \
1521 -C "client hello, adding renegotiation extension" \
1522 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1523 -S "found renegotiation extension" \
1524 -s "server hello, secure renegotiation extension" \
1525 -c "found renegotiation extension" \
1526 -C "=> renegotiate" \
1527 -S "=> renegotiate" \
1528 -s "write hello request" \
1529 -S "SSL - An unexpected message was received from our peer" \
1530 -S "failed"
1531
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1532requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1533run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1534 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1535 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1536 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1537 0 \
1538 -C "client hello, adding renegotiation extension" \
1539 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1540 -S "found renegotiation extension" \
1541 -s "server hello, secure renegotiation extension" \
1542 -c "found renegotiation extension" \
1543 -C "=> renegotiate" \
1544 -S "=> renegotiate" \
1545 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1546 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1547
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1548requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1549run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1550 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1551 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1552 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1553 0 \
1554 -c "client hello, adding renegotiation extension" \
1555 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1556 -s "found renegotiation extension" \
1557 -s "server hello, secure renegotiation extension" \
1558 -c "found renegotiation extension" \
1559 -c "=> renegotiate" \
1560 -s "=> renegotiate" \
1561 -s "write hello request" \
1562 -S "SSL - An unexpected message was received from our peer" \
1563 -S "failed"
1564
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1565requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1566run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1567 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1568 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1569 0 \
1570 -C "client hello, adding renegotiation extension" \
1571 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1572 -S "found renegotiation extension" \
1573 -s "server hello, secure renegotiation extension" \
1574 -c "found renegotiation extension" \
1575 -S "record counter limit reached: renegotiate" \
1576 -C "=> renegotiate" \
1577 -S "=> renegotiate" \
1578 -S "write hello request" \
1579 -S "SSL - An unexpected message was received from our peer" \
1580 -S "failed"
1581
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1582# one extra exchange to be able to complete renego
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1583requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1584run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1585 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1586 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1587 0 \
1588 -c "client hello, adding renegotiation extension" \
1589 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1590 -s "found renegotiation extension" \
1591 -s "server hello, secure renegotiation extension" \
1592 -c "found renegotiation extension" \
1593 -s "record counter limit reached: renegotiate" \
1594 -c "=> renegotiate" \
1595 -s "=> renegotiate" \
1596 -s "write hello request" \
1597 -S "SSL - An unexpected message was received from our peer" \
1598 -S "failed"
1599
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1600requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1601run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1602 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1603 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1604 0 \
1605 -c "client hello, adding renegotiation extension" \
1606 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1607 -s "found renegotiation extension" \
1608 -s "server hello, secure renegotiation extension" \
1609 -c "found renegotiation extension" \
1610 -s "record counter limit reached: renegotiate" \
1611 -c "=> renegotiate" \
1612 -s "=> renegotiate" \
1613 -s "write hello request" \
1614 -S "SSL - An unexpected message was received from our peer" \
1615 -S "failed"
1616
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1617requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1618run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1619 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1620 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1621 0 \
1622 -C "client hello, adding renegotiation extension" \
1623 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1624 -S "found renegotiation extension" \
1625 -s "server hello, secure renegotiation extension" \
1626 -c "found renegotiation extension" \
1627 -S "record counter limit reached: renegotiate" \
1628 -C "=> renegotiate" \
1629 -S "=> renegotiate" \
1630 -S "write hello request" \
1631 -S "SSL - An unexpected message was received from our peer" \
1632 -S "failed"
1633
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1634requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1635run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1636 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1637 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1638 0 \
1639 -c "client hello, adding renegotiation extension" \
1640 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1641 -s "found renegotiation extension" \
1642 -s "server hello, secure renegotiation extension" \
1643 -c "found renegotiation extension" \
1644 -c "=> renegotiate" \
1645 -s "=> renegotiate" \
1646 -S "write hello request"
1647
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1648requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1649run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1650 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1651 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1652 0 \
1653 -c "client hello, adding renegotiation extension" \
1654 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1655 -s "found renegotiation extension" \
1656 -s "server hello, secure renegotiation extension" \
1657 -c "found renegotiation extension" \
1658 -c "=> renegotiate" \
1659 -s "=> renegotiate" \
1660 -s "write hello request"
1661
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1662requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1663run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1664 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1665 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1666 0 \
1667 -c "client hello, adding renegotiation extension" \
1668 -c "found renegotiation extension" \
1669 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1670 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1671 -C "error" \
1672 -c "HTTP/1.0 200 [Oo][Kk]"
1673
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1674requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1675requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1676run_test "Renegotiation: gnutls server strict, client-initiated" \
1677 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1678 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1679 0 \
1680 -c "client hello, adding renegotiation extension" \
1681 -c "found renegotiation extension" \
1682 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1683 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1684 -C "error" \
1685 -c "HTTP/1.0 200 [Oo][Kk]"
1686
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1687requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1688requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1689run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1690 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1691 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1692 1 \
1693 -c "client hello, adding renegotiation extension" \
1694 -C "found renegotiation extension" \
1695 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1696 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1697 -c "error" \
1698 -C "HTTP/1.0 200 [Oo][Kk]"
1699
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1700requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1701requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1702run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1703 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1704 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1705 allow_legacy=0" \
1706 1 \
1707 -c "client hello, adding renegotiation extension" \
1708 -C "found renegotiation extension" \
1709 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1710 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1711 -c "error" \
1712 -C "HTTP/1.0 200 [Oo][Kk]"
1713
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1714requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1715requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1716run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1717 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1718 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1719 allow_legacy=1" \
1720 0 \
1721 -c "client hello, adding renegotiation extension" \
1722 -C "found renegotiation extension" \
1723 -c "=> renegotiate" \
1724 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1725 -C "error" \
1726 -c "HTTP/1.0 200 [Oo][Kk]"
1727
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1728requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1729run_test "Renegotiation: DTLS, client-initiated" \
1730 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1731 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1732 0 \
1733 -c "client hello, adding renegotiation extension" \
1734 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1735 -s "found renegotiation extension" \
1736 -s "server hello, secure renegotiation extension" \
1737 -c "found renegotiation extension" \
1738 -c "=> renegotiate" \
1739 -s "=> renegotiate" \
1740 -S "write hello request"
1741
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1742requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1743run_test "Renegotiation: DTLS, server-initiated" \
1744 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1745 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1746 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1747 0 \
1748 -c "client hello, adding renegotiation extension" \
1749 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1750 -s "found renegotiation extension" \
1751 -s "server hello, secure renegotiation extension" \
1752 -c "found renegotiation extension" \
1753 -c "=> renegotiate" \
1754 -s "=> renegotiate" \
1755 -s "write hello request"
1756
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1757requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG9b1927b2017-01-19 16:30:57 +0000[diff] [blame]1758run_test "Renegotiation: DTLS, renego_period overflow" \
1759 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1760 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1761 0 \
1762 -c "client hello, adding renegotiation extension" \
1763 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1764 -s "found renegotiation extension" \
1765 -s "server hello, secure renegotiation extension" \
1766 -s "record counter limit reached: renegotiate" \
1767 -c "=> renegotiate" \
1768 -s "=> renegotiate" \
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1769 -s "write hello request"
Andres AG9b1927b2017-01-19 16:30:57 +0000[diff] [blame]1770
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1771requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]1772requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1773run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1774 "$G_SRV -u --mtu 4096" \
1775 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1776 0 \
1777 -c "client hello, adding renegotiation extension" \
1778 -c "found renegotiation extension" \
1779 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1780 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1781 -C "error" \
1782 -s "Extra-header:"
1783
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1784# Test for the "secure renegotation" extension only (no actual renegotiation)
1785
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1786requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1787run_test "Renego ext: gnutls server strict, client default" \
1788 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1789 "$P_CLI debug_level=3" \
1790 0 \
1791 -c "found renegotiation extension" \
1792 -C "error" \
1793 -c "HTTP/1.0 200 [Oo][Kk]"
1794
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1795requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1796run_test "Renego ext: gnutls server unsafe, client default" \
1797 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1798 "$P_CLI debug_level=3" \
1799 0 \
1800 -C "found renegotiation extension" \
1801 -C "error" \
1802 -c "HTTP/1.0 200 [Oo][Kk]"
1803
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1804requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1805run_test "Renego ext: gnutls server unsafe, client break legacy" \
1806 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1807 "$P_CLI debug_level=3 allow_legacy=-1" \
1808 1 \
1809 -C "found renegotiation extension" \
1810 -c "error" \
1811 -C "HTTP/1.0 200 [Oo][Kk]"
1812
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1813requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1814run_test "Renego ext: gnutls client strict, server default" \
1815 "$P_SRV debug_level=3" \
1816 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1817 0 \
1818 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1819 -s "server hello, secure renegotiation extension"
1820
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1821requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1822run_test "Renego ext: gnutls client unsafe, server default" \
1823 "$P_SRV debug_level=3" \
1824 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1825 0 \
1826 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1827 -S "server hello, secure renegotiation extension"
1828
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1829requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1830run_test "Renego ext: gnutls client unsafe, server break legacy" \
1831 "$P_SRV debug_level=3 allow_legacy=-1" \
1832 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1833 1 \
1834 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1835 -S "server hello, secure renegotiation extension"
1836
Janos Follath365b2262016-02-17 10:11:21 +0000[diff] [blame]1837# Tests for silently dropping trailing extra bytes in .der certificates
1838
1839requires_gnutls
1840run_test "DER format: no trailing bytes" \
1841 "$P_SRV crt_file=data_files/server5-der0.crt \
1842 key_file=data_files/server5.key" \
1843 "$G_CLI " \
1844 0 \
1845 -c "Handshake was completed" \
1846
1847requires_gnutls
1848run_test "DER format: with a trailing zero byte" \
1849 "$P_SRV crt_file=data_files/server5-der1a.crt \
1850 key_file=data_files/server5.key" \
1851 "$G_CLI " \
1852 0 \
1853 -c "Handshake was completed" \
1854
1855requires_gnutls
1856run_test "DER format: with a trailing random byte" \
1857 "$P_SRV crt_file=data_files/server5-der1b.crt \
1858 key_file=data_files/server5.key" \
1859 "$G_CLI " \
1860 0 \
1861 -c "Handshake was completed" \
1862
1863requires_gnutls
1864run_test "DER format: with 2 trailing random bytes" \
1865 "$P_SRV crt_file=data_files/server5-der2.crt \
1866 key_file=data_files/server5.key" \
1867 "$G_CLI " \
1868 0 \
1869 -c "Handshake was completed" \
1870
1871requires_gnutls
1872run_test "DER format: with 4 trailing random bytes" \
1873 "$P_SRV crt_file=data_files/server5-der4.crt \
1874 key_file=data_files/server5.key" \
1875 "$G_CLI " \
1876 0 \
1877 -c "Handshake was completed" \
1878
1879requires_gnutls
1880run_test "DER format: with 8 trailing random bytes" \
1881 "$P_SRV crt_file=data_files/server5-der8.crt \
1882 key_file=data_files/server5.key" \
1883 "$G_CLI " \
1884 0 \
1885 -c "Handshake was completed" \
1886
1887requires_gnutls
1888run_test "DER format: with 9 trailing random bytes" \
1889 "$P_SRV crt_file=data_files/server5-der9.crt \
1890 key_file=data_files/server5.key" \
1891 "$G_CLI " \
1892 0 \
1893 -c "Handshake was completed" \
1894
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1895# Tests for auth_mode
1896
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1897run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1898 "$P_SRV crt_file=data_files/server5-badsign.crt \
1899 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1900 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1901 1 \
1902 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1903 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1904 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1905 -c "X509 - Certificate verification failed"
1906
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1907run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1908 "$P_SRV crt_file=data_files/server5-badsign.crt \
1909 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1910 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1911 0 \
1912 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1913 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1914 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1915 -C "X509 - Certificate verification failed"
1916
Hanno Becker61c0c702017-05-15 16:05:15 +0100[diff] [blame]1917run_test "Authentication: server goodcert, client optional, no trusted CA" \
1918 "$P_SRV" \
1919 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1920 0 \
1921 -c "x509_verify_cert() returned" \
1922 -c "! The certificate is not correctly signed by the trusted CA" \
1923 -c "! Certificate verification flags"\
1924 -C "! mbedtls_ssl_handshake returned" \
1925 -C "X509 - Certificate verification failed" \
1926 -C "SSL - No CA Chain is set, but required to operate"
1927
1928run_test "Authentication: server goodcert, client required, no trusted CA" \
1929 "$P_SRV" \
1930 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1931 1 \
1932 -c "x509_verify_cert() returned" \
1933 -c "! The certificate is not correctly signed by the trusted CA" \
1934 -c "! Certificate verification flags"\
1935 -c "! mbedtls_ssl_handshake returned" \
1936 -c "SSL - No CA Chain is set, but required to operate"
1937
1938# The purpose of the next two tests is to test the client's behaviour when receiving a server
1939# certificate with an unsupported elliptic curve. This should usually not happen because
1940# the client informs the server about the supported curves - it does, though, in the
1941# corner case of a static ECDH suite, because the server doesn't check the curve on that
1942# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1943# different means to have the server ignoring the client's supported curve list.
1944
1945requires_config_enabled MBEDTLS_ECP_C
1946run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1947 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1948 crt_file=data_files/server5.ku-ka.crt" \
1949 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1950 1 \
1951 -c "bad certificate (EC key curve)"\
1952 -c "! Certificate verification flags"\
1953 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1954
1955requires_config_enabled MBEDTLS_ECP_C
1956run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1957 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1958 crt_file=data_files/server5.ku-ka.crt" \
1959 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1960 1 \
1961 -c "bad certificate (EC key curve)"\
1962 -c "! Certificate verification flags"\
1963 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1964
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1965run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1966 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1967 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1968 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1969 0 \
1970 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1971 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1972 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1973 -C "X509 - Certificate verification failed"
1974
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1975run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1976 "$P_SRV debug_level=3 auth_mode=required" \
1977 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1978 key_file=data_files/server5.key" \
1979 1 \
1980 -S "skip write certificate request" \
1981 -C "skip parse certificate request" \
1982 -c "got a certificate request" \
1983 -C "skip write certificate" \
1984 -C "skip write certificate verify" \
1985 -S "skip parse certificate verify" \
1986 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]1987 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1988 -s "! mbedtls_ssl_handshake returned" \
1989 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1990 -s "X509 - Certificate verification failed"
1991
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1992run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1993 "$P_SRV debug_level=3 auth_mode=optional" \
1994 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1995 key_file=data_files/server5.key" \
1996 0 \
1997 -S "skip write certificate request" \
1998 -C "skip parse certificate request" \
1999 -c "got a certificate request" \
2000 -C "skip write certificate" \
2001 -C "skip write certificate verify" \
2002 -S "skip parse certificate verify" \
2003 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2004 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2005 -S "! mbedtls_ssl_handshake returned" \
2006 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2007 -S "X509 - Certificate verification failed"
2008
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2009run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2010 "$P_SRV debug_level=3 auth_mode=none" \
2011 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2012 key_file=data_files/server5.key" \
2013 0 \
2014 -s "skip write certificate request" \
2015 -C "skip parse certificate request" \
2016 -c "got no certificate request" \
2017 -c "skip write certificate" \
2018 -c "skip write certificate verify" \
2019 -s "skip parse certificate verify" \
2020 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2021 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2022 -S "! mbedtls_ssl_handshake returned" \
2023 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2024 -S "X509 - Certificate verification failed"
2025
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2026run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2027 "$P_SRV debug_level=3 auth_mode=optional" \
2028 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2029 0 \
2030 -S "skip write certificate request" \
2031 -C "skip parse certificate request" \
2032 -c "got a certificate request" \
2033 -C "skip write certificate$" \
2034 -C "got no certificate to send" \
2035 -S "SSLv3 client has no certificate" \
2036 -c "skip write certificate verify" \
2037 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2038 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2039 -S "! mbedtls_ssl_handshake returned" \
2040 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2041 -S "X509 - Certificate verification failed"
2042
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2043run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2044 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2045 "$O_CLI" \
2046 0 \
2047 -S "skip write certificate request" \
2048 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2049 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2050 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2051 -S "X509 - Certificate verification failed"
2052
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2053run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2054 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2055 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2056 0 \
2057 -C "skip parse certificate request" \
2058 -c "got a certificate request" \
2059 -C "skip write certificate$" \
2060 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2061 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2062
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2063requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2064run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2065 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2066 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2067 0 \
2068 -S "skip write certificate request" \
2069 -C "skip parse certificate request" \
2070 -c "got a certificate request" \
2071 -C "skip write certificate$" \
2072 -c "skip write certificate verify" \
2073 -c "got no certificate to send" \
2074 -s "SSLv3 client has no certificate" \
2075 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2076 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2077 -S "! mbedtls_ssl_handshake returned" \
2078 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2079 -S "X509 - Certificate verification failed"
2080
Manuel Pégourié-Gonnard591035d2017-06-26 10:45:33 +0200[diff] [blame]2081run_test "Authentication: server max_int chain, client default" \
2082 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2083 key_file=data_files/dir-maxpath/09.key" \
2084 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2085 0 \
2086 -C "X509 - A fatal error occured"
2087
2088run_test "Authentication: server max_int+1 chain, client default" \
2089 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2090 key_file=data_files/dir-maxpath/10.key" \
2091 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2092 1 \
2093 -c "X509 - A fatal error occured"
2094
2095run_test "Authentication: server max_int+1 chain, client optional" \
2096 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2097 key_file=data_files/dir-maxpath/10.key" \
2098 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2099 auth_mode=optional" \
2100 1 \
2101 -c "X509 - A fatal error occured"
2102
2103run_test "Authentication: server max_int+1 chain, client none" \
2104 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2105 key_file=data_files/dir-maxpath/10.key" \
2106 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2107 auth_mode=none" \
2108 0 \
2109 -C "X509 - A fatal error occured"
2110
2111run_test "Authentication: client max_int+1 chain, server default" \
2112 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2113 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2114 key_file=data_files/dir-maxpath/10.key" \
2115 0 \
2116 -S "X509 - A fatal error occured"
2117
2118run_test "Authentication: client max_int+1 chain, server optional" \
2119 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2120 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2121 key_file=data_files/dir-maxpath/10.key" \
2122 1 \
2123 -s "X509 - A fatal error occured"
2124
2125run_test "Authentication: client max_int+1 chain, server required" \
2126 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2127 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2128 key_file=data_files/dir-maxpath/10.key" \
2129 1 \
2130 -s "X509 - A fatal error occured"
2131
2132run_test "Authentication: client max_int chain, server required" \
2133 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2134 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2135 key_file=data_files/dir-maxpath/09.key" \
2136 0 \
2137 -S "X509 - A fatal error occured"
2138
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2139# Tests for certificate selection based on SHA verson
2140
2141run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2142 "$P_SRV crt_file=data_files/server5.crt \
2143 key_file=data_files/server5.key \
2144 crt_file2=data_files/server5-sha1.crt \
2145 key_file2=data_files/server5.key" \
2146 "$P_CLI force_version=tls1_2" \
2147 0 \
2148 -c "signed using.*ECDSA with SHA256" \
2149 -C "signed using.*ECDSA with SHA1"
2150
2151run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2152 "$P_SRV crt_file=data_files/server5.crt \
2153 key_file=data_files/server5.key \
2154 crt_file2=data_files/server5-sha1.crt \
2155 key_file2=data_files/server5.key" \
2156 "$P_CLI force_version=tls1_1" \
2157 0 \
2158 -C "signed using.*ECDSA with SHA256" \
2159 -c "signed using.*ECDSA with SHA1"
2160
2161run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2162 "$P_SRV crt_file=data_files/server5.crt \
2163 key_file=data_files/server5.key \
2164 crt_file2=data_files/server5-sha1.crt \
2165 key_file2=data_files/server5.key" \
2166 "$P_CLI force_version=tls1" \
2167 0 \
2168 -C "signed using.*ECDSA with SHA256" \
2169 -c "signed using.*ECDSA with SHA1"
2170
2171run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2172 "$P_SRV crt_file=data_files/server5.crt \
2173 key_file=data_files/server5.key \
2174 crt_file2=data_files/server6.crt \
2175 key_file2=data_files/server6.key" \
2176 "$P_CLI force_version=tls1_1" \
2177 0 \
2178 -c "serial number.*09" \
2179 -c "signed using.*ECDSA with SHA256" \
2180 -C "signed using.*ECDSA with SHA1"
2181
2182run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2183 "$P_SRV crt_file=data_files/server6.crt \
2184 key_file=data_files/server6.key \
2185 crt_file2=data_files/server5.crt \
2186 key_file2=data_files/server5.key" \
2187 "$P_CLI force_version=tls1_1" \
2188 0 \
2189 -c "serial number.*0A" \
2190 -c "signed using.*ECDSA with SHA256" \
2191 -C "signed using.*ECDSA with SHA1"
2192
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2193# tests for SNI
2194
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2195run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2196 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2197 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2198 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2199 0 \
2200 -S "parse ServerName extension" \
2201 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2202 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2203
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2204run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2205 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2206 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2207 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2208 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2209 0 \
2210 -s "parse ServerName extension" \
2211 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2212 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2213
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2214run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2215 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2216 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2217 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2218 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2219 0 \
2220 -s "parse ServerName extension" \
2221 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2222 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2223
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2224run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2225 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2226 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2227 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2228 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2229 1 \
2230 -s "parse ServerName extension" \
2231 -s "ssl_sni_wrapper() returned" \
2232 -s "mbedtls_ssl_handshake returned" \
2233 -c "mbedtls_ssl_handshake returned" \
2234 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2235
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2236run_test "SNI: client auth no override: optional" \
2237 "$P_SRV debug_level=3 auth_mode=optional \
2238 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2239 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2240 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2241 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2242 -S "skip write certificate request" \
2243 -C "skip parse certificate request" \
2244 -c "got a certificate request" \
2245 -C "skip write certificate" \
2246 -C "skip write certificate verify" \
2247 -S "skip parse certificate verify"
2248
2249run_test "SNI: client auth override: none -> optional" \
2250 "$P_SRV debug_level=3 auth_mode=none \
2251 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2252 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2253 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2254 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2255 -S "skip write certificate request" \
2256 -C "skip parse certificate request" \
2257 -c "got a certificate request" \
2258 -C "skip write certificate" \
2259 -C "skip write certificate verify" \
2260 -S "skip parse certificate verify"
2261
2262run_test "SNI: client auth override: optional -> none" \
2263 "$P_SRV debug_level=3 auth_mode=optional \
2264 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2265 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2266 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2267 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2268 -s "skip write certificate request" \
2269 -C "skip parse certificate request" \
2270 -c "got no certificate request" \
2271 -c "skip write certificate" \
2272 -c "skip write certificate verify" \
2273 -s "skip parse certificate verify"
2274
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2275run_test "SNI: CA no override" \
2276 "$P_SRV debug_level=3 auth_mode=optional \
2277 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2278 ca_file=data_files/test-ca.crt \
2279 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2280 "$P_CLI debug_level=3 server_name=localhost \
2281 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2282 1 \
2283 -S "skip write certificate request" \
2284 -C "skip parse certificate request" \
2285 -c "got a certificate request" \
2286 -C "skip write certificate" \
2287 -C "skip write certificate verify" \
2288 -S "skip parse certificate verify" \
2289 -s "x509_verify_cert() returned" \
2290 -s "! The certificate is not correctly signed by the trusted CA" \
2291 -S "The certificate has been revoked (is on a CRL)"
2292
2293run_test "SNI: CA override" \
2294 "$P_SRV debug_level=3 auth_mode=optional \
2295 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2296 ca_file=data_files/test-ca.crt \
2297 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2298 "$P_CLI debug_level=3 server_name=localhost \
2299 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2300 0 \
2301 -S "skip write certificate request" \
2302 -C "skip parse certificate request" \
2303 -c "got a certificate request" \
2304 -C "skip write certificate" \
2305 -C "skip write certificate verify" \
2306 -S "skip parse certificate verify" \
2307 -S "x509_verify_cert() returned" \
2308 -S "! The certificate is not correctly signed by the trusted CA" \
2309 -S "The certificate has been revoked (is on a CRL)"
2310
2311run_test "SNI: CA override with CRL" \
2312 "$P_SRV debug_level=3 auth_mode=optional \
2313 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2314 ca_file=data_files/test-ca.crt \
2315 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2316 "$P_CLI debug_level=3 server_name=localhost \
2317 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2318 1 \
2319 -S "skip write certificate request" \
2320 -C "skip parse certificate request" \
2321 -c "got a certificate request" \
2322 -C "skip write certificate" \
2323 -C "skip write certificate verify" \
2324 -S "skip parse certificate verify" \
2325 -s "x509_verify_cert() returned" \
2326 -S "! The certificate is not correctly signed by the trusted CA" \
2327 -s "The certificate has been revoked (is on a CRL)"
2328
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2329# Tests for non-blocking I/O: exercise a variety of handshake flows
2330
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2331run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2332 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2333 "$P_CLI nbio=2 tickets=0" \
2334 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2335 -S "mbedtls_ssl_handshake returned" \
2336 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2337 -c "Read from server: .* bytes read"
2338
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2339run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2340 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2341 "$P_CLI nbio=2 tickets=0" \
2342 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2343 -S "mbedtls_ssl_handshake returned" \
2344 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2345 -c "Read from server: .* bytes read"
2346
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2347run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2348 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2349 "$P_CLI nbio=2 tickets=1" \
2350 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2351 -S "mbedtls_ssl_handshake returned" \
2352 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2353 -c "Read from server: .* bytes read"
2354
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2355run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2356 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2357 "$P_CLI nbio=2 tickets=1" \
2358 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2359 -S "mbedtls_ssl_handshake returned" \
2360 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2361 -c "Read from server: .* bytes read"
2362
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2363run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2364 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2365 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2366 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2367 -S "mbedtls_ssl_handshake returned" \
2368 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2369 -c "Read from server: .* bytes read"
2370
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2371run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2372 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2373 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2374 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2375 -S "mbedtls_ssl_handshake returned" \
2376 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2377 -c "Read from server: .* bytes read"
2378
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2379run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2380 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2381 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2382 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2383 -S "mbedtls_ssl_handshake returned" \
2384 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2385 -c "Read from server: .* bytes read"
2386
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2387# Tests for version negotiation
2388
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2389run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2390 "$P_SRV" \
2391 "$P_CLI" \
2392 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2393 -S "mbedtls_ssl_handshake returned" \
2394 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2395 -s "Protocol is TLSv1.2" \
2396 -c "Protocol is TLSv1.2"
2397
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2398run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2399 "$P_SRV" \
2400 "$P_CLI max_version=tls1_1" \
2401 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2402 -S "mbedtls_ssl_handshake returned" \
2403 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2404 -s "Protocol is TLSv1.1" \
2405 -c "Protocol is TLSv1.1"
2406
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2407run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2408 "$P_SRV max_version=tls1_1" \
2409 "$P_CLI" \
2410 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2411 -S "mbedtls_ssl_handshake returned" \
2412 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2413 -s "Protocol is TLSv1.1" \
2414 -c "Protocol is TLSv1.1"
2415
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2416run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2417 "$P_SRV max_version=tls1_1" \
2418 "$P_CLI max_version=tls1_1" \
2419 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2420 -S "mbedtls_ssl_handshake returned" \
2421 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2422 -s "Protocol is TLSv1.1" \
2423 -c "Protocol is TLSv1.1"
2424
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2425run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2426 "$P_SRV min_version=tls1_1" \
2427 "$P_CLI max_version=tls1_1" \
2428 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2429 -S "mbedtls_ssl_handshake returned" \
2430 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2431 -s "Protocol is TLSv1.1" \
2432 -c "Protocol is TLSv1.1"
2433
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2434run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2435 "$P_SRV max_version=tls1_1" \
2436 "$P_CLI min_version=tls1_1" \
2437 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2438 -S "mbedtls_ssl_handshake returned" \
2439 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2440 -s "Protocol is TLSv1.1" \
2441 -c "Protocol is TLSv1.1"
2442
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2443run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2444 "$P_SRV max_version=tls1_1" \
2445 "$P_CLI min_version=tls1_2" \
2446 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2447 -s "mbedtls_ssl_handshake returned" \
2448 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2449 -c "SSL - Handshake protocol not within min/max boundaries"
2450
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2451run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2452 "$P_SRV min_version=tls1_2" \
2453 "$P_CLI max_version=tls1_1" \
2454 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2455 -s "mbedtls_ssl_handshake returned" \
2456 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2457 -s "SSL - Handshake protocol not within min/max boundaries"
2458
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2459# Tests for ALPN extension
2460
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2461run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2462 "$P_SRV debug_level=3" \
2463 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2464 0 \
2465 -C "client hello, adding alpn extension" \
2466 -S "found alpn extension" \
2467 -C "got an alert message, type: \\[2:120]" \
2468 -S "server hello, adding alpn extension" \
2469 -C "found alpn extension " \
2470 -C "Application Layer Protocol is" \
2471 -S "Application Layer Protocol is"
2472
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2473run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2474 "$P_SRV debug_level=3" \
2475 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2476 0 \
2477 -c "client hello, adding alpn extension" \
2478 -s "found alpn extension" \
2479 -C "got an alert message, type: \\[2:120]" \
2480 -S "server hello, adding alpn extension" \
2481 -C "found alpn extension " \
2482 -c "Application Layer Protocol is (none)" \
2483 -S "Application Layer Protocol is"
2484
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2485run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2486 "$P_SRV debug_level=3 alpn=abc,1234" \
2487 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2488 0 \
2489 -C "client hello, adding alpn extension" \
2490 -S "found alpn extension" \
2491 -C "got an alert message, type: \\[2:120]" \
2492 -S "server hello, adding alpn extension" \
2493 -C "found alpn extension " \
2494 -C "Application Layer Protocol is" \
2495 -s "Application Layer Protocol is (none)"
2496
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2497run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2498 "$P_SRV debug_level=3 alpn=abc,1234" \
2499 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2500 0 \
2501 -c "client hello, adding alpn extension" \
2502 -s "found alpn extension" \
2503 -C "got an alert message, type: \\[2:120]" \
2504 -s "server hello, adding alpn extension" \
2505 -c "found alpn extension" \
2506 -c "Application Layer Protocol is abc" \
2507 -s "Application Layer Protocol is abc"
2508
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2509run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2510 "$P_SRV debug_level=3 alpn=abc,1234" \
2511 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2512 0 \
2513 -c "client hello, adding alpn extension" \
2514 -s "found alpn extension" \
2515 -C "got an alert message, type: \\[2:120]" \
2516 -s "server hello, adding alpn extension" \
2517 -c "found alpn extension" \
2518 -c "Application Layer Protocol is abc" \
2519 -s "Application Layer Protocol is abc"
2520
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2521run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2522 "$P_SRV debug_level=3 alpn=abc,1234" \
2523 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2524 0 \
2525 -c "client hello, adding alpn extension" \
2526 -s "found alpn extension" \
2527 -C "got an alert message, type: \\[2:120]" \
2528 -s "server hello, adding alpn extension" \
2529 -c "found alpn extension" \
2530 -c "Application Layer Protocol is 1234" \
2531 -s "Application Layer Protocol is 1234"
2532
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2533run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2534 "$P_SRV debug_level=3 alpn=abc,123" \
2535 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2536 1 \
2537 -c "client hello, adding alpn extension" \
2538 -s "found alpn extension" \
2539 -c "got an alert message, type: \\[2:120]" \
2540 -S "server hello, adding alpn extension" \
2541 -C "found alpn extension" \
2542 -C "Application Layer Protocol is 1234" \
2543 -S "Application Layer Protocol is 1234"
2544
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2545
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2546# Tests for keyUsage in leaf certificates, part 1:
2547# server-side certificate/suite selection
2548
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2549run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2550 "$P_SRV key_file=data_files/server2.key \
2551 crt_file=data_files/server2.ku-ds.crt" \
2552 "$P_CLI" \
2553 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2554 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2555
2556
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2557run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2558 "$P_SRV key_file=data_files/server2.key \
2559 crt_file=data_files/server2.ku-ke.crt" \
2560 "$P_CLI" \
2561 0 \
2562 -c "Ciphersuite is TLS-RSA-WITH-"
2563
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2564run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2565 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2566 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2567 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2568 1 \
2569 -C "Ciphersuite is "
2570
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2571run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2572 "$P_SRV key_file=data_files/server5.key \
2573 crt_file=data_files/server5.ku-ds.crt" \
2574 "$P_CLI" \
2575 0 \
2576 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2577
2578
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2579run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2580 "$P_SRV key_file=data_files/server5.key \
2581 crt_file=data_files/server5.ku-ka.crt" \
2582 "$P_CLI" \
2583 0 \
2584 -c "Ciphersuite is TLS-ECDH-"
2585
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2586run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2587 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2588 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2589 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2590 1 \
2591 -C "Ciphersuite is "
2592
2593# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2594# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2595
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2596run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2597 "$O_SRV -key data_files/server2.key \
2598 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2599 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2600 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2601 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2602 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2603 -C "Processing of the Certificate handshake message failed" \
2604 -c "Ciphersuite is TLS-"
2605
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2606run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2607 "$O_SRV -key data_files/server2.key \
2608 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2609 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2610 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2611 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2612 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2613 -C "Processing of the Certificate handshake message failed" \
2614 -c "Ciphersuite is TLS-"
2615
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2616run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2617 "$O_SRV -key data_files/server2.key \
2618 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2619 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2620 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2621 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2622 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2623 -C "Processing of the Certificate handshake message failed" \
2624 -c "Ciphersuite is TLS-"
2625
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2626run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2627 "$O_SRV -key data_files/server2.key \
2628 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2629 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2630 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2631 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2632 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2633 -c "Processing of the Certificate handshake message failed" \
2634 -C "Ciphersuite is TLS-"
2635
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2636run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2637 "$O_SRV -key data_files/server2.key \
2638 -cert data_files/server2.ku-ke.crt" \
2639 "$P_CLI debug_level=1 auth_mode=optional \
2640 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2641 0 \
2642 -c "bad certificate (usage extensions)" \
2643 -C "Processing of the Certificate handshake message failed" \
2644 -c "Ciphersuite is TLS-" \
2645 -c "! Usage does not match the keyUsage extension"
2646
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2647run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2648 "$O_SRV -key data_files/server2.key \
2649 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2650 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2651 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2652 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2653 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2654 -C "Processing of the Certificate handshake message failed" \
2655 -c "Ciphersuite is TLS-"
2656
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2657run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2658 "$O_SRV -key data_files/server2.key \
2659 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2660 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2661 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2662 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2663 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2664 -c "Processing of the Certificate handshake message failed" \
2665 -C "Ciphersuite is TLS-"
2666
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2667run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2668 "$O_SRV -key data_files/server2.key \
2669 -cert data_files/server2.ku-ds.crt" \
2670 "$P_CLI debug_level=1 auth_mode=optional \
2671 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2672 0 \
2673 -c "bad certificate (usage extensions)" \
2674 -C "Processing of the Certificate handshake message failed" \
2675 -c "Ciphersuite is TLS-" \
2676 -c "! Usage does not match the keyUsage extension"
2677
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2678# Tests for keyUsage in leaf certificates, part 3:
2679# server-side checking of client cert
2680
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2681run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2682 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2683 "$O_CLI -key data_files/server2.key \
2684 -cert data_files/server2.ku-ds.crt" \
2685 0 \
2686 -S "bad certificate (usage extensions)" \
2687 -S "Processing of the Certificate handshake message failed"
2688
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2689run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2690 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2691 "$O_CLI -key data_files/server2.key \
2692 -cert data_files/server2.ku-ke.crt" \
2693 0 \
2694 -s "bad certificate (usage extensions)" \
2695 -S "Processing of the Certificate handshake message failed"
2696
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2697run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2698 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2699 "$O_CLI -key data_files/server2.key \
2700 -cert data_files/server2.ku-ke.crt" \
2701 1 \
2702 -s "bad certificate (usage extensions)" \
2703 -s "Processing of the Certificate handshake message failed"
2704
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2705run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2706 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2707 "$O_CLI -key data_files/server5.key \
2708 -cert data_files/server5.ku-ds.crt" \
2709 0 \
2710 -S "bad certificate (usage extensions)" \
2711 -S "Processing of the Certificate handshake message failed"
2712
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2713run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2714 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2715 "$O_CLI -key data_files/server5.key \
2716 -cert data_files/server5.ku-ka.crt" \
2717 0 \
2718 -s "bad certificate (usage extensions)" \
2719 -S "Processing of the Certificate handshake message failed"
2720
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2721# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2722
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2723run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2724 "$P_SRV key_file=data_files/server5.key \
2725 crt_file=data_files/server5.eku-srv.crt" \
2726 "$P_CLI" \
2727 0
2728
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2729run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2730 "$P_SRV key_file=data_files/server5.key \
2731 crt_file=data_files/server5.eku-srv.crt" \
2732 "$P_CLI" \
2733 0
2734
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2735run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2736 "$P_SRV key_file=data_files/server5.key \
2737 crt_file=data_files/server5.eku-cs_any.crt" \
2738 "$P_CLI" \
2739 0
2740
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2741run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2742 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2743 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2744 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2745 1
2746
2747# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2748
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2749run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2750 "$O_SRV -key data_files/server5.key \
2751 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2752 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2753 0 \
2754 -C "bad certificate (usage extensions)" \
2755 -C "Processing of the Certificate handshake message failed" \
2756 -c "Ciphersuite is TLS-"
2757
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2758run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2759 "$O_SRV -key data_files/server5.key \
2760 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2761 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2762 0 \
2763 -C "bad certificate (usage extensions)" \
2764 -C "Processing of the Certificate handshake message failed" \
2765 -c "Ciphersuite is TLS-"
2766
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2767run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2768 "$O_SRV -key data_files/server5.key \
2769 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2770 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2771 0 \
2772 -C "bad certificate (usage extensions)" \
2773 -C "Processing of the Certificate handshake message failed" \
2774 -c "Ciphersuite is TLS-"
2775
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2776run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2777 "$O_SRV -key data_files/server5.key \
2778 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2779 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2780 1 \
2781 -c "bad certificate (usage extensions)" \
2782 -c "Processing of the Certificate handshake message failed" \
2783 -C "Ciphersuite is TLS-"
2784
2785# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2786
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2787run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2788 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2789 "$O_CLI -key data_files/server5.key \
2790 -cert data_files/server5.eku-cli.crt" \
2791 0 \
2792 -S "bad certificate (usage extensions)" \
2793 -S "Processing of the Certificate handshake message failed"
2794
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2795run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2796 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2797 "$O_CLI -key data_files/server5.key \
2798 -cert data_files/server5.eku-srv_cli.crt" \
2799 0 \
2800 -S "bad certificate (usage extensions)" \
2801 -S "Processing of the Certificate handshake message failed"
2802
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2803run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2804 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2805 "$O_CLI -key data_files/server5.key \
2806 -cert data_files/server5.eku-cs_any.crt" \
2807 0 \
2808 -S "bad certificate (usage extensions)" \
2809 -S "Processing of the Certificate handshake message failed"
2810
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2811run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2812 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2813 "$O_CLI -key data_files/server5.key \
2814 -cert data_files/server5.eku-cs.crt" \
2815 0 \
2816 -s "bad certificate (usage extensions)" \
2817 -S "Processing of the Certificate handshake message failed"
2818
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2819run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2820 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2821 "$O_CLI -key data_files/server5.key \
2822 -cert data_files/server5.eku-cs.crt" \
2823 1 \
2824 -s "bad certificate (usage extensions)" \
2825 -s "Processing of the Certificate handshake message failed"
2826
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2827# Tests for DHM parameters loading
2828
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2829run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2830 "$P_SRV" \
2831 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2832 debug_level=3" \
2833 0 \
2834 -c "value of 'DHM: P ' (2048 bits)" \
2835 -c "value of 'DHM: G ' (2048 bits)"
2836
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2837run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2838 "$P_SRV dhm_file=data_files/dhparams.pem" \
2839 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2840 debug_level=3" \
2841 0 \
2842 -c "value of 'DHM: P ' (1024 bits)" \
2843 -c "value of 'DHM: G ' (2 bits)"
2844
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]2845# Tests for DHM client-side size checking
2846
2847run_test "DHM size: server default, client default, OK" \
2848 "$P_SRV" \
2849 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2850 debug_level=1" \
2851 0 \
2852 -C "DHM prime too short:"
2853
2854run_test "DHM size: server default, client 2048, OK" \
2855 "$P_SRV" \
2856 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2857 debug_level=1 dhmlen=2048" \
2858 0 \
2859 -C "DHM prime too short:"
2860
2861run_test "DHM size: server 1024, client default, OK" \
2862 "$P_SRV dhm_file=data_files/dhparams.pem" \
2863 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2864 debug_level=1" \
2865 0 \
2866 -C "DHM prime too short:"
2867
2868run_test "DHM size: server 1000, client default, rejected" \
2869 "$P_SRV dhm_file=data_files/dh.1000.pem" \
2870 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2871 debug_level=1" \
2872 1 \
2873 -c "DHM prime too short:"
2874
2875run_test "DHM size: server default, client 2049, rejected" \
2876 "$P_SRV" \
2877 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2878 debug_level=1 dhmlen=2049" \
2879 1 \
2880 -c "DHM prime too short:"
2881
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2882# Tests for PSK callback
2883
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2884run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2885 "$P_SRV psk=abc123 psk_identity=foo" \
2886 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2887 psk_identity=foo psk=abc123" \
2888 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2889 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2890 -S "SSL - Unknown identity received" \
2891 -S "SSL - Verification of the message MAC failed"
2892
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2893run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2894 "$P_SRV" \
2895 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2896 psk_identity=foo psk=abc123" \
2897 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2898 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2899 -S "SSL - Unknown identity received" \
2900 -S "SSL - Verification of the message MAC failed"
2901
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2902run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2903 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2904 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2905 psk_identity=foo psk=abc123" \
2906 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2907 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2908 -s "SSL - Unknown identity received" \
2909 -S "SSL - Verification of the message MAC failed"
2910
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2911run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2912 "$P_SRV psk_list=abc,dead,def,beef" \
2913 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2914 psk_identity=abc psk=dead" \
2915 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2916 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2917 -S "SSL - Unknown identity received" \
2918 -S "SSL - Verification of the message MAC failed"
2919
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2920run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2921 "$P_SRV psk_list=abc,dead,def,beef" \
2922 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2923 psk_identity=def psk=beef" \
2924 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2925 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2926 -S "SSL - Unknown identity received" \
2927 -S "SSL - Verification of the message MAC failed"
2928
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2929run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2930 "$P_SRV psk_list=abc,dead,def,beef" \
2931 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2932 psk_identity=ghi psk=beef" \
2933 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2934 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2935 -s "SSL - Unknown identity received" \
2936 -S "SSL - Verification of the message MAC failed"
2937
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2938run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2939 "$P_SRV psk_list=abc,dead,def,beef" \
2940 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2941 psk_identity=abc psk=beef" \
2942 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2943 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2944 -S "SSL - Unknown identity received" \
2945 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2946
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2947# Tests for ciphersuites per version
2948
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2949requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2950run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2951 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2952 "$P_CLI force_version=ssl3" \
2953 0 \
2954 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
2955
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2956run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2957 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2958 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2959 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2960 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2961
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2962run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2963 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2964 "$P_CLI force_version=tls1_1" \
2965 0 \
2966 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
2967
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2968run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2969 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2970 "$P_CLI force_version=tls1_2" \
2971 0 \
2972 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
2973
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]2974# Test for ClientHello without extensions
2975
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]2976requires_gnutls
Gilles Peskine7344e1b2017-05-12 13:16:40 +0200[diff] [blame]2977run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]2978 "$P_SRV debug_level=3" \
2979 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
2980 0 \
2981 -s "dumping 'client hello extensions' (0 bytes)"
2982
Gilles Peskine7344e1b2017-05-12 13:16:40 +0200[diff] [blame]2983requires_gnutls
2984run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
2985 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
2986 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
2987 0 \
2988 -s "dumping 'client hello extensions' (0 bytes)"
2989
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2990# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2991
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2992run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2993 "$P_SRV" \
2994 "$P_CLI request_size=100" \
2995 0 \
2996 -s "Read from client: 100 bytes read$"
2997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2998run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2999 "$P_SRV" \
3000 "$P_CLI request_size=500" \
3001 0 \
3002 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3003
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3004# Tests for small packets
3005
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3006requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3007run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3008 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3009 "$P_CLI request_size=1 force_version=ssl3 \
3010 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3011 0 \
3012 -s "Read from client: 1 bytes read"
3013
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3014requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3015run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3016 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3017 "$P_CLI request_size=1 force_version=ssl3 \
3018 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3019 0 \
3020 -s "Read from client: 1 bytes read"
3021
3022run_test "Small packet TLS 1.0 BlockCipher" \
3023 "$P_SRV" \
3024 "$P_CLI request_size=1 force_version=tls1 \
3025 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3026 0 \
3027 -s "Read from client: 1 bytes read"
3028
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3029run_test "Small packet TLS 1.0 BlockCipher without EtM" \
3030 "$P_SRV" \
3031 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3032 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3033 0 \
3034 -s "Read from client: 1 bytes read"
3035
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3036run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
3037 "$P_SRV" \
3038 "$P_CLI request_size=1 force_version=tls1 \
3039 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3040 trunc_hmac=1" \
3041 0 \
3042 -s "Read from client: 1 bytes read"
3043
3044run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3045 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3046 "$P_CLI request_size=1 force_version=tls1 \
3047 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3048 trunc_hmac=1" \
3049 0 \
3050 -s "Read from client: 1 bytes read"
3051
3052run_test "Small packet TLS 1.1 BlockCipher" \
3053 "$P_SRV" \
3054 "$P_CLI request_size=1 force_version=tls1_1 \
3055 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3056 0 \
3057 -s "Read from client: 1 bytes read"
3058
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3059run_test "Small packet TLS 1.1 BlockCipher without EtM" \
3060 "$P_SRV" \
3061 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
3062 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3063 0 \
3064 -s "Read from client: 1 bytes read"
3065
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3066run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3067 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3068 "$P_CLI request_size=1 force_version=tls1_1 \
3069 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3070 0 \
3071 -s "Read from client: 1 bytes read"
3072
3073run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
3074 "$P_SRV" \
3075 "$P_CLI request_size=1 force_version=tls1_1 \
3076 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3077 trunc_hmac=1" \
3078 0 \
3079 -s "Read from client: 1 bytes read"
3080
3081run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3082 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3083 "$P_CLI request_size=1 force_version=tls1_1 \
3084 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3085 trunc_hmac=1" \
3086 0 \
3087 -s "Read from client: 1 bytes read"
3088
3089run_test "Small packet TLS 1.2 BlockCipher" \
3090 "$P_SRV" \
3091 "$P_CLI request_size=1 force_version=tls1_2 \
3092 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3093 0 \
3094 -s "Read from client: 1 bytes read"
3095
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3096run_test "Small packet TLS 1.2 BlockCipher without EtM" \
3097 "$P_SRV" \
3098 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
3099 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3100 0 \
3101 -s "Read from client: 1 bytes read"
3102
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3103run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3104 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3105 "$P_CLI request_size=1 force_version=tls1_2 \
3106 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3107 0 \
3108 -s "Read from client: 1 bytes read"
3109
3110run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
3111 "$P_SRV" \
3112 "$P_CLI request_size=1 force_version=tls1_2 \
3113 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3114 trunc_hmac=1" \
3115 0 \
3116 -s "Read from client: 1 bytes read"
3117
3118run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3119 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3120 "$P_CLI request_size=1 force_version=tls1_2 \
3121 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3122 0 \
3123 -s "Read from client: 1 bytes read"
3124
3125run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3126 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3127 "$P_CLI request_size=1 force_version=tls1_2 \
3128 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3129 trunc_hmac=1" \
3130 0 \
3131 -s "Read from client: 1 bytes read"
3132
3133run_test "Small packet TLS 1.2 AEAD" \
3134 "$P_SRV" \
3135 "$P_CLI request_size=1 force_version=tls1_2 \
3136 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3137 0 \
3138 -s "Read from client: 1 bytes read"
3139
3140run_test "Small packet TLS 1.2 AEAD shorter tag" \
3141 "$P_SRV" \
3142 "$P_CLI request_size=1 force_version=tls1_2 \
3143 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3144 0 \
3145 -s "Read from client: 1 bytes read"
3146
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]3147# A test for extensions in SSLv3
3148
3149requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3150run_test "SSLv3 with extensions, server side" \
3151 "$P_SRV min_version=ssl3 debug_level=3" \
3152 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3153 0 \
3154 -S "dumping 'client hello extensions'" \
3155 -S "server hello, total extension length:"
3156
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3157# Test for large packets
3158
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3159requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3160run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3161 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3162 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3163 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3164 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3165 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3166 -s "Read from client: 16384 bytes read"
3167
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3168requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3169run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3170 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3171 "$P_CLI request_size=16384 force_version=ssl3 \
3172 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3173 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3174 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3175 -s "Read from client: 16384 bytes read"
3176
3177run_test "Large packet TLS 1.0 BlockCipher" \
3178 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3179 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3180 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3181 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3182 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3183 -s "Read from client: 16384 bytes read"
3184
3185run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
3186 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3187 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3188 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3189 trunc_hmac=1" \
3190 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3191 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3192 -s "Read from client: 16384 bytes read"
3193
3194run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3195 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3196 "$P_CLI request_size=16384 force_version=tls1 \
3197 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3198 trunc_hmac=1" \
3199 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3200 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3201 -s "Read from client: 16384 bytes read"
3202
3203run_test "Large packet TLS 1.1 BlockCipher" \
3204 "$P_SRV" \
3205 "$P_CLI request_size=16384 force_version=tls1_1 \
3206 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3207 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3208 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3209 -s "Read from client: 16384 bytes read"
3210
3211run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3212 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3213 "$P_CLI request_size=16384 force_version=tls1_1 \
3214 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3215 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3216 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3217 -s "Read from client: 16384 bytes read"
3218
3219run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
3220 "$P_SRV" \
3221 "$P_CLI request_size=16384 force_version=tls1_1 \
3222 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3223 trunc_hmac=1" \
3224 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3225 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3226 -s "Read from client: 16384 bytes read"
3227
3228run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3229 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3230 "$P_CLI request_size=16384 force_version=tls1_1 \
3231 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3232 trunc_hmac=1" \
3233 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3234 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3235 -s "Read from client: 16384 bytes read"
3236
3237run_test "Large packet TLS 1.2 BlockCipher" \
3238 "$P_SRV" \
3239 "$P_CLI request_size=16384 force_version=tls1_2 \
3240 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3241 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3242 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3243 -s "Read from client: 16384 bytes read"
3244
3245run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3246 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3247 "$P_CLI request_size=16384 force_version=tls1_2 \
3248 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3249 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3250 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3251 -s "Read from client: 16384 bytes read"
3252
3253run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
3254 "$P_SRV" \
3255 "$P_CLI request_size=16384 force_version=tls1_2 \
3256 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3257 trunc_hmac=1" \
3258 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3259 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3260 -s "Read from client: 16384 bytes read"
3261
3262run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3263 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3264 "$P_CLI request_size=16384 force_version=tls1_2 \
3265 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3266 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3267 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3268 -s "Read from client: 16384 bytes read"
3269
3270run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3271 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3272 "$P_CLI request_size=16384 force_version=tls1_2 \
3273 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3274 trunc_hmac=1" \
3275 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3276 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3277 -s "Read from client: 16384 bytes read"
3278
3279run_test "Large packet TLS 1.2 AEAD" \
3280 "$P_SRV" \
3281 "$P_CLI request_size=16384 force_version=tls1_2 \
3282 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3283 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3284 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3285 -s "Read from client: 16384 bytes read"
3286
3287run_test "Large packet TLS 1.2 AEAD shorter tag" \
3288 "$P_SRV" \
3289 "$P_CLI request_size=16384 force_version=tls1_2 \
3290 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3291 0 \
Hanno Becker0d885d32017-09-18 15:04:19 +0100[diff] [blame]3292 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3293 -s "Read from client: 16384 bytes read"
3294
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3295# Tests for DTLS HelloVerifyRequest
3296
3297run_test "DTLS cookie: enabled" \
3298 "$P_SRV dtls=1 debug_level=2" \
3299 "$P_CLI dtls=1 debug_level=2" \
3300 0 \
3301 -s "cookie verification failed" \
3302 -s "cookie verification passed" \
3303 -S "cookie verification skipped" \
3304 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3305 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3306 -S "SSL - The requested feature is not available"
3307
3308run_test "DTLS cookie: disabled" \
3309 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3310 "$P_CLI dtls=1 debug_level=2" \
3311 0 \
3312 -S "cookie verification failed" \
3313 -S "cookie verification passed" \
3314 -s "cookie verification skipped" \
3315 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3316 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3317 -S "SSL - The requested feature is not available"
3318
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3319run_test "DTLS cookie: default (failing)" \
3320 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3321 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3322 1 \
3323 -s "cookie verification failed" \
3324 -S "cookie verification passed" \
3325 -S "cookie verification skipped" \
3326 -C "received hello verify request" \
3327 -S "hello verification requested" \
3328 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3329
3330requires_ipv6
3331run_test "DTLS cookie: enabled, IPv6" \
3332 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3333 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3334 0 \
3335 -s "cookie verification failed" \
3336 -s "cookie verification passed" \
3337 -S "cookie verification skipped" \
3338 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3339 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3340 -S "SSL - The requested feature is not available"
3341
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3342run_test "DTLS cookie: enabled, nbio" \
3343 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3344 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3345 0 \
3346 -s "cookie verification failed" \
3347 -s "cookie verification passed" \
3348 -S "cookie verification skipped" \
3349 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3350 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3351 -S "SSL - The requested feature is not available"
3352
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3353# Tests for client reconnecting from the same port with DTLS
3354
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3355not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3356run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3357 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3358 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3359 0 \
3360 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3361 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3362 -S "Client initiated reconnection from same port"
3363
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3364not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3365run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3366 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3367 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3368 0 \
3369 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3370 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3371 -s "Client initiated reconnection from same port"
3372
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]3373not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3374run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3375 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3376 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3377 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3378 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3379 -s "Client initiated reconnection from same port"
3380
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]3381only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3382run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3383 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3384 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3385 0 \
3386 -S "The operation timed out" \
3387 -s "Client initiated reconnection from same port"
3388
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3389run_test "DTLS client reconnect from same port: no cookies" \
3390 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]3391 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3392 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3393 -s "The operation timed out" \
3394 -S "Client initiated reconnection from same port"
3395
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3396# Tests for various cases of client authentication with DTLS
3397# (focused on handshake flows and message parsing)
3398
3399run_test "DTLS client auth: required" \
3400 "$P_SRV dtls=1 auth_mode=required" \
3401 "$P_CLI dtls=1" \
3402 0 \
3403 -s "Verifying peer X.509 certificate... ok"
3404
3405run_test "DTLS client auth: optional, client has no cert" \
3406 "$P_SRV dtls=1 auth_mode=optional" \
3407 "$P_CLI dtls=1 crt_file=none key_file=none" \
3408 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3409 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3410
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3411run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3412 "$P_SRV dtls=1 auth_mode=none" \
3413 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
3414 0 \
3415 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3416 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3417
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]3418run_test "DTLS wrong PSK: badmac alert" \
3419 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3420 "$P_CLI dtls=1 psk=abc124" \
3421 1 \
3422 -s "SSL - Verification of the message MAC failed" \
3423 -c "SSL - A fatal alert message was received from our peer"
3424
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3425# Tests for receiving fragmented handshake messages with DTLS
3426
3427requires_gnutls
3428run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3429 "$G_SRV -u --mtu 2048 -a" \
3430 "$P_CLI dtls=1 debug_level=2" \
3431 0 \
3432 -C "found fragmented DTLS handshake message" \
3433 -C "error"
3434
3435requires_gnutls
3436run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3437 "$G_SRV -u --mtu 512" \
3438 "$P_CLI dtls=1 debug_level=2" \
3439 0 \
3440 -c "found fragmented DTLS handshake message" \
3441 -C "error"
3442
3443requires_gnutls
3444run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3445 "$G_SRV -u --mtu 128" \
3446 "$P_CLI dtls=1 debug_level=2" \
3447 0 \
3448 -c "found fragmented DTLS handshake message" \
3449 -C "error"
3450
3451requires_gnutls
3452run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3453 "$G_SRV -u --mtu 128" \
3454 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3455 0 \
3456 -c "found fragmented DTLS handshake message" \
3457 -C "error"
3458
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3459requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]3460requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3461run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3462 "$G_SRV -u --mtu 256" \
3463 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3464 0 \
3465 -c "found fragmented DTLS handshake message" \
3466 -c "client hello, adding renegotiation extension" \
3467 -c "found renegotiation extension" \
3468 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3469 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3470 -C "error" \
3471 -s "Extra-header:"
3472
3473requires_gnutls
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]3474requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3475run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3476 "$G_SRV -u --mtu 256" \
3477 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3478 0 \
3479 -c "found fragmented DTLS handshake message" \
3480 -c "client hello, adding renegotiation extension" \
3481 -c "found renegotiation extension" \
3482 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3483 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3484 -C "error" \
3485 -s "Extra-header:"
3486
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3487run_test "DTLS reassembly: no fragmentation (openssl server)" \
3488 "$O_SRV -dtls1 -mtu 2048" \
3489 "$P_CLI dtls=1 debug_level=2" \
3490 0 \
3491 -C "found fragmented DTLS handshake message" \
3492 -C "error"
3493
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3494run_test "DTLS reassembly: some fragmentation (openssl server)" \
3495 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3496 "$P_CLI dtls=1 debug_level=2" \
3497 0 \
3498 -c "found fragmented DTLS handshake message" \
3499 -C "error"
3500
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3501run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3502 "$O_SRV -dtls1 -mtu 256" \
3503 "$P_CLI dtls=1 debug_level=2" \
3504 0 \
3505 -c "found fragmented DTLS handshake message" \
3506 -C "error"
3507
3508run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3509 "$O_SRV -dtls1 -mtu 256" \
3510 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3511 0 \
3512 -c "found fragmented DTLS handshake message" \
3513 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3514
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3515# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3516
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3517not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3518run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3519 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3520 "$P_SRV dtls=1 debug_level=2" \
3521 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3522 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3523 -C "replayed record" \
3524 -S "replayed record" \
3525 -C "record from another epoch" \
3526 -S "record from another epoch" \
3527 -C "discarding invalid record" \
3528 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3529 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3530 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3531 -c "HTTP/1.0 200 OK"
3532
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3533not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3534run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3535 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3536 "$P_SRV dtls=1 debug_level=2" \
3537 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3538 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3539 -c "replayed record" \
3540 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3541 -c "discarding invalid record" \
3542 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3543 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3544 -s "Extra-header:" \
3545 -c "HTTP/1.0 200 OK"
3546
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3547run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3548 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3549 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3550 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3551 0 \
3552 -c "replayed record" \
3553 -S "replayed record" \
3554 -c "discarding invalid record" \
3555 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3556 -c "resend" \
3557 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3558 -s "Extra-header:" \
3559 -c "HTTP/1.0 200 OK"
3560
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3561run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3562 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3563 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3564 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3565 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3566 -c "discarding invalid record (mac)" \
3567 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3568 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3569 -c "HTTP/1.0 200 OK" \
3570 -S "too many records with bad MAC" \
3571 -S "Verification of the message MAC failed"
3572
3573run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3574 -p "$P_PXY bad_ad=1" \
3575 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3576 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3577 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3578 -C "discarding invalid record (mac)" \
3579 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3580 -S "Extra-header:" \
3581 -C "HTTP/1.0 200 OK" \
3582 -s "too many records with bad MAC" \
3583 -s "Verification of the message MAC failed"
3584
3585run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3586 -p "$P_PXY bad_ad=1" \
3587 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3588 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3589 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3590 -c "discarding invalid record (mac)" \
3591 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3592 -s "Extra-header:" \
3593 -c "HTTP/1.0 200 OK" \
3594 -S "too many records with bad MAC" \
3595 -S "Verification of the message MAC failed"
3596
3597run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3598 -p "$P_PXY bad_ad=1" \
3599 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3600 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3601 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3602 -c "discarding invalid record (mac)" \
3603 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3604 -s "Extra-header:" \
3605 -c "HTTP/1.0 200 OK" \
3606 -s "too many records with bad MAC" \
3607 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3608
3609run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3610 -p "$P_PXY delay_ccs=1" \
3611 "$P_SRV dtls=1 debug_level=1" \
3612 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3613 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3614 -c "record from another epoch" \
3615 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3616 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3617 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3618 -s "Extra-header:" \
3619 -c "HTTP/1.0 200 OK"
3620
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3621# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3622
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3623needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3624run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3625 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3626 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3627 psk=abc123" \
3628 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3629 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3630 0 \
3631 -s "Extra-header:" \
3632 -c "HTTP/1.0 200 OK"
3633
3634needs_more_time 2
3635run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3636 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3637 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3638 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3639 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3640 0 \
3641 -s "Extra-header:" \
3642 -c "HTTP/1.0 200 OK"
3643
3644needs_more_time 2
3645run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3646 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3647 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3648 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3649 0 \
3650 -s "Extra-header:" \
3651 -c "HTTP/1.0 200 OK"
3652
3653needs_more_time 2
3654run_test "DTLS proxy: 3d, FS, client auth" \
3655 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3656 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3657 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3658 0 \
3659 -s "Extra-header:" \
3660 -c "HTTP/1.0 200 OK"
3661
3662needs_more_time 2
3663run_test "DTLS proxy: 3d, FS, ticket" \
3664 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3665 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3666 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3667 0 \
3668 -s "Extra-header:" \
3669 -c "HTTP/1.0 200 OK"
3670
3671needs_more_time 2
3672run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3673 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3674 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3675 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3676 0 \
3677 -s "Extra-header:" \
3678 -c "HTTP/1.0 200 OK"
3679
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3680needs_more_time 2
3681run_test "DTLS proxy: 3d, max handshake, nbio" \
3682 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3683 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3684 auth_mode=required" \
3685 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3686 0 \
3687 -s "Extra-header:" \
3688 -c "HTTP/1.0 200 OK"
3689
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3690needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]3691run_test "DTLS proxy: 3d, min handshake, resumption" \
3692 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3693 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3694 psk=abc123 debug_level=3" \
3695 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3696 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3697 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3698 0 \
3699 -s "a session has been resumed" \
3700 -c "a session has been resumed" \
3701 -s "Extra-header:" \
3702 -c "HTTP/1.0 200 OK"
3703
3704needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]3705run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3706 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3707 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3708 psk=abc123 debug_level=3 nbio=2" \
3709 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3710 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3711 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3712 0 \
3713 -s "a session has been resumed" \
3714 -c "a session has been resumed" \
3715 -s "Extra-header:" \
3716 -c "HTTP/1.0 200 OK"
3717
3718needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]3719requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3720run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3721 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3722 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3723 psk=abc123 renegotiation=1 debug_level=2" \
3724 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3725 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3726 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3727 0 \
3728 -c "=> renegotiate" \
3729 -s "=> renegotiate" \
3730 -s "Extra-header:" \
3731 -c "HTTP/1.0 200 OK"
3732
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3733needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]3734requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3735run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
3736 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3737 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3738 psk=abc123 renegotiation=1 debug_level=2" \
3739 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3740 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3741 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3742 0 \
3743 -c "=> renegotiate" \
3744 -s "=> renegotiate" \
3745 -s "Extra-header:" \
3746 -c "HTTP/1.0 200 OK"
3747
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3748needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]3749requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3750run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3751 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3752 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3753 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3754 debug_level=2" \
3755 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3756 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3757 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3758 0 \
3759 -c "=> renegotiate" \
3760 -s "=> renegotiate" \
3761 -s "Extra-header:" \
3762 -c "HTTP/1.0 200 OK"
3763
3764needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +0100[diff] [blame]3765requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3766run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3767 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3768 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3769 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3770 debug_level=2 nbio=2" \
3771 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3772 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3773 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3774 0 \
3775 -c "=> renegotiate" \
3776 -s "=> renegotiate" \
3777 -s "Extra-header:" \
3778 -c "HTTP/1.0 200 OK"
3779
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +0200[diff] [blame]3780needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3781not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3782run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3783 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3784 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3785 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3786 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3787 -c "HTTP/1.0 200 OK"
3788
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3789needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3790not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3791run_test "DTLS proxy: 3d, openssl server, fragmentation" \
3792 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3793 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3794 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3795 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3796 -c "HTTP/1.0 200 OK"
3797
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3798needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3799not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3800run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
3801 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3802 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3803 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3804 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3805 -c "HTTP/1.0 200 OK"
3806
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3807requires_gnutls
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +0200[diff] [blame]3808needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3809not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3810run_test "DTLS proxy: 3d, gnutls server" \
3811 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3812 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3813 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3814 0 \
3815 -s "Extra-header:" \
3816 -c "Extra-header:"
3817
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3818requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3819needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3820not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3821run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
3822 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3823 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3824 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3825 0 \
3826 -s "Extra-header:" \
3827 -c "Extra-header:"
3828
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3829requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3830needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3831not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3832run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
3833 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3834 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3835 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3836 0 \
3837 -s "Extra-header:" \
3838 -c "Extra-header:"
3839
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3840# Final report
3841
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3842echo "------------------------------------------------------------------------"
3843
3844if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]3845 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3846else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]3847 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3848fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]3849PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]3850echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3851
3852exit $FAILS