#!/bin/sh

# Test various options that are not covered by compat.sh
#
# Here the goal is not to cover every ciphersuite/version, but
# rather specific options (max fragment length, truncated hmac, etc)
# or procedures (session resumption from cache or ticket, renego, etc).
#
# Assumes a build with default options.

set -u

# Default values, can be overridden by the environment.
# These values are spliced into the command strings below, which run_test
# later executes (word-split for the server and proxy, through eval for the
# client), so whatever the environment supplies here is run as given.
# The expansions are quoted so that the ':' no-op neither word-splits nor
# globs the resulting value.
: "${P_SRV:=../programs/ssl/ssl_server2}"
: "${P_CLI:=../programs/ssl/ssl_client2}"
: "${P_PXY:=../programs/test/udp_proxy}"
: "${OPENSSL_CMD:=openssl}" # OPENSSL would conflict with the build system
: "${GNUTLS_CLI:=gnutls-cli}"
: "${GNUTLS_SERV:=gnutls-serv}"
: "${PERL:=perl}"

# Command lines for the peers from other TLS stacks; the two client strings
# embed a pipeline, which is why run_test runs the client through eval.
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
TCP_CLIENT="$PERL scripts/tcp_client.pl"

# Counters updated by print_name, fail and run_test.
TESTS=0
FAILS=0
SKIPS=0

# Build configuration inspected by requires_config_enabled/_disabled.
CONFIG_H='../include/mbedtls/config.h'

# Command-line defaults (see get_options): FILTER and EXCLUDE are grep
# patterns applied to the test names.
MEMCHECK=0
FILTER='.*'
EXCLUDE='^$'

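# print_usage
#
# Print the command-line help on stdout.
# Globals: FILTER, EXCLUDE (read; shown as the current defaults).
print_usage() {
    echo "Usage: $0 [options]"
    printf " -h|--help\tPrint this help.\n"
    printf " -m|--memcheck\tCheck memory leaks and errors.\n"
    # FILTER and EXCLUDE are regexes and may contain '%' or '\': pass them
    # as arguments so printf never interprets them as part of the format.
    printf " -f|--filter\tOnly matching tests are executed (default: '%s')\n" "$FILTER"
    printf " -e|--exclude\tMatching tests are excluded (default: '%s')\n" "$EXCLUDE"
    printf " --seed\tInteger seed value to use for this test run (default: random)\n"
}
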
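# get_options [arg...]
#
# Parse the command line into the globals FILTER, EXCLUDE, MEMCHECK and SEED.
# Prints the usage and exits 0 for -h/--help; prints the usage and exits 1
# on an unknown argument or when an option that takes a value comes last.
get_options() {
    while [ $# -gt 0 ]; do
        # Options that take a value: without this check a trailing "-f"
        # would shift past the end and expand an unset $1, which under
        # 'set -u' aborts the script without any usage message.
        case "$1" in
            -f|--filter|-e|--exclude|--seed)
                if [ $# -lt 2 ]; then
                    echo "Option '$1' requires an argument"
                    print_usage
                    exit 1
                fi
                ;;
        esac

        case "$1" in
            -f|--filter)
                shift; FILTER=$1
                ;;
            -e|--exclude)
                shift; EXCLUDE=$1
                ;;
            -m|--memcheck)
                MEMCHECK=1
                ;;
            --seed)
                shift; SEED="$1"
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done
}
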
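# skip next test if the flag is not enabled in config.h
#
# $1: exact macro name. The name must be followed by whitespace or the end
# of the line, so that asking for FOO is not satisfied by "#define FOO_BAR";
# a prefix match would silently run a test that should have been skipped.
# Sets SKIP_NEXT="YES" when no matching "#define" line is found in CONFIG_H.
requires_config_enabled() {
    if grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null; then :; else
        SKIP_NEXT="YES"
    fi
}
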
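# skip next test if the flag is enabled in config.h
#
# $1: exact macro name. The name must be followed by whitespace or the end
# of the line, so that "#define FOO_BAR" does not count as FOO being
# enabled; a prefix match would silently skip a test that should have run.
# Sets SKIP_NEXT="YES" when a matching "#define" line is found in CONFIG_H.
requires_config_disabled() {
    if grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null; then
        SKIP_NEXT="YES"
    fi
}
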
# skip next test if OpenSSL doesn't support FALLBACK_SCSV
#
# The probe (looking for "fallback_scsv" in the s_client help text) runs
# once; its answer is cached in OPENSSL_HAS_FBSCSV as "YES" or "NO".
requires_openssl_with_fallback_scsv() {
    if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
        # Start from "NO" and upgrade when the help text mentions the option.
        OPENSSL_HAS_FBSCSV="NO"
        if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
        then
            OPENSSL_HAS_FBSCSV="YES"
        fi
    fi

    case "$OPENSSL_HAS_FBSCSV" in
        NO) SKIP_NEXT="YES" ;;
    esac
}

# skip next test if GnuTLS isn't available
#
# Both the client and the server tool must be found by 'which'; the answer
# is cached in GNUTLS_AVAILABLE as "YES" or "NO".
requires_gnutls() {
    if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
        # Start from "NO" and upgrade only when both tools are present.
        GNUTLS_AVAILABLE="NO"
        if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
            GNUTLS_AVAILABLE="YES"
        fi
    fi

    case "$GNUTLS_AVAILABLE" in
        NO) SKIP_NEXT="YES" ;;
    esac
}

# skip next test if IPv6 isn't available on this host
#
# The probe starts $P_SRV bound to ::1 for one second and looks for the
# bind-failure message in its output; the answer is cached in HAS_IPV6.
# Globals: P_SRV, SRV_OUT (read); SRV_PID, HAS_IPV6, SKIP_NEXT (written).
requires_ipv6() {
    if [ -z "${HAS_IPV6:-}" ]; then
        $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
        SRV_PID=$!
        sleep 1
        kill $SRV_PID >/dev/null 2>&1

        # Assume IPv6 works unless the server reported that it could not bind.
        HAS_IPV6="YES"
        if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
            HAS_IPV6="NO"
        fi
        rm -r $SRV_OUT
    fi

    case "$HAS_IPV6" in
        NO) SKIP_NEXT="YES" ;;
    esac
}

# skip the next test if valgrind is in use
#
# Globals: MEMCHECK (read), SKIP_NEXT (set to "YES" when MEMCHECK > 0).
not_with_valgrind() {
    [ "$MEMCHECK" -gt 0 ] || return 0
    SKIP_NEXT="YES"
}

# skip the next test if valgrind is NOT in use
#
# Globals: MEMCHECK (read), SKIP_NEXT (set to "YES" when MEMCHECK is 0).
only_with_valgrind() {
    [ "$MEMCHECK" -eq 0 ] || return 0
    SKIP_NEXT="YES"
}

# multiply the client timeout delay by the given factor for the next test
#
# $1: factor, stored in CLI_DELAY_FACTOR; wait_client_done multiplies
# DOG_DELAY by it and then resets it to 1.
needs_more_time() {
    CLI_DELAY_FACTOR="${1}"
}

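# print_name <name>
#
# Print the test name followed by a dotted leader that pads the line to a
# fixed width, then a space, and count the test in TESTS.
print_name() {
    # The name is data, not a format: a '%' or '\' in a test name must be
    # printed literally.
    printf '%s ' "$1"

    # wc -c also counts the trailing newline, so LEN is 71 minus the length
    # of the name in bytes.
    LEN=$(( 72 - $( printf '%s\n' "$1" | wc -c ) ))

    # Plain counting loop instead of seq, which is not specified by POSIX
    # and on some systems counts downwards when LEN is below 1.
    i=1
    while [ "$i" -le "$LEN" ]; do
        printf '.'
        i=$(( $i + 1 ))
    done
    printf ' '

    TESTS=$(( $TESTS + 1 ))
}
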
# fail <message>
#
# Report the current test as failed: print the message, keep the server,
# client and (when a proxy was used) proxy outputs as o-{srv,cli,pxy}-N.log
# where N is the current value of TESTS, and count the failure in FAILS.
# When USER or LOGNAME is "buildbot" the saved logs are also dumped to
# stdout.
fail() {
    echo "FAIL"
    echo " ! $1"

    mv $SRV_OUT o-srv-${TESTS}.log
    mv $CLI_OUT o-cli-${TESTS}.log
    if [ -n "$PXY_CMD" ]; then
        mv $PXY_OUT o-pxy-${TESTS}.log
    fi
    echo " ! outputs saved to o-XXX-${TESTS}.log"

    if [ "X${USER:-}" = Xbuildbot ] || [ "X${LOGNAME:-}" = Xbuildbot ]; then
        echo " ! server output:"
        cat o-srv-${TESTS}.log
        echo " ! ========================================================"
        echo " ! client output:"
        cat o-cli-${TESTS}.log
        if [ -n "$PXY_CMD" ]; then
            echo " ! ========================================================"
            echo " ! proxy output:"
            cat o-pxy-${TESTS}.log
        fi
        echo ""
    fi

    FAILS=$(( $FAILS + 1 ))
}

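# is_polar <cmd_line>
#
# Succeeds when the command line runs one of this project's own test
# programs (ssl_server2 or ssl_client2), as opposed to OpenSSL or GnuTLS.
is_polar() {
    # Two -e patterns instead of the '\|' alternation, which is a GNU
    # extension to basic regular expressions.
    printf '%s\n' "$1" | grep -e 'ssl_server2' -e 'ssl_client2' > /dev/null
}
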
# openssl s_server doesn't have -www with DTLS
#
# For an "s_server ... -dtls" command line, drop -www from SRV_CMD and set
# NEEDS_INPUT=1 so that provide_input feeds the server; otherwise set
# NEEDS_INPUT=0 and leave SRV_CMD alone.
check_osrv_dtls() {
    NEEDS_INPUT=0
    if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
        NEEDS_INPUT=1
        SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
    fi
}

# provide input to commands that need it
#
# With NEEDS_INPUT=0 this prints nothing and returns at once. Otherwise it
# writes an HTTP status line once per second and never returns on its own.
provide_input() {
    [ $NEEDS_INPUT -eq 0 ] && return

    while :; do
        echo "HTTP/1.0 200 OK"
        sleep 1
    done
}

# has_mem_err <log_file_name>
#
# Returns 0 (true: has errors) unless the log contains both the "no leaks"
# line and the "0 errors" summary line, in which case it returns 1.
has_mem_err() {
    grep -F 'All heap blocks were freed -- no leaks are possible' "$1" > /dev/null ||
        return 0 # true: has errors
    grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" > /dev/null ||
        return 0 # true: has errors
    return 1 # false: does not have errors
}

# wait for server to start: two versions depending on lsof availability
#
# With lsof: poll until SRV_PORT shows up (a UDP socket when DTLS=1, a TCP
# socket in LISTEN state otherwise) or DOG_DELAY seconds have passed, in
# which case "SERVERSTART TIMEOUT" is printed and appended to SRV_OUT.
# Without lsof: sleep for START_DELAY seconds.
wait_server_start() {
    if which lsof >/dev/null 2>&1; then :; else
        sleep "$START_DELAY"
        return
    fi

    # $1 is the lsof protocol selector and $2 the text expected in its
    # output; 'set --' only replaces this function's own positional
    # parameters.
    if [ "$DTLS" -eq 1 ]; then
        set -- UDP UDP
    else
        set -- TCP LISTEN
    fi

    START_TIME=$( date +%s )
    DONE=0

    # make a tight loop, server usually takes less than 1 sec to start
    while [ $DONE -eq 0 ]; do
        if lsof -nbi "$1":"$SRV_PORT" 2>/dev/null | grep "$2" >/dev/null
        then
            DONE=1
        elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
            echo "SERVERSTART TIMEOUT"
            echo "SERVERSTART TIMEOUT" >> $SRV_OUT
            DONE=1
        fi
    done
}

# wait for client to terminate and set CLI_EXIT
# must be called right after starting the client
#
# Globals: DOG_DELAY, CLI_DELAY_FACTOR, CLI_OUT (read);
#          CLI_PID, CLI_DELAY, DOG_PID, CLI_EXIT (written);
#          CLI_DELAY_FACTOR is reset to 1.
wait_client_done() {
    # $! still refers to the client only because nothing else has been put
    # in the background since the caller started it.
    CLI_PID=$!

    # The factor set by needs_more_time applies to one test only.
    CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
    CLI_DELAY_FACTOR=1

    # Watchdog: after CLI_DELAY seconds, leave a marker in the client log
    # (run_test retries when it finds it) and kill the client.
    ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
    DOG_PID=$!

    wait $CLI_PID
    CLI_EXIT=$?

    # The client is done: stop the watchdog and reap it.
    kill $DOG_PID >/dev/null 2>&1
    wait $DOG_PID

    echo "EXIT: $CLI_EXIT" >> $CLI_OUT
}

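# check if the given command uses dtls and sets global variable DTLS
#
# $1: command line. DTLS is set to 1 when it contains "dtls=1", "-dtls1"
# or "-u", and to 0 otherwise.
# NOTE(review): "-u" is matched anywhere in the string, so a path or value
# that happens to contain it would also be detected as DTLS; confirm no
# command line used by the tests does.
detect_dtls() {
    # One -e per alternative instead of '\|', which is a GNU extension to
    # basic regular expressions; -e also keeps the patterns that start with
    # '-' from being read as options.
    if printf '%s\n' "$1" | grep -e 'dtls=1' -e '-dtls1' -e '-u' >/dev/null; then
        DTLS=1
    else
        DTLS=0
    fi
}
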
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options:  -s pattern  pattern that must be present in server output
#           -c pattern  pattern that must be present in client output
#           -u pattern  lines after pattern must be unique in client output
#           -S pattern  pattern that must be absent in server output
#           -C pattern  pattern that must be absent in client output
#           -U pattern  lines after pattern must be unique in server output
#
# Runs one test: starts the optional proxy and the server in the background,
# runs the client under a watchdog, then checks the client exit status and
# the patterns against the captured outputs. Prints SKIP, PASS, or (through
# fail) FAIL, and updates TESTS, SKIPS and FAILS accordingly.
#
# srv_cmd, cli_cmd and proxy_cmd are command strings that are executed as
# given; they are built from this script's own constants and from the
# environment overrides (P_SRV, OPENSSL_CMD, ...).
run_test() {
    NAME="$1"
    shift 1

    # Tests not selected by -f/-e are dropped silently; SKIP_NEXT is reset so
    # that a requires_* call made for this test does not affect the next one.
    if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
    else
        SKIP_NEXT="NO"
        return
    fi

    print_name "$NAME"

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPS=$(( $SKIPS + 1 ))
        return
    fi

    # does this test use a proxy?
    if [ "X$1" = "X-p" ]; then
        PXY_CMD="$2"
        shift 2
    else
        PXY_CMD=""
    fi

    # get commands and client output
    SRV_CMD="$1"
    CLI_CMD="$2"
    CLI_EXPECT="$3"
    shift 3

    # fix client port: the client talks to the proxy when there is one
    if [ -n "$PXY_CMD" ]; then
        CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
    else
        CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
    fi

    # update DTLS variable
    detect_dtls "$SRV_CMD"

    # prepend valgrind to our commands if active
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD"; then
            SRV_CMD="valgrind --leak-check=full $SRV_CMD"
        fi
        if is_polar "$CLI_CMD"; then
            CLI_CMD="valgrind --leak-check=full $CLI_CMD"
        fi
    fi

    # At most two attempts; the second one only happens after a client timeout.
    TIMES_LEFT=2
    while [ $TIMES_LEFT -gt 0 ]; do
        TIMES_LEFT=$(( $TIMES_LEFT - 1 ))

        # run the commands
        if [ -n "$PXY_CMD" ]; then
            echo "$PXY_CMD" > $PXY_OUT
            $PXY_CMD >> $PXY_OUT 2>&1 &
            PXY_PID=$!
            # assume proxy starts faster than server
        fi

        check_osrv_dtls
        echo "$SRV_CMD" > $SRV_OUT
        provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
        SRV_PID=$!
        wait_server_start

        echo "$CLI_CMD" > $CLI_OUT
        # eval is needed because the OpenSSL and GnuTLS client strings (O_CLI,
        # G_CLI) embed an "echo ... |" pipeline. The whole string is parsed as
        # shell code, so it must only ever come from this script and from a
        # trusted environment.
        eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
        wait_client_done

        # terminate the server (and the proxy)
        kill $SRV_PID
        wait $SRV_PID
        if [ -n "$PXY_CMD" ]; then
            kill $PXY_PID >/dev/null 2>&1
            wait $PXY_PID
        fi

        # retry only on timeouts
        if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
            printf "RETRY "
        else
            TIMES_LEFT=0
        fi
    done

    # check if the client and server went at least to the handshake stage
    # (useful to avoid tests with only negative assertions and non-zero
    # expected client exit to incorrectly succeed in case of catastrophic
    # failure)
    if is_polar "$SRV_CMD"; then
        if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi
    if is_polar "$CLI_CMD"; then
        if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi

    # check server exit code
    # NOTE(review): $? here is the status of the 'if is_polar "$CLI_CMD"'
    # statement just above, which is 0 whenever control reaches this line;
    # it is not the status collected by 'wait $SRV_PID' in the retry loop.
    # As written this branch cannot fire, so a server that exits with an
    # error goes unnoticed unless a pattern check catches it. Making the
    # check effective needs the wait status saved right after the wait.
    if [ $? != 0 ]; then
        fail "server fail"
        return
    fi

    # check client exit code
    # Only zero versus non-zero is compared: a non-zero CLI_EXPECT accepts
    # any non-zero client exit status.
    if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
         \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
    then
        fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
        return
    fi

    # check other assertions
    # lines beginning with == are added by valgrind, ignore them
    # Each option consumes two words: the flag and its grep pattern.
    while [ $# -gt 0 ]
    do
        case $1 in
            "-s")
                if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Server output"
                    return
                fi
                ;;

            "-c")
                if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Client output"
                    return
                fi
                ;;

            "-S")
                if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Server output"
                    return
                fi
                ;;

            "-C")
                if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Client output"
                    return
                fi
                ;;

                # The filtering in the following two options (-u and -U) does the following
                #   - ignore valgrind output
                #   - filter out everything but lines right after the pattern occurrences
                #   - keep one of each non-unique line
                #   - count how many lines remain
                # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
                # if there were no duplicates.
            "-U")
                if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Server output"
                    return
                fi
                ;;

            "-u")
                if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Client output"
                    return
                fi
                ;;

            *)
                echo "Unknown test: $1" >&2
                exit 1
        esac
        shift 2
    done

    # check valgrind's results
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
            fail "Server has memory errors"
            return
        fi
        if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
            fail "Client has memory errors"
            return
        fi
    fi

    # if we're here, everything is ok
    echo "PASS"
    rm -f $SRV_OUT $CLI_OUT $PXY_OUT
}

# cleanup
#
# Signal handler (installed with trap for INT, TERM and HUP): remove the
# intermediate files, kill whichever of the server, proxy, client and
# watchdog processes have been recorded, then exit with status 1.
cleanup() {
    rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION

    # A PID variable that was never set expands to the empty string and is
    # skipped; kill failures (process already gone) are ignored.
    for pid in "${SRV_PID:-}" "${PXY_PID:-}" "${CLI_PID:-}" "${DOG_PID:-}"; do
        if [ -n "$pid" ]; then
            kill $pid >/dev/null 2>&1
        fi
    done

    exit 1
}

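#
# MAIN
#

# Run from the directory that holds this script: the default program paths
# and the data_files/ paths used in the command strings are relative.
# Both expansions are quoted so that a checkout path containing whitespace
# does not break the cd.
if cd "$( dirname "$0" )"; then :; else
    echo "cd $( dirname "$0" ) failed" >&2
    exit 1
fi

get_options "$@"

# sanity checks, avoid an avalanche of errors
if [ ! -x "$P_SRV" ]; then
    echo "Command '$P_SRV' is not an executable file"
    exit 1
fi
if [ ! -x "$P_CLI" ]; then
    echo "Command '$P_CLI' is not an executable file"
    exit 1
fi
if [ ! -x "$P_PXY" ]; then
    echo "Command '$P_PXY' is not an executable file"
    exit 1
fi
if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
    echo "Command '$OPENSSL_CMD' not found"
    exit 1
fi

# used by watchdog
MAIN_PID="$$"

# be more patient with valgrind
if [ "$MEMCHECK" -gt 0 ]; then
    START_DELAY=3
    DOG_DELAY=30
else
    START_DELAY=1
    DOG_DELAY=10
fi
CLI_DELAY_FACTOR=1

# Pick a "unique" server port in the range 10000-19999, and a proxy port
# Both are built from the last four digits of this shell's PID (zero-padded);
# nothing here checks that the ports are actually free.
PORT_BASE="0000$$"
PORT_BASE="$( printf '%s' "$PORT_BASE" | tail -c 4 )"
SRV_PORT="1$PORT_BASE"
PXY_PORT="2$PORT_BASE"
unset PORT_BASE

# fix commands to use this port, force IPv4 while at it
# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT localhost"

# Allow SHA-1, because many of our test certificates use it
# (this only changes the test programs' command lines; the tests that check
# the SHA-1 policy pass allow_sha1 explicitly)
P_SRV="$P_SRV allow_sha1=1"
P_CLI="$P_CLI allow_sha1=1"

# Also pick a unique name for intermediate files
# The names are derived from the PID and are created in the current
# directory, i.e. the script's own directory after the cd above.
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"
PXY_OUT="pxy_out.$$"
SESSION="session.$$"

SKIP_NEXT="NO"

# On interruption, remove the intermediate files and kill the children.
trap cleanup INT TERM HUP
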
# Basic test

# Checks that:
# - things work with all ciphersuites active (used with config-full in all.sh)
# - the expected (highest security) parameters are selected
#   ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
# The two negative patterns require that neither side logs "error".
run_test "Default" \
            "$P_SRV debug_level=3" \
            "$P_CLI" \
            0 \
            -s "Protocol is TLSv1.2" \
            -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
            -s "client hello v3, signature_algorithm ext: 6" \
            -s "ECDHE curve: secp521r1" \
            -S "error" \
            -C "error"

# Same default negotiation with dtls=1 on both sides: the server must
# report DTLSv1.2 and the same ciphersuite.
run_test "Default, DTLS" \
            "$P_SRV dtls=1" \
            "$P_CLI dtls=1" \
            0 \
            -s "Protocol is DTLSv1.2" \
            -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"

# Test for uniqueness of IVs in AEAD ciphersuites
# -u and -U fail the test when the line that follows an "IV used" debug line
# appears more than once in the client or the server output respectively,
# over 20 exchanges.
run_test "Unique IV in GCM" \
            "$P_SRV exchanges=20 debug_level=4" \
            "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
            0 \
            -u "IV used" \
            -U "IV used"

Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100623# Tests for rc4 option
624
Simon Butcher6eb066e2016-05-19 22:12:18 +0100625requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100626run_test "RC4: server disabled, client enabled" \
627 "$P_SRV" \
628 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
629 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100630 -s "SSL - The server has no ciphersuites in common"
631
Simon Butcher6eb066e2016-05-19 22:12:18 +0100632requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100633run_test "RC4: server half, client enabled" \
634 "$P_SRV arc4=1" \
635 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
636 1 \
637 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100638
639run_test "RC4: server enabled, client disabled" \
640 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
641 "$P_CLI" \
642 1 \
643 -s "SSL - The server has no ciphersuites in common"
644
645run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100646 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100647 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
648 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100649 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100650 -S "SSL - The server has no ciphersuites in common"
651
Gilles Peskineae765992017-05-09 15:59:24 +0200652# Tests for SHA-1 support
653
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200654requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200655run_test "SHA-1 forbidden by default in server certificate" \
656 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
657 "$P_CLI debug_level=2 allow_sha1=0" \
658 1 \
659 -c "The certificate is signed with an unacceptable hash"
660
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200661requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
662run_test "SHA-1 forbidden by default in server certificate" \
663 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
664 "$P_CLI debug_level=2 allow_sha1=0" \
665 0
666
Gilles Peskineae765992017-05-09 15:59:24 +0200667run_test "SHA-1 explicitly allowed in server certificate" \
668 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
669 "$P_CLI allow_sha1=1" \
670 0
671
672run_test "SHA-256 allowed by default in server certificate" \
673 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
674 "$P_CLI allow_sha1=0" \
675 0
676
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200677requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200678run_test "SHA-1 forbidden by default in client certificate" \
679 "$P_SRV auth_mode=required allow_sha1=0" \
680 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
681 1 \
682 -s "The certificate is signed with an unacceptable hash"
683
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200684requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
685run_test "SHA-1 forbidden by default in client certificate" \
686 "$P_SRV auth_mode=required allow_sha1=0" \
687 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
688 0
689
Gilles Peskineae765992017-05-09 15:59:24 +0200690run_test "SHA-1 explicitly allowed in client certificate" \
691 "$P_SRV auth_mode=required allow_sha1=1" \
692 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
693 0
694
695run_test "SHA-256 allowed by default in client certificate" \
696 "$P_SRV auth_mode=required allow_sha1=0" \
697 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
698 0
699
# Tests for Truncated HMAC extension
#
# Each test forces a CBC-SHA ciphersuite on the client and inspects the
# server's debug dump of the computed MAC: 20 bytes is the full HMAC-SHA1
# output, 10 bytes the truncated form. Truncation shortens the integrity
# tag, so the expectations pin that it is used only when BOTH peers
# enable it (last test); every other combination must keep 20 bytes.

run_test "Truncated HMAC: client default, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

run_test "Truncated HMAC: client disabled, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     trunc_hmac=0" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

# A client request alone is not enough: the server default leaves it off.
run_test "Truncated HMAC: client enabled, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     trunc_hmac=1" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

run_test "Truncated HMAC: client enabled, server disabled" \
    "$P_SRV debug_level=4 trunc_hmac=0" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     trunc_hmac=1" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

# The only combination where the 10-byte MAC must appear.
run_test "Truncated HMAC: client enabled, server enabled" \
    "$P_SRV debug_level=4 trunc_hmac=1" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     trunc_hmac=1" \
    0 \
    -S "dumping 'computed mac' (20 bytes)" \
    -s "dumping 'computed mac' (10 bytes)"
740
# Tests for Encrypt-then-MAC extension
#
# The expectations below pin that encrypt-then-MAC is in use only when both
# peers enable it AND a CBC ciphersuite is negotiated. With an AEAD or
# stream ciphersuite, or with SSLv3, the server must not echo the extension
# and neither side may log "using encrypt then mac".

# Defaults on both sides with a CBC suite: extension offered, echoed, used.
run_test "Encrypt then MAC: default" \
    "$P_SRV debug_level=3 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -s "server hello, adding encrypt then mac extension" \
    -c "found encrypt_then_mac extension" \
    -c "using encrypt then mac" \
    -s "using encrypt then mac"

# Server sees the offer but, with etm=0, must not accept it.
run_test "Encrypt then MAC: client enabled, server disabled" \
    "$P_SRV debug_level=3 etm=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 etm=1" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# GCM suite: both sides have etm=1, yet the extension must not be echoed.
run_test "Encrypt then MAC: client enabled, aead cipher" \
    "$P_SRV debug_level=3 etm=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI debug_level=3 etm=1" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# RC4 suite (client needs arc4=1 to offer it): same outcome as for AEAD.
run_test "Encrypt then MAC: client enabled, stream cipher" \
    "$P_SRV debug_level=3 etm=1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Client never offers the extension, so nothing may be logged on either side.
run_test "Encrypt then MAC: client disabled, server enabled" \
    "$P_SRV debug_level=3 etm=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 etm=0" \
    0 \
    -C "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# SSLv3 forced on the client: the extension must not even be offered.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client SSLv3, server enabled" \
    "$P_SRV debug_level=3 min_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 force_version=ssl3" \
    0 \
    -C "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# SSLv3 forced on the server: the client offers the extension, but the
# server must not report finding it, let alone echo it.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client enabled, server SSLv3" \
    "$P_SRV debug_level=3 force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 min_version=ssl3" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"
828
# Tests for Extended Master Secret extension
#
# Pinned behaviour: the extended master secret is used only when the client
# offers the extension and the server echoes it. If either side has it
# disabled, or SSLv3 is in play, the handshake still succeeds (exit 0) but
# neither side may log "using extended master secret".

run_test "Extended Master Secret: default" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -s "found extended master secret extension" \
    -s "server hello, adding extended master secret extension" \
    -c "found extended_master_secret extension" \
    -c "using extended master secret" \
    -s "using extended master secret"

# Offer is received by the server but must not be accepted.
run_test "Extended Master Secret: client enabled, server disabled" \
    "$P_SRV debug_level=3 extended_ms=0" \
    "$P_CLI debug_level=3 extended_ms=1" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -s "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# No offer from the client: the server must not add the extension unasked.
run_test "Extended Master Secret: client disabled, server enabled" \
    "$P_SRV debug_level=3 extended_ms=1" \
    "$P_CLI debug_level=3 extended_ms=0" \
    0 \
    -C "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# SSLv3 forced on the client: extension is not offered at all.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client SSLv3, server enabled" \
    "$P_SRV debug_level=3 min_version=ssl3" \
    "$P_CLI debug_level=3 force_version=ssl3" \
    0 \
    -C "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# SSLv3 forced on the server: the client's offer must be ignored.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client enabled, server SSLv3" \
    "$P_SRV debug_level=3 force_version=ssl3" \
    "$P_CLI debug_level=3 min_version=ssl3" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"
887
# Tests for FALLBACK_SCSV
#
# FALLBACK_SCSV is the downgrade-protection signal: a client that retries
# with a lower protocol version marks the ClientHello, and a server that
# supports something higher must abort with alert 86. These four tests use
# the library's own client and server.
# The pattern "inapropriate fallback" is matched against program output, so
# its spelling must stay exactly as written here.

# Client does not send the SCSV by default, even when forced to TLS 1.1.
run_test "Fallback SCSV: default" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

run_test "Fallback SCSV: explicitly disabled" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

# SCSV sent below the server's best version: the handshake must fail
# (exit 1) and the client must see fatal alert 86.
run_test "Fallback SCSV: enabled" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
    1 \
    -c "adding FALLBACK_SCSV" \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback" \
    -c "is a fatal alert message (msg 86)"

# SCSV sent without forcing a lower version: the server receives it but
# has no reason to reject, so the handshake succeeds.
run_test "Fallback SCSV: enabled, max version" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 fallback=1" \
    0 \
    -c "adding FALLBACK_SCSV" \
    -s "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"
925
# FALLBACK_SCSV interoperability with OpenSSL. Each test is gated by
# requires_openssl_with_fallback_scsv (defined elsewhere in this script),
# presumably so it is skipped when the local openssl lacks SCSV support.

# Library client against an OpenSSL server.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: default, openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -C "is a fatal alert message (msg 86)"

# OpenSSL must refuse the marked TLS 1.1 hello with alert 86.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
    1 \
    -c "adding FALLBACK_SCSV" \
    -c "is a fatal alert message (msg 86)"

# OpenSSL client against the library server.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: disabled, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -tls1_1" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"

# Marked TLS 1.1 hello from OpenSSL: the server must reject it (exit 1).
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -tls1_1 -fallback_scsv" \
    1 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

# Marked hello at the client's maximum version: received, not rejected.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, max version, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -fallback_scsv" \
    0 \
    -s "received FALLBACK_SCSV" \
    -S "inapropriate fallback"
965
## The ClientHello used below was produced with
## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
## and its ciphersuite list was then edited by hand.
## It is written as one hex string laid out as
## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
## 5600 is the TLS_FALLBACK_SCSV ciphersuite value; the tests move it to
## the first or last slot to check that the server scans the whole list.
## The expected response is an inappropriate_fallback alert: read as a TLS
## record, '15030200020256' is an alert (15), version 0302, length 0002,
## level 02 (fatal), description 56 hex = 86.
## These tests expect exit status 0; presumably the raw TCP client
## succeeds when the server's reply matches the expected bytes.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: beginning of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: end of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

## Negative control: 0056 has the SCSV's two bytes swapped and is not the
## signalling value, so the server must not treat it as one. The expected
## response is a valid ServerHello prefix, up to the random.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: not in list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"
996
# Tests for CBC 1/n-1 record splitting
#
# 1/n-1 splitting sends the first byte of application data in its own
# record; it is the usual countermeasure to the predictable-IV weakness of
# CBC suites in SSLv3 and TLS 1.0 (the BEAST attack). With a 123-byte
# request the server therefore reads either one 123-byte record (no split)
# or a 1-byte record followed by a 122-byte one (split). The tests pin
# splitting to CBC under TLS 1.0 / SSLv3 only, and check that recsplit=0
# turns it off.

run_test "CBC Record splitting: TLS 1.2, no splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1_2" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.1, no splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1_1" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

# TLS 1.0 with a CBC suite: the split must happen by default.
run_test "CBC Record splitting: TLS 1.0, splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "CBC Record splitting: SSLv3, splitting" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=ssl3" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

# Stream cipher under TLS 1.0: not a CBC suite, so no split is expected.
run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
     request_size=123 force_version=tls1" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

# recsplit=0 removes the countermeasure even for TLS 1.0 CBC.
run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1 recsplit=0" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

# Same as the TLS 1.0 splitting case, with nbio=2 on both ends.
run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
    "$P_SRV nbio=2" \
    "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"
1062
# Tests for Session Tickets
#
# Each test connects twice (reconnect=1, or two openssl runs) and checks
# from the logs which mechanism, if any, restored the session. The
# security-relevant case is the timeout test: an expired ticket must not
# resume a session.

# Ticket negotiated and used; the server cache must not be the source.
run_test "Session resume using tickets: basic" \
    "$P_SRV debug_level=3 tickets=1" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# cache_max=0 on the server: resumption must still work through the ticket.
run_test "Session resume using tickets: cache disabled" \
    "$P_SRV debug_level=3 tickets=1 cache_max=0" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# ticket_timeout=1 with reco_delay=2: the ticket has expired by the time the
# client reconnects. The connection still succeeds (exit 0), but nothing
# may be resumed on either side.
run_test "Session resume using tickets: timeout" \
    "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

# Interop: library client resuming against an OpenSSL server.
run_test "Session resume using tickets: openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -c "a session has been resumed"

# Interop: OpenSSL client saves its session to $SESSION on the first run,
# reloads it on the second, and the file is removed afterwards.
# $SESSION is set elsewhere in this script; it is expanded unquoted inside
# the command string, so it is assumed to contain no whitespace.
run_test "Session resume using tickets: openssl client" \
    "$P_SRV debug_level=3 tickets=1" \
    "( $O_CLI -sess_out $SESSION; \
     $O_CLI -sess_in $SESSION; \
     rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed"
1127
# Tests for Session Resume based on session-ID and cache
#
# Tickets are disabled on at least one side in every test here, so any
# resumption has to come from the server-side cache. The cache_max and
# cache_timeout cases pin the limits: an empty or expired cache must lead
# to a full handshake, not a resumed session.

# Client offers a ticket, server has tickets=0: fall back to the cache.
run_test "Session resume using cache: tickets enabled on client" \
    "$P_SRV debug_level=3 tickets=0" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# Server supports tickets, client has tickets=0: no ticket traffic at all.
run_test "Session resume using cache: tickets enabled on server" \
    "$P_SRV debug_level=3 tickets=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "client hello, adding session ticket extension" \
    -S "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# cache_max=0: nothing is cached, so nothing may be resumed.
run_test "Session resume using cache: cache_max=0" \
    "$P_SRV debug_level=3 tickets=0 cache_max=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using cache: cache_max=1" \
    "$P_SRV debug_level=3 tickets=0 cache_max=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# Immediate reconnect (reco_delay=0) with the server's default timeout.
run_test "Session resume using cache: timeout > delay" \
    "$P_SRV debug_level=3 tickets=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# cache_timeout=1 with reco_delay=2: the entry has expired, no resumption.
run_test "Session resume using cache: timeout < delay" \
    "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

# cache_timeout=0: the test name and expectations indicate entries do not
# expire, so the session is resumed even after the 2-second delay.
run_test "Session resume using cache: no timeout" \
    "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# Interop: OpenSSL client saves its session to $SESSION, reloads it on the
# second run, then removes the file. $SESSION is set elsewhere in this
# script and is expanded unquoted inside the command string.
run_test "Session resume using cache: openssl client" \
    "$P_SRV debug_level=3 tickets=0" \
    "( $O_CLI -sess_out $SESSION; \
     $O_CLI -sess_in $SESSION; \
     rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed"

# Interop: library client with tickets=0 resuming against an OpenSSL server.
run_test "Session resume using cache: openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -c "a session has been resumed"
1222
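# Tests for Max Fragment Length extension

# The fragment-length tests hard-code 16384 in the log lines they expect,
# so stop early when the build is configured with a different
# MBEDTLS_SSL_MAX_CONTENT_LEN instead of reporting misleading failures.
# config.pl is invoked through a relative path, so this presumably relies on
# the script being run from its own directory.
MAX_CONTENT_LEN_EXPECT='16384'
MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)

# An empty result (option not set in the configuration) skips the check.
# NOTE(review): a non-numeric value makes the -ne test error out and evaluate
# false, so the script carries on without the guard having fired.
if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
    # Variables are passed as printf arguments, never inside the format
    # string, so a '%' or backslash in CONFIG_H cannot alter the output.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_CONTENT_LEN_EXPECT}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi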
1239
# Max fragment length behaviour with and without the extension compiled in.
# 16384 is the value both sides report when nothing is negotiated. A
# 16385-byte request is one byte over it: over TLS the client writes it in
# two fragments, while with dtls=1 the client is expected to fail (exit 1)
# with a "fragment larger than ... maximum" message.

# Nothing requested: both sides report 16384 and no extension is exchanged.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: enabled, default" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension"

# One byte over the limit: written as 16384 + 1 bytes.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: enabled, default, larger message" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 request_size=16385" \
    0 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension" \
    -c "16385 bytes written in 2 fragments" \
    -s "16384 bytes read" \
    -s "1 bytes read"

# Same oversized request over DTLS: the client must refuse to send it.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length, DTLS: enabled, default, larger message" \
    "$P_SRV debug_level=3 dtls=1" \
    "$P_CLI debug_level=3 dtls=1 request_size=16385" \
    1 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension" \
    -c "fragment larger than.*maximum "

# Extension compiled out: the "Maximum fragment length" lines are absent,
# but the oversized request is still split in two over TLS.
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: disabled, larger message" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 request_size=16385" \
    0 \
    -C "Maximum fragment length is 16384" \
    -S "Maximum fragment length is 16384" \
    -c "16385 bytes written in 2 fragments" \
    -s "16384 bytes read" \
    -s "1 bytes read"

# Extension compiled out, DTLS: the oversized request still fails.
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length DTLS: disabled, larger message" \
    "$P_SRV debug_level=3 dtls=1" \
    "$P_CLI debug_level=3 dtls=1 request_size=16385" \
    1 \
    -C "Maximum fragment length is 16384" \
    -S "Maximum fragment length is 16384" \
    -c "fragment larger than.*maximum "

# Client asks for 4096: the extension is exchanged and both sides adopt it.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: used by client" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 max_frag_len=4096" \
    0 \
    -c "Maximum fragment length is 4096" \
    -s "Maximum fragment length is 4096" \
    -c "client hello, adding max_fragment_length extension" \
    -s "found max fragment length extension" \
    -s "server hello, max_fragment_length extension" \
    -c "found max_fragment_length extension"

# max_frag_len on the server only: it limits the server locally (4096), but
# no extension is sent and the client stays at 16384.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: used by server" \
    "$P_SRV debug_level=3 max_frag_len=4096" \
    "$P_CLI debug_level=3" \
    0 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 4096" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001323
Hanno Becker05607782017-09-18 15:00:34 +01001324requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001325requires_gnutls
1326run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001327 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001328 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001329 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001330 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001331 -c "client hello, adding max_fragment_length extension" \
1332 -c "found max_fragment_length extension"
1333
Hanno Becker05607782017-09-18 15:00:34 +01001334requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001335run_test "Max fragment length: client, message just fits" \
1336 "$P_SRV debug_level=3" \
1337 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1338 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001339 -c "Maximum fragment length is 2048" \
1340 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001341 -c "client hello, adding max_fragment_length extension" \
1342 -s "found max fragment length extension" \
1343 -s "server hello, max_fragment_length extension" \
1344 -c "found max_fragment_length extension" \
1345 -c "2048 bytes written in 1 fragments" \
1346 -s "2048 bytes read"
1347
Hanno Becker05607782017-09-18 15:00:34 +01001348requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001349run_test "Max fragment length: client, larger message" \
1350 "$P_SRV debug_level=3" \
1351 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1352 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001353 -c "Maximum fragment length is 2048" \
1354 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001355 -c "client hello, adding max_fragment_length extension" \
1356 -s "found max fragment length extension" \
1357 -s "server hello, max_fragment_length extension" \
1358 -c "found max_fragment_length extension" \
1359 -c "2345 bytes written in 2 fragments" \
1360 -s "2048 bytes read" \
1361 -s "297 bytes read"
1362
Hanno Becker05607782017-09-18 15:00:34 +01001363requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +00001364run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001365 "$P_SRV debug_level=3 dtls=1" \
1366 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1367 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001368 -c "Maximum fragment length is 2048" \
1369 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001370 -c "client hello, adding max_fragment_length extension" \
1371 -s "found max fragment length extension" \
1372 -s "server hello, max_fragment_length extension" \
1373 -c "found max_fragment_length extension" \
1374 -c "fragment larger than.*maximum"
1375
# Tests for renegotiation

# Baseline without any renegotiation request: the initial handshake still
# carries the secure-renegotiation signalling (the server logs
# TLS_EMPTY_RENEGOTIATION_INFO and sends the extension), but neither side
# logs "=> renegotiate" and no hello request is written.
run_test    "Renegotiation: none, for reference" \
            "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2" \
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -C "=> renegotiate" \
            -S "=> renegotiate" \
            -S "write hello request"

# Client starts the renegotiation (renegotiate=1 on the client): both sides
# renegotiate and the server writes no hello request.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: client-initiated" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -S "write hello request"

# Server starts the renegotiation (renegotiate=1 on the server): the hello
# request is expected in the server log.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: server-initiated" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request"

# Checks that no signature algorithm using SHA-1 gets negotiated during a
# client-initiated renegotiation. Negotiating SHA-1 would mean that the server
# did not parse the Signature Algorithms extension. This test is valid only if
# an MD algorithm stronger than SHA-1 is enabled in config.h.
# NOTE(review): the trailing "2" in the last pattern is presumably the TLS
# HashAlgorithm id, where 2 is SHA-1; confirm against the server's debug
# message.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: Signature Algorithms parsing, client-initiated" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -S "write hello request" \
            -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?

# Same SHA-1 check for a server-initiated renegotiation; the validity
# condition above (an MD algorithm stronger than SHA-1 enabled in config.h)
# applies here as well.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: Signature Algorithms parsing, server-initiated" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request" \
            -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?

# Both peers set renegotiate=1: renegotiation is expected on both sides and
# the server still writes its hello request.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: double" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request"

# Server runs with renegotiation=0: the client's attempt is expected to fail
# (status 1) with the "Unexpected message at ServerHello" error, and the
# server must never log "=> renegotiate".
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: client-initiated, server-rejected" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
            1 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -S "=> renegotiate" \
            -S "write hello request" \
            -c "SSL - Unexpected message at ServerHello in renegotiation" \
            -c "failed"

# Client runs with renegotiation=0 and the server keeps its default
# renego_delay: the hello request is written, nobody renegotiates, and the
# server log must contain neither the unexpected-message error nor "failed".
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: server-initiated, client-rejected, default" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -C "=> renegotiate" \
            -S "=> renegotiate" \
            -s "write hello request" \
            -S "SSL - An unexpected message was received from our peer" \
            -S "failed"

# Server-initiated renegotiation with different renego_delay values.
# In the first three cases the client runs with renegotiation=0 and ignores
# the hello request; what changes is whether the server treats that as an
# error.

# renego_delay=-1 ("not enforced" per the test name): no error is expected in
# the server log.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: server-initiated, client-rejected, not enforced" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
             renego_delay=-1 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -C "=> renegotiate" \
            -S "=> renegotiate" \
            -s "write hello request" \
            -S "SSL - An unexpected message was received from our peer" \
            -S "failed"

# delay 2 for 1 alert record + 1 application data record
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: server-initiated, client-rejected, delay 2" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
             renego_delay=2 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -C "=> renegotiate" \
            -S "=> renegotiate" \
            -s "write hello request" \
            -S "SSL - An unexpected message was received from our peer" \
            -S "failed"

# renego_delay=0: the server is expected to log the unexpected-message error
# once the client ignores the request; the expected status argument stays 0.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: server-initiated, client-rejected, delay 0" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
             renego_delay=0 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -C "=> renegotiate" \
            -S "=> renegotiate" \
            -s "write hello request" \
            -s "SSL - An unexpected message was received from our peer"

# renego_delay=0 with a client that accepts (renegotiation=1): renegotiation
# happens on both sides and no error is expected.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: server-initiated, client-accepted, delay 0" \
            "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
             renego_delay=0 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request" \
            -S "SSL - An unexpected message was received from our peer" \
            -S "failed"

# Periodic renegotiation: the server runs with renego_period=3 and the number
# of client exchanges decides whether the record counter limit is reached.

# Two client exchanges: the limit must not be reached and nothing renegotiates.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: periodic, just below period" \
            "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -S "record counter limit reached: renegotiate" \
            -C "=> renegotiate" \
            -S "=> renegotiate" \
            -S "write hello request" \
            -S "SSL - An unexpected message was received from our peer" \
            -S "failed"

# one extra exchange to be able to complete renego
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: periodic, just above period" \
            "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -s "record counter limit reached: renegotiate" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request" \
            -S "SSL - An unexpected message was received from our peer" \
            -S "failed"

# Seven client exchanges; the assertions are the same as in the previous case.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: periodic, two times period" \
            "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -s "record counter limit reached: renegotiate" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request" \
            -S "SSL - An unexpected message was received from our peer" \
            -S "failed"

# Server has renegotiation=0: even above the period the counter limit message
# and the hello request must not appear.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: periodic, above period, disabled" \
            "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
            "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -S "record counter limit reached: renegotiate" \
            -C "=> renegotiate" \
            -S "=> renegotiate" \
            -S "write hello request" \
            -S "SSL - An unexpected message was received from our peer" \
            -S "failed"

# Renegotiation with nbio=2 set on both peers (non-blocking I/O, going by the
# test names); the log assertions match the blocking client- and
# server-initiated cases.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: nbio, client-initiated" \
            "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
            "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -S "write hello request"

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: nbio, server-initiated" \
            "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
            "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request"

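# Client-initiated renegotiation against OpenSSL and GnuTLS servers.
#
# The negative handshake-failure assertion in the passing cases used to be
# spelled "ssl_hanshake() returned". No log line can contain that misspelling,
# so the assertion could never fail a run. It now reads
# "ssl_handshake() returned", which is a substring of the
# "mbedtls_ssl_handshake() returned" line that the failing GnuTLS cases in this
# group expect in the client log.

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: openssl server, client-initiated" \
            "$O_SRV -www" \
            "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "ssl_handshake() returned" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

# GnuTLS server that insists on safe renegotiation (%SAFE_RENEGOTIATION).
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: gnutls server strict, client-initiated" \
            "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "ssl_handshake() returned" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

# GnuTLS server with %DISABLE_SAFE_RENEGOTIATION: the client never sees the
# renegotiation extension. With the client's default setting, and with
# allow_legacy=0, the renegotiation attempt is expected to fail (status 1, no
# HTTP response). Only the explicit allow_legacy=1 opt-in lets it succeed.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: gnutls server unsafe, client-initiated default" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
            1 \
            -c "client hello, adding renegotiation extension" \
            -C "found renegotiation extension" \
            -c "=> renegotiate" \
            -c "mbedtls_ssl_handshake() returned" \
            -c "error" \
            -C "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
             allow_legacy=0" \
            1 \
            -c "client hello, adding renegotiation extension" \
            -C "found renegotiation extension" \
            -c "=> renegotiate" \
            -c "mbedtls_ssl_handshake() returned" \
            -c "error" \
            -C "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: gnutls server unsafe, client-inititated legacy" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
             allow_legacy=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -C "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "ssl_handshake() returned" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"
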
# Renegotiation over DTLS (dtls=1 on the peers under test).

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: DTLS, client-initiated" \
            "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
            "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -S "write hello request"

# The client additionally sets read_timeout=1000 and max_resend=2 here.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: DTLS, server-initiated" \
            "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
            "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
             read_timeout=1000 max_resend=2" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request"

# renego_period=18446462598732840962 is 0xFFFF000000000002: the upper 16 bits
# are all ones and the lower 48 bits hold 2. The server is still expected to
# reach the record counter limit and renegotiate.
# NOTE(review): presumably this guards the period comparison against the
# 16-bit epoch that DTLS keeps in the top of its 64-bit record counter;
# confirm against the library code.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: DTLS, renego_period overflow" \
            "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
            "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -s "record counter limit reached: renegotiate" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request"

# GnuTLS server over UDP (-u --mtu 4096); success is checked through the
# client log plus the "Extra-header:" line expected in the server output.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "Renegotiation: DTLS, gnutls server, client-initiated" \
            "$G_SRV -u --mtu 4096" \
            "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "mbedtls_ssl_handshake returned" \
            -C "error" \
            -s "Extra-header:"

# Test for the "secure renegotiation" extension only (no actual renegotiation)
#
# What these cases pin down: with default settings a handshake with a peer
# that does not send the extension still succeeds (status 0). Only
# allow_legacy=-1 ("break legacy" in the test names) makes the handshake fail
# against such a peer (status 1).

requires_gnutls
run_test    "Renego ext: gnutls server strict, client default" \
            "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3" \
            0 \
            -c "found renegotiation extension" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
run_test    "Renego ext: gnutls server unsafe, client default" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3" \
            0 \
            -C "found renegotiation extension" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
run_test    "Renego ext: gnutls server unsafe, client break legacy" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 allow_legacy=-1" \
            1 \
            -C "found renegotiation extension" \
            -c "error" \
            -C "HTTP/1.0 200 [Oo][Kk]"

# Same three situations with the roles swapped (GnuTLS client). The server may
# learn about support from either of the two log lines, hence the alternation
# in the first pattern.
requires_gnutls
run_test    "Renego ext: gnutls client strict, server default" \
            "$P_SRV debug_level=3" \
            "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
            0 \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
            -s "server hello, secure renegotiation extension"

requires_gnutls
run_test    "Renego ext: gnutls client unsafe, server default" \
            "$P_SRV debug_level=3" \
            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            0 \
            -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
            -S "server hello, secure renegotiation extension"

requires_gnutls
run_test    "Renego ext: gnutls client unsafe, server break legacy" \
            "$P_SRV debug_level=3 allow_legacy=-1" \
            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            1 \
            -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
            -S "server hello, secure renegotiation extension"

Janos Follath365b2262016-02-17 10:11:21 +00001841# Tests for silently dropping trailing extra bytes in .der certificates
1842
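# Each case starts the server with a DER-encoded certificate file
# (server5-der*.crt) and requires a GnuTLS client to complete the handshake.
# Per the test titles the files differ only in the bytes that follow the
# certificate, so a passing run pins the lenient behaviour: trailing bytes in
# a .der file are dropped silently instead of the file being rejected.
# NOTE(review): only acceptance is asserted here; no case checks that a file
# with trailing data is ever refused, so a stricter loader would need these
# expectations revisited.
#
# The last argument of each call carries no trailing backslash. A dangling
# continuation would rely on the following blank line to end the command; if
# that blank line were removed, the next requires_gnutls would be absorbed as
# run_test arguments and the next test would run without its guard.

requires_gnutls
run_test    "DER format: no trailing bytes" \
            "$P_SRV crt_file=data_files/server5-der0.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with a trailing zero byte" \
            "$P_SRV crt_file=data_files/server5-der1a.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with a trailing random byte" \
            "$P_SRV crt_file=data_files/server5-der1b.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with 2 trailing random bytes" \
            "$P_SRV crt_file=data_files/server5-der2.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with 4 trailing random bytes" \
            "$P_SRV crt_file=data_files/server5-der4.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with 8 trailing random bytes" \
            "$P_SRV crt_file=data_files/server5-der8.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with 9 trailing random bytes" \
            "$P_SRV crt_file=data_files/server5-der9.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"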
1898
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001899# Tests for auth_mode
1900
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001901run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001902 "$P_SRV crt_file=data_files/server5-badsign.crt \
1903 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001904 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001905 1 \
1906 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01001907 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001908 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001909 -c "X509 - Certificate verification failed"
1910
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001911run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001912 "$P_SRV crt_file=data_files/server5-badsign.crt \
1913 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001914 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001915 0 \
1916 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01001917 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001918 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001919 -C "X509 - Certificate verification failed"
1920
Hanno Becker61c0c702017-05-15 16:05:15 +01001921run_test "Authentication: server goodcert, client optional, no trusted CA" \
1922 "$P_SRV" \
1923 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1924 0 \
1925 -c "x509_verify_cert() returned" \
1926 -c "! The certificate is not correctly signed by the trusted CA" \
1927 -c "! Certificate verification flags"\
1928 -C "! mbedtls_ssl_handshake returned" \
1929 -C "X509 - Certificate verification failed" \
1930 -C "SSL - No CA Chain is set, but required to operate"
1931
1932run_test "Authentication: server goodcert, client required, no trusted CA" \
1933 "$P_SRV" \
1934 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1935 1 \
1936 -c "x509_verify_cert() returned" \
1937 -c "! The certificate is not correctly signed by the trusted CA" \
1938 -c "! Certificate verification flags"\
1939 -c "! mbedtls_ssl_handshake returned" \
1940 -c "SSL - No CA Chain is set, but required to operate"
1941
1942# The purpose of the next two tests is to test the client's behaviour when receiving a server
1943# certificate with an unsupported elliptic curve. This should usually not happen because
1944# the client informs the server about the supported curves - it does, though, in the
1945# corner case of a static ECDH suite, because the server doesn't check the curve on that
1946# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1947# different means to have the server ignoring the client's supported curve list.
1948
1949requires_config_enabled MBEDTLS_ECP_C
1950run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1951 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1952 crt_file=data_files/server5.ku-ka.crt" \
1953 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1954 1 \
1955 -c "bad certificate (EC key curve)"\
1956 -c "! Certificate verification flags"\
1957 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1958
1959requires_config_enabled MBEDTLS_ECP_C
1960run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1961 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1962 crt_file=data_files/server5.ku-ka.crt" \
1963 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1964 1 \
1965 -c "bad certificate (EC key curve)"\
1966 -c "! Certificate verification flags"\
1967 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1968
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001969run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +01001970 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001971 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001972 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001973 0 \
1974 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01001975 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001976 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001977 -C "X509 - Certificate verification failed"
1978
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001979run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001980 "$P_SRV debug_level=3 auth_mode=required" \
1981 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001982 key_file=data_files/server5.key" \
1983 1 \
1984 -S "skip write certificate request" \
1985 -C "skip parse certificate request" \
1986 -c "got a certificate request" \
1987 -C "skip write certificate" \
1988 -C "skip write certificate verify" \
1989 -S "skip parse certificate verify" \
1990 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02001991 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001992 -s "! mbedtls_ssl_handshake returned" \
1993 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001994 -s "X509 - Certificate verification failed"
1995
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001996run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001997 "$P_SRV debug_level=3 auth_mode=optional" \
1998 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001999 key_file=data_files/server5.key" \
2000 0 \
2001 -S "skip write certificate request" \
2002 -C "skip parse certificate request" \
2003 -c "got a certificate request" \
2004 -C "skip write certificate" \
2005 -C "skip write certificate verify" \
2006 -S "skip parse certificate verify" \
2007 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002008 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002009 -S "! mbedtls_ssl_handshake returned" \
2010 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002011 -S "X509 - Certificate verification failed"
2012
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002013run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002014 "$P_SRV debug_level=3 auth_mode=none" \
2015 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002016 key_file=data_files/server5.key" \
2017 0 \
2018 -s "skip write certificate request" \
2019 -C "skip parse certificate request" \
2020 -c "got no certificate request" \
2021 -c "skip write certificate" \
2022 -c "skip write certificate verify" \
2023 -s "skip parse certificate verify" \
2024 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002025 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002026 -S "! mbedtls_ssl_handshake returned" \
2027 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002028 -S "X509 - Certificate verification failed"
2029
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002030run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002031 "$P_SRV debug_level=3 auth_mode=optional" \
2032 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002033 0 \
2034 -S "skip write certificate request" \
2035 -C "skip parse certificate request" \
2036 -c "got a certificate request" \
2037 -C "skip write certificate$" \
2038 -C "got no certificate to send" \
2039 -S "SSLv3 client has no certificate" \
2040 -c "skip write certificate verify" \
2041 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002042 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002043 -S "! mbedtls_ssl_handshake returned" \
2044 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002045 -S "X509 - Certificate verification failed"
2046
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002047run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002048 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002049 "$O_CLI" \
2050 0 \
2051 -S "skip write certificate request" \
2052 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002053 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002054 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002055 -S "X509 - Certificate verification failed"
2056
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002057run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002058 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002059 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002060 0 \
2061 -C "skip parse certificate request" \
2062 -c "got a certificate request" \
2063 -C "skip write certificate$" \
2064 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002065 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002066
Janos Follath542ee5d2016-03-07 15:57:05 +00002067requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002068run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002069 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01002070 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002071 0 \
2072 -S "skip write certificate request" \
2073 -C "skip parse certificate request" \
2074 -c "got a certificate request" \
2075 -C "skip write certificate$" \
2076 -c "skip write certificate verify" \
2077 -c "got no certificate to send" \
2078 -s "SSLv3 client has no certificate" \
2079 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002080 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002081 -S "! mbedtls_ssl_handshake returned" \
2082 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002083 -S "X509 - Certificate verification failed"
2084
Manuel Pégourié-Gonnard591035d2017-06-26 10:45:33 +02002085run_test "Authentication: server max_int chain, client default" \
2086 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2087 key_file=data_files/dir-maxpath/09.key" \
2088 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2089 0 \
2090 -C "X509 - A fatal error occured"
2091
2092run_test "Authentication: server max_int+1 chain, client default" \
2093 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2094 key_file=data_files/dir-maxpath/10.key" \
2095 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2096 1 \
2097 -c "X509 - A fatal error occured"
2098
2099run_test "Authentication: server max_int+1 chain, client optional" \
2100 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2101 key_file=data_files/dir-maxpath/10.key" \
2102 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2103 auth_mode=optional" \
2104 1 \
2105 -c "X509 - A fatal error occured"
2106
2107run_test "Authentication: server max_int+1 chain, client none" \
2108 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2109 key_file=data_files/dir-maxpath/10.key" \
2110 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2111 auth_mode=none" \
2112 0 \
2113 -C "X509 - A fatal error occured"
2114
2115run_test "Authentication: client max_int+1 chain, server default" \
2116 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2117 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2118 key_file=data_files/dir-maxpath/10.key" \
2119 0 \
2120 -S "X509 - A fatal error occured"
2121
2122run_test "Authentication: client max_int+1 chain, server optional" \
2123 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2124 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2125 key_file=data_files/dir-maxpath/10.key" \
2126 1 \
2127 -s "X509 - A fatal error occured"
2128
2129run_test "Authentication: client max_int+1 chain, server required" \
2130 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2131 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2132 key_file=data_files/dir-maxpath/10.key" \
2133 1 \
2134 -s "X509 - A fatal error occured"
2135
2136run_test "Authentication: client max_int chain, server required" \
2137 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2138 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2139 key_file=data_files/dir-maxpath/09.key" \
2140 0 \
2141 -S "X509 - A fatal error occured"
2142
# Tests for certificate selection based on SHA version
2144
2145run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2146 "$P_SRV crt_file=data_files/server5.crt \
2147 key_file=data_files/server5.key \
2148 crt_file2=data_files/server5-sha1.crt \
2149 key_file2=data_files/server5.key" \
2150 "$P_CLI force_version=tls1_2" \
2151 0 \
2152 -c "signed using.*ECDSA with SHA256" \
2153 -C "signed using.*ECDSA with SHA1"
2154
2155run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2156 "$P_SRV crt_file=data_files/server5.crt \
2157 key_file=data_files/server5.key \
2158 crt_file2=data_files/server5-sha1.crt \
2159 key_file2=data_files/server5.key" \
2160 "$P_CLI force_version=tls1_1" \
2161 0 \
2162 -C "signed using.*ECDSA with SHA256" \
2163 -c "signed using.*ECDSA with SHA1"
2164
2165run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2166 "$P_SRV crt_file=data_files/server5.crt \
2167 key_file=data_files/server5.key \
2168 crt_file2=data_files/server5-sha1.crt \
2169 key_file2=data_files/server5.key" \
2170 "$P_CLI force_version=tls1" \
2171 0 \
2172 -C "signed using.*ECDSA with SHA256" \
2173 -c "signed using.*ECDSA with SHA1"
2174
2175run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2176 "$P_SRV crt_file=data_files/server5.crt \
2177 key_file=data_files/server5.key \
2178 crt_file2=data_files/server6.crt \
2179 key_file2=data_files/server6.key" \
2180 "$P_CLI force_version=tls1_1" \
2181 0 \
2182 -c "serial number.*09" \
2183 -c "signed using.*ECDSA with SHA256" \
2184 -C "signed using.*ECDSA with SHA1"
2185
2186run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2187 "$P_SRV crt_file=data_files/server6.crt \
2188 key_file=data_files/server6.key \
2189 crt_file2=data_files/server5.crt \
2190 key_file2=data_files/server5.key" \
2191 "$P_CLI force_version=tls1_1" \
2192 0 \
2193 -c "serial number.*0A" \
2194 -c "signed using.*ECDSA with SHA256" \
2195 -C "signed using.*ECDSA with SHA1"
2196
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002197# tests for SNI
2198
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002199run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002200 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002201 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002202 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002203 0 \
2204 -S "parse ServerName extension" \
2205 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2206 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002207
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002208run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002209 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002210 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002211 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002212 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002213 0 \
2214 -s "parse ServerName extension" \
2215 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2216 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002217
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002218run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002219 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002220 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002221 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002222 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002223 0 \
2224 -s "parse ServerName extension" \
2225 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2226 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002227
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002228run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002229 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002230 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002231 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002232 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002233 1 \
2234 -s "parse ServerName extension" \
2235 -s "ssl_sni_wrapper() returned" \
2236 -s "mbedtls_ssl_handshake returned" \
2237 -c "mbedtls_ssl_handshake returned" \
2238 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002239
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002240run_test "SNI: client auth no override: optional" \
2241 "$P_SRV debug_level=3 auth_mode=optional \
2242 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2243 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2244 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002245 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002246 -S "skip write certificate request" \
2247 -C "skip parse certificate request" \
2248 -c "got a certificate request" \
2249 -C "skip write certificate" \
2250 -C "skip write certificate verify" \
2251 -S "skip parse certificate verify"
2252
2253run_test "SNI: client auth override: none -> optional" \
2254 "$P_SRV debug_level=3 auth_mode=none \
2255 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2256 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2257 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002258 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002259 -S "skip write certificate request" \
2260 -C "skip parse certificate request" \
2261 -c "got a certificate request" \
2262 -C "skip write certificate" \
2263 -C "skip write certificate verify" \
2264 -S "skip parse certificate verify"
2265
2266run_test "SNI: client auth override: optional -> none" \
2267 "$P_SRV debug_level=3 auth_mode=optional \
2268 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2269 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2270 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002271 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002272 -s "skip write certificate request" \
2273 -C "skip parse certificate request" \
2274 -c "got no certificate request" \
2275 -c "skip write certificate" \
2276 -c "skip write certificate verify" \
2277 -s "skip parse certificate verify"
2278
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002279run_test "SNI: CA no override" \
2280 "$P_SRV debug_level=3 auth_mode=optional \
2281 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2282 ca_file=data_files/test-ca.crt \
2283 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2284 "$P_CLI debug_level=3 server_name=localhost \
2285 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2286 1 \
2287 -S "skip write certificate request" \
2288 -C "skip parse certificate request" \
2289 -c "got a certificate request" \
2290 -C "skip write certificate" \
2291 -C "skip write certificate verify" \
2292 -S "skip parse certificate verify" \
2293 -s "x509_verify_cert() returned" \
2294 -s "! The certificate is not correctly signed by the trusted CA" \
2295 -S "The certificate has been revoked (is on a CRL)"
2296
2297run_test "SNI: CA override" \
2298 "$P_SRV debug_level=3 auth_mode=optional \
2299 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2300 ca_file=data_files/test-ca.crt \
2301 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2302 "$P_CLI debug_level=3 server_name=localhost \
2303 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2304 0 \
2305 -S "skip write certificate request" \
2306 -C "skip parse certificate request" \
2307 -c "got a certificate request" \
2308 -C "skip write certificate" \
2309 -C "skip write certificate verify" \
2310 -S "skip parse certificate verify" \
2311 -S "x509_verify_cert() returned" \
2312 -S "! The certificate is not correctly signed by the trusted CA" \
2313 -S "The certificate has been revoked (is on a CRL)"
2314
2315run_test "SNI: CA override with CRL" \
2316 "$P_SRV debug_level=3 auth_mode=optional \
2317 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2318 ca_file=data_files/test-ca.crt \
2319 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2320 "$P_CLI debug_level=3 server_name=localhost \
2321 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2322 1 \
2323 -S "skip write certificate request" \
2324 -C "skip parse certificate request" \
2325 -c "got a certificate request" \
2326 -C "skip write certificate" \
2327 -C "skip write certificate verify" \
2328 -S "skip parse certificate verify" \
2329 -s "x509_verify_cert() returned" \
2330 -S "! The certificate is not correctly signed by the trusted CA" \
2331 -s "The certificate has been revoked (is on a CRL)"
2332
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002333# Tests for non-blocking I/O: exercise a variety of handshake flows
2334
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002335run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002336 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2337 "$P_CLI nbio=2 tickets=0" \
2338 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002339 -S "mbedtls_ssl_handshake returned" \
2340 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002341 -c "Read from server: .* bytes read"
2342
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002343run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002344 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2345 "$P_CLI nbio=2 tickets=0" \
2346 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002347 -S "mbedtls_ssl_handshake returned" \
2348 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002349 -c "Read from server: .* bytes read"
2350
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002351run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002352 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2353 "$P_CLI nbio=2 tickets=1" \
2354 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002355 -S "mbedtls_ssl_handshake returned" \
2356 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002357 -c "Read from server: .* bytes read"
2358
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002359run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002360 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2361 "$P_CLI nbio=2 tickets=1" \
2362 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002363 -S "mbedtls_ssl_handshake returned" \
2364 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002365 -c "Read from server: .* bytes read"
2366
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002367run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002368 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2369 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2370 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002371 -S "mbedtls_ssl_handshake returned" \
2372 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002373 -c "Read from server: .* bytes read"
2374
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002375run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002376 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2377 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2378 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002379 -S "mbedtls_ssl_handshake returned" \
2380 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002381 -c "Read from server: .* bytes read"
2382
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002383run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002384 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2385 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2386 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002387 -S "mbedtls_ssl_handshake returned" \
2388 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01002389 -c "Read from server: .* bytes read"
2390
# Tests for version negotiation
#
# Success cases: both logs must report the same negotiated protocol, the
# highest version allowed by both peers' min_version/max_version settings.
# Failure cases: when one peer's minimum lies above the other's maximum the
# handshake must abort instead of settling on a lower version. The peer whose
# minimum is violated is the one expected to log the "not within min/max
# boundaries" error (client in the first failure case, server in the second).

run_test "Version check: all -> 1.2" \
    "$P_SRV" \
    "$P_CLI" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.2" \
    -c "Protocol is TLSv1.2"

run_test "Version check: cli max 1.1 -> 1.1" \
    "$P_SRV" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli+srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
    "$P_SRV min_version=tls1_1" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI min_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

# Client refuses anything below TLS 1.2 while the server tops out at TLS 1.1.
run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI min_version=tls1_2" \
    1 \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -c "SSL - Handshake protocol not within min/max boundaries"

# Server refuses anything below TLS 1.2 while the client tops out at TLS 1.1.
run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
    "$P_SRV min_version=tls1_2" \
    "$P_CLI max_version=tls1_1" \
    1 \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -s "SSL - Handshake protocol not within min/max boundaries"

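# Tests for ALPN extension
#
# Each case checks, per peer, whether the extension was written, whether it
# was parsed, and which protocol was finally selected. "[2:120]" is a fatal
# (level 2) no_application_protocol (120) alert.
#
# The client-side negative check in the first three cases used the pattern
# "found alpn extension " with a trailing space, while every positive check
# for the same message uses it without one. A negative pattern that differs
# from the logged text can never match, so the check would pass even if the
# client did parse an ALPN extension. The pattern is spelled without the
# trailing space here so that it agrees with the positive checks.
# NOTE(review): the exact log text is not visible in this file - confirm that
# the client message carries no trailing space.

run_test "ALPN: none" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -C "client hello, adding alpn extension" \
    -S "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension" \
    -C "Application Layer Protocol is" \
    -S "Application Layer Protocol is"

run_test "ALPN: client only" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 alpn=abc,1234" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension" \
    -c "Application Layer Protocol is (none)" \
    -S "Application Layer Protocol is"

run_test "ALPN: server only" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3" \
    0 \
    -C "client hello, adding alpn extension" \
    -S "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension" \
    -C "Application Layer Protocol is" \
    -s "Application Layer Protocol is (none)"

# With a common protocol, the three cases below show that the server's
# preference order decides: the result is the first entry of the server list
# that the client also offers.
run_test "ALPN: both, common cli1-srv1" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=abc,1234" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is abc" \
    -s "Application Layer Protocol is abc"

run_test "ALPN: both, common cli2-srv1" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=1234,abc" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is abc" \
    -s "Application Layer Protocol is abc"

run_test "ALPN: both, common cli1-srv2" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=1234,abcde" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is 1234" \
    -s "Application Layer Protocol is 1234"

# No overlap: the handshake must fail with the fatal alert rather than
# continue without an agreed protocol.
# NOTE(review): the last two negative patterns only rule out "1234"; they
# would not notice a different protocol being reported as selected.
run_test "ALPN: both, no common" \
    "$P_SRV debug_level=3 alpn=abc,123" \
    "$P_CLI debug_level=3 alpn=1234,abcde" \
    1 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -c "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension" \
    -C "Application Layer Protocol is 1234" \
    -S "Application Layer Protocol is 1234"

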
# Tests for keyUsage in leaf certificates, part 1:
# server-side certificate/suite selection
#
# The server is given a certificate whose keyUsage extension allows only some
# operations; the client's "Ciphersuite is ..." line shows which key exchange
# family the server was willing to use with that certificate.
# NOTE(review): the two "-> fail" cases assert only exit status 1 and the
# absence of a "Ciphersuite is " line on the client. They do not pin the
# server-side reason, so any other handshake failure would satisfy them too.

run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
    "$P_SRV key_file=data_files/server2.key \
     crt_file=data_files/server2.ku-ds.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"


run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
    "$P_SRV key_file=data_files/server2.key \
     crt_file=data_files/server2.ku-ke.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-"

run_test "keyUsage srv: RSA, keyAgreement -> fail" \
    "$P_SRV key_file=data_files/server2.key \
     crt_file=data_files/server2.ku-ka.crt" \
    "$P_CLI" \
    1 \
    -C "Ciphersuite is "

run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ds.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"


run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-ECDH-"

run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ke.crt" \
    "$P_CLI" \
    1 \
    -C "Ciphersuite is "

# Tests for keyUsage in leaf certificates, part 2:
# client-side checking of server cert
#
# An OpenSSL server presents a certificate with a restricted keyUsage and the
# client forces a ciphersuite whose key exchange either matches or conflicts
# with it. $O_SRV already carries a default -cert/-key pair; the pair appended
# here is presumably the one OpenSSL ends up using - confirm.
#
# "fail" vs "fail, soft": with the default auth_mode the mismatch aborts the
# handshake (exit 1, no ciphersuite line). With auth_mode=optional the
# mismatch is still logged, but the handshake completes and exits 0. An
# application that runs with optional verification therefore has to inspect
# the verification result itself; the connection succeeding proves nothing.

run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds_ke.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds_ke.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"

run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 auth_mode=optional \
     force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -c "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-" \
    -c "! Usage does not match the keyUsage extension"

run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "keyUsage cli: DigitalSignature, RSA: fail" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"

run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 auth_mode=optional \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -c "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-" \
    -c "! Usage does not match the keyUsage extension"

# Tests for keyUsage in leaf certificates, part 3:
# server-side checking of client cert
#
# An OpenSSL client authenticates with a certificate whose keyUsage may not
# permit signing. "soft" (auth_mode=optional): the server logs the usage
# violation but the handshake still completes. "hard" (auth_mode=required):
# the server also fails the Certificate message and the client exits 1.
# NOTE(review): there is no auth_mode=required case for the ECDSA
# KeyAgreement certificate in this group.

run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server2.key \
     -cert data_files/server2.ku-ds.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
    "$P_SRV debug_level=1 auth_mode=required" \
    "$O_CLI -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    1 \
    -s "bad certificate (usage extensions)" \
    -s "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.ku-ds.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.ku-ka.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

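# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
#
# The server loads a certificate with a given extendedKeyUsage set and the
# test records only whether a default client can complete the handshake.
# None of these cases inspects a log line, so the "-> fail" case is satisfied
# by any client failure, not specifically by an EKU rejection.

run_test "extKeyUsage srv: serverAuth -> OK" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.eku-srv.crt" \
    "$P_CLI" \
    0

# This case used to load server5.eku-srv.crt, which made it a duplicate of the
# serverAuth-only case above. It now loads the serverAuth+clientAuth
# certificate that the same-named client-side and cli-auth cases in this file
# use.
run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.eku-srv_cli.crt" \
    "$P_CLI" \
    0

run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.eku-cs_any.crt" \
    "$P_CLI" \
    0

# NOTE(review): the title says codeSign but the certificate loaded is
# server5.eku-cli.crt; the codeSign-only file used by the client-side tests in
# this script is server5.eku-cs.crt. Confirm whether the title or the fixture
# is the intended one.
run_test "extKeyUsage srv: codeSign -> fail" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.eku-cli.crt" \
    "$P_CLI" \
    1
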
# Tests for extendedKeyUsage, part 2: client-side checking of server cert
#
# An OpenSSL server presents certificates with different extendedKeyUsage
# sets. The client must accept serverAuth (alone or with clientAuth) and
# anyExtendedKeyUsage, and must reject a codeSign-only certificate with the
# "usage extensions" error before any ciphersuite is reported.

run_test "extKeyUsage cli: serverAuth -> OK" \
    "$O_SRV -key data_files/server5.key \
     -cert data_files/server5.eku-srv.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
    "$O_SRV -key data_files/server5.key \
     -cert data_files/server5.eku-srv_cli.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
    "$O_SRV -key data_files/server5.key \
     -cert data_files/server5.eku-cs_any.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "extKeyUsage cli: codeSign -> fail" \
    "$O_SRV -key data_files/server5.key \
     -cert data_files/server5.eku-cs.crt" \
    "$P_CLI debug_level=1" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"

# Tests for extendedKeyUsage, part 3: server-side checking of client cert
#
# An OpenSSL client authenticates with certificates carrying different
# extendedKeyUsage sets. With auth_mode=optional a codeSign-only certificate
# is flagged in the server log but the handshake completes ("soft"). With
# auth_mode=required the server fails the Certificate message and the client
# exits 1 ("hard").

run_test "extKeyUsage cli-auth: clientAuth -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-cli.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-srv_cli.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-cs_any.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-cs.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
    "$P_SRV debug_level=1 auth_mode=required" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-cs.crt" \
    1 \
    -s "bad certificate (usage extensions)" \
    -s "Processing of the Certificate handshake message failed"

# Tests for DHM parameters loading
#
# The client forces a DHE-RSA suite and dumps the received group at
# debug_level=3. Without dhm_file the server sends a 2048-bit P and G; with
# data_files/dhparams.pem it sends a 1024-bit P and a 2-bit G, which shows
# that the file's parameters replace the built-in ones.

run_test "DHM parameters: reference" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=3" \
    0 \
    -c "value of 'DHM: P ' (2048 bits)" \
    -c "value of 'DHM: G ' (2048 bits)"

run_test "DHM parameters: other parameters" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=3" \
    0 \
    -c "value of 'DHM: P ' (1024 bits)" \
    -c "value of 'DHM: G ' (2 bits)"

# Tests for DHM client-side size checking
#
# The client must refuse a server DH prime shorter than its configured
# minimum (dhmlen) and log "DHM prime too short:". The boundary is exercised
# on both sides: the default server group passes with dhmlen=2048 and fails
# with dhmlen=2049, and a default client accepts the 1024-bit file but rejects
# the 1000-bit one.
# As far as these cases show, the default client floor lies somewhere between
# 1001 and 1024 bits. 1024-bit finite-field DH is generally regarded as too
# weak for long-term confidentiality, so deployments that keep DHE suites
# enabled should raise the minimum rather than rely on the default.

run_test "DHM size: server default, client default, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server default, client 2048, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1 dhmlen=2048" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server 1024, client default, OK" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server 1000, client default, rejected" \
    "$P_SRV dhm_file=data_files/dh.1000.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    1 \
    -c "DHM prime too short:"

run_test "DHM size: server default, client 2049, rejected" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1 dhmlen=2049" \
    1 \
    -c "DHM prime too short:"

# Tests for PSK callback
#
# The server is configured with a static identity/key pair (psk, psk_identity),
# with a lookup list (psk_list=id1,key1,id2,key2), or with both. Three server
# errors tell the failure modes apart:
#   "None of the common ciphersuites is usable" - server has no PSK at all
#   "Unknown identity received"                 - identity not found
#   "Verification of the message MAC failed"    - identity found, key differs
# The "callback overrides other settings" case shows that once psk_list is
# given, the static pair is no longer accepted: identity "foo" is rejected
# as unknown even though psk/psk_identity would match it.
# The identities and keys here are test fixtures only.

run_test "PSK callback: psk, no callback" \
    "$P_SRV psk=abc123 psk_identity=foo" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: no psk, no callback" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    1 \
    -s "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: callback overrides other settings" \
    "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: first id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=abc psk=dead" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: second id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=def psk=beef" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: no match" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=ghi psk=beef" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Known identity paired with another identity's key: the failure must show up
# as a MAC error, not as an unknown identity.
run_test "PSK callback: wrong key" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=abc psk=beef" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -s "SSL - Verification of the message MAC failed"

# Tests for ciphersuites per version
#
# version_suites takes four suites. Going by the assertions below, they are
# applied in order to SSL3, TLS 1.0, TLS 1.1 and TLS 1.2: the client forces
# one version per case and must end up with the suite in the matching slot.
# The SSL3 case is gated on MBEDTLS_SSL_PROTO_SSL3; requires_config_enabled
# presumably applies to the run_test that follows it - confirm against its
# definition.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Per-version suites: SSL3" \
    "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=ssl3" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"

run_test "Per-version suites: TLS 1.0" \
    "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1 arc4=1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"

run_test "Per-version suites: TLS 1.1" \
    "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"

run_test "Per-version suites: TLS 1.2" \
    "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_2" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"

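# Test for ClientHello without extensions
#
# gnutls-cli is told to send no extensions at all (%NO_EXTENSIONS); the server
# must log an empty extension block (0 bytes) and still complete the handshake.

requires_gnutls
run_test    "ClientHello without extensions, SHA-1 allowed" \
            "$P_SRV debug_level=3" \
            "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
            0 \
            -s "dumping 'client hello extensions' (0 bytes)"

# Same extension-less hello against a server started with allow_sha1=0 and the
# server2 key/certificate; the handshake is still expected to succeed.
# NOTE(review): presumably server2.crt is not SHA-1 signed, so forbidding SHA-1
# in certificates does not leave the server without a usable chain -- confirm.
requires_gnutls
run_test    "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
            "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
            "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
            0 \
            -s "dumping 'client hello extensions' (0 bytes)"
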
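# Tests for mbedtls_ssl_get_bytes_avail()
#
# The -s patterns look like regular expressions: the trailing "$" in the first
# test rejects any suffix after "bytes read", while the second test requires a
# parenthesised "(... + ...)" suffix after the byte count.
# NOTE(review): the suffix presumably reports data still buffered after the
# first read -- confirm against ssl_server2's output format.

run_test    "mbedtls_ssl_get_bytes_avail: no extra data" \
            "$P_SRV" \
            "$P_CLI request_size=100" \
            0 \
            -s "Read from client: 100 bytes read$"

run_test    "mbedtls_ssl_get_bytes_avail: extra data" \
            "$P_SRV" \
            "$P_CLI request_size=500" \
            0 \
            -s "Read from client: 500 bytes read (.*+.*)"
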
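# Tests for small packets
#
# request_size=1 has the client send a 1-byte request; the server must report
# reading exactly 1 byte. Both SSLv3 cases are skipped unless the build enables
# MBEDTLS_SSL_PROTO_SSL3, and the RC4 case also needs arc4=1 on the server.
# SSLv3 and RC4 appear here as legacy regression coverage only.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Small packet SSLv3 BlockCipher" \
            "$P_SRV min_version=ssl3" \
            "$P_CLI request_size=1 force_version=ssl3 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Small packet SSLv3 StreamCipher" \
            "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=1 force_version=ssl3 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -s "Read from client: 1 bytes read"
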
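# Small (1-byte) requests over TLS 1.0: CBC with the default settings, CBC with
# encrypt-then-MAC turned off on the client (etm=0), CBC with truncated HMAC,
# and RC4 with truncated HMAC (the server needs arc4=1 for the RC4 suite).
# Each case passes when the server reports reading exactly 1 byte.
run_test    "Small packet TLS 1.0 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.0 BlockCipher without EtM" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1 etm=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.0 BlockCipher truncated MAC" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
             trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.0 StreamCipher truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=1 force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
             trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"
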
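# Small (1-byte) requests over TLS 1.1: CBC (default, etm=0, truncated HMAC)
# and RC4 (plain and truncated HMAC; the server needs arc4=1 for RC4).
# Each case passes when the server reports reading exactly 1 byte.
run_test    "Small packet TLS 1.1 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.1 BlockCipher without EtM" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.1 StreamCipher" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=1 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.1 BlockCipher truncated MAC" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
             trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.1 StreamCipher truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=1 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
             trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"
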
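# Small (1-byte) requests over TLS 1.2. Besides the CBC and RC4 variants this
# group adds a CBC suite with a SHA-384 MAC ("larger MAC") and the two AEAD
# suites AES-256-CCM and AES-256-CCM-8 ("shorter tag").
# Each case passes when the server reports reading exactly 1 byte.
run_test    "Small packet TLS 1.2 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.2 BlockCipher without EtM" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.2 BlockCipher larger MAC" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.2 BlockCipher truncated MAC" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
             trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.2 StreamCipher" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.2 StreamCipher truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
             trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.2 AEAD" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small packet TLS 1.2 AEAD shorter tag" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
            0 \
            -s "Read from client: 1 bytes read"
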
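# A test for extensions in SSLv3
#
# The client is asked for tickets, max_frag_len and ALPN while forcing SSLv3.
# The server log must show neither a client hello extension dump nor a server
# hello extension length, i.e. no extensions are processed or sent at SSLv3.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "SSLv3 with extensions, server side" \
            "$P_SRV min_version=ssl3 debug_level=3" \
            "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
            0 \
            -S "dumping 'client hello extensions'" \
            -S "server hello, total extension length:"
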
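# Test for large packets
#
# request_size=16384 must be written by the client as a single fragment and
# read in full by the server. Both SSLv3 cases are skipped unless the build
# enables MBEDTLS_SSL_PROTO_SSL3.
# NOTE(review): recsplit=0 on the CBC case presumably turns off 1/n-1 record
# splitting, which would otherwise break the "1 fragments" check -- confirm
# against ssl_client2.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Large packet SSLv3 BlockCipher" \
            "$P_SRV min_version=ssl3" \
            "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Large packet SSLv3 StreamCipher" \
            "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=ssl3 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"
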
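# Large (16384-byte) requests over TLS 1.0. The client must write the request
# as one fragment and the server must read all of it.
# NOTE(review): the two CBC cases pass recsplit=0, presumably to disable 1/n-1
# record splitting so that the "1 fragments" check can hold -- confirm.
run_test    "Large packet TLS 1.0 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.0 BlockCipher truncated MAC" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
             trunc_hmac=1" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.0 StreamCipher truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
             trunc_hmac=1" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"
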
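# Large (16384-byte) requests over TLS 1.1, CBC and RC4, with and without
# truncated HMAC. The client must write the request as one fragment and the
# server must read all of it; no recsplit override is passed in this group.
run_test    "Large packet TLS 1.1 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.1 StreamCipher" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.1 BlockCipher truncated MAC" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
             trunc_hmac=1" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.1 StreamCipher truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
             trunc_hmac=1" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"
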
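# Large (16384-byte) requests over TLS 1.2: CBC (SHA-1 MAC, SHA-384 MAC,
# truncated HMAC), RC4 (plain and truncated HMAC) and the AEAD suites
# AES-256-CCM and AES-256-CCM-8. The client must write the request as one
# fragment and the server must read all of it.
run_test    "Large packet TLS 1.2 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.2 BlockCipher larger MAC" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.2 BlockCipher truncated MAC" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
             trunc_hmac=1" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.2 StreamCipher" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.2 StreamCipher truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
             trunc_hmac=1" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.2 AEAD" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large packet TLS 1.2 AEAD shorter tag" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"
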
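# Tests for DTLS HelloVerifyRequest
#
# The cookie exchange is DTLS's defence against ClientHello floods from spoofed
# source addresses. With cookies on, the server log must show one failed
# verification (presumably the first, cookie-less ClientHello) and one passed,
# and the client must see the HelloVerifyRequest. "skipped" may appear only
# when cookies=0 was requested explicitly.

run_test    "DTLS cookie: enabled" \
            "$P_SRV dtls=1 debug_level=2" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -s "cookie verification failed" \
            -s "cookie verification passed" \
            -S "cookie verification skipped" \
            -c "received hello verify request" \
            -s "hello verification requested" \
            -S "SSL - The requested feature is not available"

run_test    "DTLS cookie: disabled" \
            "$P_SRV dtls=1 debug_level=2 cookies=0" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -S "cookie verification failed" \
            -S "cookie verification passed" \
            -s "cookie verification skipped" \
            -C "received hello verify request" \
            -S "hello verification requested" \
            -S "SSL - The requested feature is not available"

# Fail-closed case: the handshake must abort (exit 1) with "requested feature
# is not available" instead of silently skipping cookie verification.
# NOTE(review): cookies=-1 appears to leave the cookie callbacks unconfigured;
# confirm against ssl_server2.
run_test    "DTLS cookie: default (failing)" \
            "$P_SRV dtls=1 debug_level=2 cookies=-1" \
            "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
            1 \
            -s "cookie verification failed" \
            -S "cookie verification passed" \
            -S "cookie verification skipped" \
            -C "received hello verify request" \
            -S "hello verification requested" \
            -s "SSL - The requested feature is not available"

requires_ipv6
run_test    "DTLS cookie: enabled, IPv6" \
            "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
            "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
            0 \
            -s "cookie verification failed" \
            -s "cookie verification passed" \
            -S "cookie verification skipped" \
            -c "received hello verify request" \
            -s "hello verification requested" \
            -S "SSL - The requested feature is not available"

run_test    "DTLS cookie: enabled, nbio" \
            "$P_SRV dtls=1 nbio=2 debug_level=2" \
            "$P_CLI dtls=1 nbio=2 debug_level=2" \
            0 \
            -s "cookie verification failed" \
            -s "cookie verification passed" \
            -S "cookie verification skipped" \
            -c "received hello verify request" \
            -s "hello verification requested" \
            -S "SSL - The requested feature is not available"
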
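# Tests for client reconnecting from the same port with DTLS
#
# The "reference" case runs two exchanges with no reconnect and must show no
# resend, no timeout and no reconnection on the server. The reconnect cases add
# reconnect_hard=1 on the client and require the server to log "Client
# initiated reconnection from same port" without timing out.
# The last case is the negative one: with cookies=0 the server must NOT accept
# the reconnection and is expected to time out instead.
# NOTE(review): without a cookie round-trip the server presumably cannot tell a
# genuine reconnect from a spoofed ClientHello, hence the refusal -- confirm.

not_with_valgrind # spurious resend
run_test    "DTLS client reconnect from same port: reference" \
            "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
            "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
            0 \
            -C "resend" \
            -S "The operation timed out" \
            -S "Client initiated reconnection from same port"

not_with_valgrind # spurious resend
run_test    "DTLS client reconnect from same port: reconnect" \
            "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
            "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
            0 \
            -C "resend" \
            -S "The operation timed out" \
            -s "Client initiated reconnection from same port"

not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
run_test    "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
            "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
            "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
            0 \
            -S "The operation timed out" \
            -s "Client initiated reconnection from same port"

only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
run_test    "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
            "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
            "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
            0 \
            -S "The operation timed out" \
            -s "Client initiated reconnection from same port"

run_test    "DTLS client reconnect from same port: no cookies" \
            "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
            "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
            0 \
            -s "The operation timed out" \
            -S "Client initiated reconnection from same port"
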
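# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)
#
# auth_mode=required: the server must report the peer certificate as verified.
# auth_mode=optional / none with a certificate-less client: the handshake still
# succeeds, but the server log must say that the certificate was missing or
# that verification was skipped, so an unauthenticated peer is never silent.

run_test    "DTLS client auth: required" \
            "$P_SRV dtls=1 auth_mode=required" \
            "$P_CLI dtls=1" \
            0 \
            -s "Verifying peer X.509 certificate... ok"

run_test    "DTLS client auth: optional, client has no cert" \
            "$P_SRV dtls=1 auth_mode=optional" \
            "$P_CLI dtls=1 crt_file=none key_file=none" \
            0 \
            -s "! Certificate was missing"

run_test    "DTLS client auth: none, client has no cert" \
            "$P_SRV dtls=1 auth_mode=none" \
            "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
            0 \
            -c "skip write certificate$" \
            -s "! Certificate verification was skipped"

# The two sides use different keys (abc123 vs abc124): the handshake must fail
# (exit 1) with a MAC verification error on the server and a fatal alert seen
# by the client.
run_test    "DTLS wrong PSK: badmac alert" \
            "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
            "$P_CLI dtls=1 psk=abc124" \
            1 \
            -s "SSL - Verification of the message MAC failed" \
            -c "SSL - A fatal alert message was received from our peer"
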
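# Tests for receiving fragmented handshake messages with DTLS
#
# A GnuTLS server is run with decreasing --mtu values. At 2048 the client must
# not see any fragmented handshake message; at 512, 256 and 128 it must see and
# reassemble them. No case may log "error" on the client. All cases are skipped
# when GnuTLS is unavailable, and the renegotiation cases also need
# MBEDTLS_SSL_RENEGOTIATION in the build.

requires_gnutls
run_test    "DTLS reassembly: no fragmentation (gnutls server)" \
            "$G_SRV -u --mtu 2048 -a" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -C "found fragmented DTLS handshake message" \
            -C "error"

requires_gnutls
run_test    "DTLS reassembly: some fragmentation (gnutls server)" \
            "$G_SRV -u --mtu 512" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -c "found fragmented DTLS handshake message" \
            -C "error"

requires_gnutls
run_test    "DTLS reassembly: more fragmentation (gnutls server)" \
            "$G_SRV -u --mtu 128" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -c "found fragmented DTLS handshake message" \
            -C "error"

requires_gnutls
run_test    "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
            "$G_SRV -u --mtu 128" \
            "$P_CLI dtls=1 nbio=2 debug_level=2" \
            0 \
            -c "found fragmented DTLS handshake message" \
            -C "error"

# Reassembly must keep working across a client-initiated renegotiation: the
# client log must show the renegotiation extension being sent and found, and
# must not show mbedtls_ssl_handshake returning an error.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "DTLS reassembly: fragmentation, renego (gnutls server)" \
            "$G_SRV -u --mtu 256" \
            "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
            0 \
            -c "found fragmented DTLS handshake message" \
            -c "client hello, adding renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "mbedtls_ssl_handshake returned" \
            -C "error" \
            -s "Extra-header:"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
            "$G_SRV -u --mtu 256" \
            "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
            0 \
            -c "found fragmented DTLS handshake message" \
            -c "client hello, adding renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "mbedtls_ssl_handshake returned" \
            -C "error" \
            -s "Extra-header:"
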
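# DTLS handshake reassembly against an OpenSSL server (-dtls1) at decreasing
# -mtu values: no fragmentation expected at 2048, fragmentation expected at 768
# and 256. No case may log "error" on the client.
run_test    "DTLS reassembly: no fragmentation (openssl server)" \
            "$O_SRV -dtls1 -mtu 2048" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -C "found fragmented DTLS handshake message" \
            -C "error"

run_test    "DTLS reassembly: some fragmentation (openssl server)" \
            "$O_SRV -dtls1 -mtu 768" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -c "found fragmented DTLS handshake message" \
            -C "error"

run_test    "DTLS reassembly: more fragmentation (openssl server)" \
            "$O_SRV -dtls1 -mtu 256" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -c "found fragmented DTLS handshake message" \
            -C "error"

run_test    "DTLS reassembly: fragmentation, nbio (openssl server)" \
            "$O_SRV -dtls1 -mtu 256" \
            "$P_CLI dtls=1 nbio=2 debug_level=2" \
            0 \
            -c "found fragmented DTLS handshake message" \
            -C "error"
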
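# Tests for specific things with "unreliable" UDP connection
#
# -p puts the UDP proxy ($P_PXY) between client and server. The "reference"
# case passes traffic unmodified and must show no replayed, cross-epoch or
# discarded records on either side.

not_with_valgrind # spurious resend due to timeout
run_test    "DTLS proxy: reference" \
            -p "$P_PXY" \
            "$P_SRV dtls=1 debug_level=2" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -C "replayed record" \
            -S "replayed record" \
            -C "record from another epoch" \
            -S "record from another epoch" \
            -C "discarding invalid record" \
            -S "discarding invalid record" \
            -S "resend" \
            -s "Extra-header:" \
            -c "HTTP/1.0 200 OK"

# Anti-replay on (default): every duplicated datagram must be detected as a
# replay and discarded by both peers, and the exchange must still complete.
not_with_valgrind # spurious resend due to timeout
run_test    "DTLS proxy: duplicate every packet" \
            -p "$P_PXY duplicate=1" \
            "$P_SRV dtls=1 debug_level=2" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -c "replayed record" \
            -s "replayed record" \
            -c "discarding invalid record" \
            -s "discarding invalid record" \
            -S "resend" \
            -s "Extra-header:" \
            -c "HTTP/1.0 200 OK"

# Server started with anti_replay=0: it must no longer log "replayed record",
# while the client (anti-replay untouched) still does. Both sides are expected
# to resend in this configuration.
run_test    "DTLS proxy: duplicate every packet, server anti-replay off" \
            -p "$P_PXY duplicate=1" \
            "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
            "$P_CLI dtls=1 debug_level=2" \
            0 \
            -c "replayed record" \
            -S "replayed record" \
            -c "discarding invalid record" \
            -s "discarding invalid record" \
            -c "resend" \
            -s "resend" \
            -s "Extra-header:" \
            -c "HTTP/1.0 200 OK"

# bad_ad=1 has the proxy inject an invalid application-data record. With the
# default badmac_limit the record is discarded on both sides and the session
# continues; with badmac_limit=1 the server gives up on the first bad MAC
# (exit 1, "too many records with bad MAC"); with badmac_limit=2 a single bad
# record is again tolerated.
run_test    "DTLS proxy: inject invalid AD record, default badmac_limit" \
            -p "$P_PXY bad_ad=1" \
            "$P_SRV dtls=1 debug_level=1" \
            "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
            0 \
            -c "discarding invalid record (mac)" \
            -s "discarding invalid record (mac)" \
            -s "Extra-header:" \
            -c "HTTP/1.0 200 OK" \
            -S "too many records with bad MAC" \
            -S "Verification of the message MAC failed"

run_test    "DTLS proxy: inject invalid AD record, badmac_limit 1" \
            -p "$P_PXY bad_ad=1" \
            "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
            "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
            1 \
            -C "discarding invalid record (mac)" \
            -S "discarding invalid record (mac)" \
            -S "Extra-header:" \
            -C "HTTP/1.0 200 OK" \
            -s "too many records with bad MAC" \
            -s "Verification of the message MAC failed"

run_test    "DTLS proxy: inject invalid AD record, badmac_limit 2" \
            -p "$P_PXY bad_ad=1" \
            "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
            "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
            0 \
            -c "discarding invalid record (mac)" \
            -s "discarding invalid record (mac)" \
            -s "Extra-header:" \
            -c "HTTP/1.0 200 OK" \
            -S "too many records with bad MAC" \
            -S "Verification of the message MAC failed"
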
3601run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3602 -p "$P_PXY bad_ad=1" \
3603 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3604 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3605 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003606 -c "discarding invalid record (mac)" \
3607 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003608 -s "Extra-header:" \
3609 -c "HTTP/1.0 200 OK" \
3610 -s "too many records with bad MAC" \
3611 -s "Verification of the message MAC failed"
3613run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003614 -p "$P_PXY delay_ccs=1" \
3615 "$P_SRV dtls=1 debug_level=1" \
3616 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003617 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003618 -c "record from another epoch" \
3619 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003620 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003621 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003622 -s "Extra-header:" \
3623 -c "HTTP/1.0 200 OK"
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02003625# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003626
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003627needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003628run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003629 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003630 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3631 psk=abc123" \
3632 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003633 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3634 0 \
3635 -s "Extra-header:" \
3636 -c "HTTP/1.0 200 OK"
3637
3638needs_more_time 2
3639run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3640 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003641 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3642 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003643 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3644 0 \
3645 -s "Extra-header:" \
3646 -c "HTTP/1.0 200 OK"
3647
3648needs_more_time 2
3649run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3650 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003651 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3652 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003653 0 \
3654 -s "Extra-header:" \
3655 -c "HTTP/1.0 200 OK"
3656
3657needs_more_time 2
3658run_test "DTLS proxy: 3d, FS, client auth" \
3659 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003660 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3661 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003662 0 \
3663 -s "Extra-header:" \
3664 -c "HTTP/1.0 200 OK"
3665
3666needs_more_time 2
3667run_test "DTLS proxy: 3d, FS, ticket" \
3668 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003669 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3670 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003671 0 \
3672 -s "Extra-header:" \
3673 -c "HTTP/1.0 200 OK"
3674
3675needs_more_time 2
3676run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3677 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003678 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3679 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003680 0 \
3681 -s "Extra-header:" \
3682 -c "HTTP/1.0 200 OK"
3683
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003684needs_more_time 2
3685run_test "DTLS proxy: 3d, max handshake, nbio" \
3686 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003687 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3688 auth_mode=required" \
3689 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003690 0 \
3691 -s "Extra-header:" \
3692 -c "HTTP/1.0 200 OK"
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02003694needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02003695run_test "DTLS proxy: 3d, min handshake, resumption" \
3696 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3697 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3698 psk=abc123 debug_level=3" \
3699 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3700 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3701 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3702 0 \
3703 -s "a session has been resumed" \
3704 -c "a session has been resumed" \
3705 -s "Extra-header:" \
3706 -c "HTTP/1.0 200 OK"
3707
3708needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02003709run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3710 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3711 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3712 psk=abc123 debug_level=3 nbio=2" \
3713 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3714 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3715 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3716 0 \
3717 -s "a session has been resumed" \
3718 -c "a session has been resumed" \
3719 -s "Extra-header:" \
3720 -c "HTTP/1.0 200 OK"
3722needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +01003723requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003724run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02003725 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003726 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3727 psk=abc123 renegotiation=1 debug_level=2" \
3728 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3729 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02003730 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3731 0 \
3732 -c "=> renegotiate" \
3733 -s "=> renegotiate" \
3734 -s "Extra-header:" \
3735 -c "HTTP/1.0 200 OK"
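# Client-initiated renegotiation over the lossy proxy, non-blocking I/O
# variant. nbio=2 is passed to both peers, as in the other ", nbio" cases
# of this group; without it this case ran with exactly the arguments of
# the plain client-initiated renego test above, so the non-blocking
# renegotiation path was not covered despite the title.
# Only runs when the build has MBEDTLS_SSL_RENEGOTIATION enabled.
needs_more_time 4
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
 -p "$P_PXY drop=5 delay=5 duplicate=5" \
 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
 psk=abc123 renegotiation=1 debug_level=2 nbio=2" \
 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
 renegotiate=1 debug_level=2 nbio=2 \
 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
 0 \
 -c "=> renegotiate" \
 -s "=> renegotiate" \
 -s "Extra-header:" \
 -c "HTTP/1.0 200 OK"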
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003752needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +01003753requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003754run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003755 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003756 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003757 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003758 debug_level=2" \
3759 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003760 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003761 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3762 0 \
3763 -c "=> renegotiate" \
3764 -s "=> renegotiate" \
3765 -s "Extra-header:" \
3766 -c "HTTP/1.0 200 OK"
3767
3768needs_more_time 4
Hanno Becker78891132017-10-24 11:54:55 +01003769requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003770run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003771 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003772 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003773 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003774 debug_level=2 nbio=2" \
3775 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003776 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003777 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3778 0 \
3779 -c "=> renegotiate" \
3780 -s "=> renegotiate" \
3781 -s "Extra-header:" \
3782 -c "HTTP/1.0 200 OK"
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +02003784needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003785not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003786run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02003787 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3788 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00003789 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02003790 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02003791 -c "HTTP/1.0 200 OK"
3792
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +02003793needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003794not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003795run_test "DTLS proxy: 3d, openssl server, fragmentation" \
3796 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3797 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00003798 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003799 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003800 -c "HTTP/1.0 200 OK"
3801
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +02003802needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003803not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003804run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
3805 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3806 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00003807 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003808 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003809 -c "HTTP/1.0 200 OK"
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00003811requires_gnutls
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +02003812needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003813not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003814run_test "DTLS proxy: 3d, gnutls server" \
3815 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3816 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02003817 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003818 0 \
3819 -s "Extra-header:" \
3820 -c "Extra-header:"
3821
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00003822requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +02003823needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003824not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003825run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
3826 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3827 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02003828 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02003829 0 \
3830 -s "Extra-header:" \
3831 -c "Extra-header:"
3832
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00003833requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +02003834needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02003835not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003836run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
3837 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3838 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02003839 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003840 0 \
3841 -s "Extra-header:" \
3842 -c "Extra-header:"
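# Final report
#
# Prints PASSED or FAILED followed by the pass/total/skipped counts, then
# exits with the number of failed tests so that callers (CI, wrapper
# scripts) see a non-zero status whenever anything failed.
# Globals: TESTS, FAILS, SKIPS (read; maintained by the test helpers
# earlier in the file), PASSES (written).

echo "------------------------------------------------------------------------"

if [ "$FAILS" = 0 ]; then
    printf "PASSED"
else
    printf "FAILED"
fi
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"

# The caller only receives the low 8 bits of the exit status, so a failure
# count that is a multiple of 256 would be reported as 0, i.e. success.
# Clamp after printing so the report above still shows the real count.
if [ "$FAILS" -gt 255 ]; then
    FAILS=255
fi

exit "$FAILS"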