TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a1e980695b33961bb0462a58c85aec150d26a509 / . / tests / ssl-opt.sh
blob: c423a4e2c64c7f6381081d7ee9d092748c3a8bb1 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Jaeden Ameroa258ccd2019-07-03 13:51:04 +0100[diff] [blame]24# Limit the size of each log to 10 GiB, in case of failures with this script
25# where it may output seemingly unlimited length error logs.
26ulimit -f 20971520
27
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]28if cd $( dirname $0 ); then :; else
29 echo "cd $( dirname $0 ) failed" >&2
30 exit 1
31fi
32
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]33# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]34: ${P_SRV:=../programs/ssl/ssl_server2}
35: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]36: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]37: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]38: ${GNUTLS_CLI:=gnutls-cli}
39: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]40: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]41
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]42O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]43O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]44G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]45G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]46TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]47
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]48# alternative versions of OpenSSL and GnuTLS (no default path)
49
50if [ -n "${OPENSSL_LEGACY:-}" ]; then
51 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
52 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
53else
54 O_LEGACY_SRV=false
55 O_LEGACY_CLI=false
56fi
57
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]58if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]59 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
60else
61 G_NEXT_SRV=false
62fi
63
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]64if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]65 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
66else
67 G_NEXT_CLI=false
68fi
69
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]70TESTS=0
71FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]72SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]73
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]74MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]75FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]76EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]77
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]78SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]79RUN_TEST_NUMBER=''
80
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]81PRESERVE_LOGS=0
82
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]83# Pick a "unique" server port in the range 10000-19999, and a proxy
84# port which is this plus 10000. Each port number may be independently
85# overridden by a command line option.
86SRV_PORT=$(($$ % 10000 + 10000))
87PXY_PORT=$((SRV_PORT + 10000))
88
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]89print_usage() {
90 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]91 printf " -h|--help\tPrint this help.\n"
92 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]93 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
94 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]95 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]96 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]97 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]98 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
99 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]100 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]101}
102
103get_options() {
104 while [ $# -gt 0 ]; do
105 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]106 -f|--filter)
107 shift; FILTER=$1
108 ;;
109 -e|--exclude)
110 shift; EXCLUDE=$1
111 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]112 -m|--memcheck)
113 MEMCHECK=1
114 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]115 -n|--number)
116 shift; RUN_TEST_NUMBER=$1
117 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]118 -s|--show-numbers)
119 SHOW_TEST_NUMBER=1
120 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]121 -p|--preserve-logs)
122 PRESERVE_LOGS=1
123 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]124 --port)
125 shift; SRV_PORT=$1
126 ;;
127 --proxy-port)
128 shift; PXY_PORT=$1
129 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]130 --seed)
131 shift; SEED="$1"
132 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]133 -h|--help)
134 print_usage
135 exit 0
136 ;;
137 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]138 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]139 print_usage
140 exit 1
141 ;;
142 esac
143 shift
144 done
145}
146
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]147# Skip next test; use this macro to skip tests which are legitimate
148# in theory and expected to be re-introduced at some point, but
149# aren't expected to succeed at the moment due to problems outside
150# our control (such as bugs in other TLS implementations).
151skip_next_test() {
152 SKIP_NEXT="YES"
153}
154
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]155requires_ciphersuite_enabled() {
156 if [ -z "$($P_CLI --help | grep "$1")" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]161get_config_value_or_default() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]162 # This function uses the query_config command line option to query the
163 # required Mbed TLS compile time configuration from the ssl_server2
164 # program. The command will always return a success value if the
165 # configuration is defined and the value will be printed to stdout.
166 #
167 # Note that if the configuration is not defined or is defined to nothing,
168 # the output of this function will be an empty string.
169 ${P_SRV} "query_config=${1}"
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]170}
171
Hanno Beckerab9a29b2019-09-24 16:14:39 +0100[diff] [blame]172# skip next test if the flag is enabled in config.h
173requires_config_disabled() {
174 if get_config_value_or_default $1; then
175 SKIP_NEXT="YES"
176 fi
177}
178
179requires_config_enabled() {
180 if ! get_config_value_or_default $1; then
181 SKIP_NEXT="YES"
182 fi
183}
184
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]185requires_config_value_at_least() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]186 VAL="$( get_config_value_or_default "$1" )"
187 if [ -z "$VAL" ]; then
188 # Should never happen
189 echo "Mbed TLS configuration $1 is not defined"
190 exit 1
191 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]192 SKIP_NEXT="YES"
193 fi
194}
195
196requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]197 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]198 if [ -z "$VAL" ]; then
199 # Should never happen
200 echo "Mbed TLS configuration $1 is not defined"
201 exit 1
202 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]203 SKIP_NEXT="YES"
204 fi
205}
206
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]207# skip next test if OpenSSL doesn't support FALLBACK_SCSV
208requires_openssl_with_fallback_scsv() {
209 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
210 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
211 then
212 OPENSSL_HAS_FBSCSV="YES"
213 else
214 OPENSSL_HAS_FBSCSV="NO"
215 fi
216 fi
217 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
218 SKIP_NEXT="YES"
219 fi
220}
221
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]222# skip next test if GnuTLS isn't available
223requires_gnutls() {
224 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]225 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]226 GNUTLS_AVAILABLE="YES"
227 else
228 GNUTLS_AVAILABLE="NO"
229 fi
230 fi
231 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
232 SKIP_NEXT="YES"
233 fi
234}
235
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]236# skip next test if GnuTLS-next isn't available
237requires_gnutls_next() {
238 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
239 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
240 GNUTLS_NEXT_AVAILABLE="YES"
241 else
242 GNUTLS_NEXT_AVAILABLE="NO"
243 fi
244 fi
245 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
246 SKIP_NEXT="YES"
247 fi
248}
249
250# skip next test if OpenSSL-legacy isn't available
251requires_openssl_legacy() {
252 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
253 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
254 OPENSSL_LEGACY_AVAILABLE="YES"
255 else
256 OPENSSL_LEGACY_AVAILABLE="NO"
257 fi
258 fi
259 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
260 SKIP_NEXT="YES"
261 fi
262}
263
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]264# skip next test if IPv6 isn't available on this host
265requires_ipv6() {
266 if [ -z "${HAS_IPV6:-}" ]; then
267 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
268 SRV_PID=$!
269 sleep 1
270 kill $SRV_PID >/dev/null 2>&1
271 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
272 HAS_IPV6="NO"
273 else
274 HAS_IPV6="YES"
275 fi
276 rm -r $SRV_OUT
277 fi
278
279 if [ "$HAS_IPV6" = "NO" ]; then
280 SKIP_NEXT="YES"
281 fi
282}
283
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]284# skip next test if it's i686 or uname is not available
285requires_not_i686() {
286 if [ -z "${IS_I686:-}" ]; then
287 IS_I686="YES"
288 if which "uname" >/dev/null 2>&1; then
289 if [ -z "$(uname -a | grep i686)" ]; then
290 IS_I686="NO"
291 fi
292 fi
293 fi
294 if [ "$IS_I686" = "YES" ]; then
295 SKIP_NEXT="YES"
296 fi
297}
298
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]299# Calculate the input & output maximum content lengths set in the config
Arto Kinnunen78213522019-09-26 11:06:39 +0300[diff] [blame]300MAX_CONTENT_LEN="$( get_config_value_or_default MBEDTLS_SSL_MAX_CONTENT_LEN )"
301if [ -z "$MAX_CONTENT_LEN" ]; then
302 MAX_CONTENT_LEN=16384
303fi
304
305MAX_IN_LEN="$( get_config_value_or_default MBEDTLS_SSL_IN_CONTENT_LEN )"
306if [ -z "$MAX_IN_LEN" ]; then
307 MAX_IN_LEN=$MAX_CONTENT_LEN
308fi
309
310MAX_OUT_LEN="$( get_config_value_or_default MBEDTLS_SSL_OUT_CONTENT_LEN )"
311if [ -z "$MAX_OUT_LEN" ]; then
312 MAX_OUT_LEN=$MAX_CONTENT_LEN
313fi
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]314
315if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
316 MAX_CONTENT_LEN="$MAX_IN_LEN"
317fi
318if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
319 MAX_CONTENT_LEN="$MAX_OUT_LEN"
320fi
321
322# skip the next test if the SSL output buffer is less than 16KB
323requires_full_size_output_buffer() {
324 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
325 SKIP_NEXT="YES"
326 fi
327}
328
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]329# skip the next test if valgrind is in use
330not_with_valgrind() {
331 if [ "$MEMCHECK" -gt 0 ]; then
332 SKIP_NEXT="YES"
333 fi
334}
335
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]336# skip the next test if valgrind is NOT in use
337only_with_valgrind() {
338 if [ "$MEMCHECK" -eq 0 ]; then
339 SKIP_NEXT="YES"
340 fi
341}
342
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]343# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]344client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]345 CLI_DELAY_FACTOR=$1
346}
347
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]348# wait for the given seconds after the client finished in the next test
349server_needs_more_time() {
350 SRV_DELAY_SECONDS=$1
351}
352
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]353# print_name <name>
354print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]355 TESTS=$(( $TESTS + 1 ))
356 LINE=""
357
358 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
359 LINE="$TESTS "
360 fi
361
362 LINE="$LINE$1"
363 printf "$LINE "
364 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]365 for i in `seq 1 $LEN`; do printf '.'; done
366 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]367
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]368}
369
370# fail <message>
371fail() {
372 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]373 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]374
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]375 mv $SRV_OUT o-srv-${TESTS}.log
376 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]377 if [ -n "$PXY_CMD" ]; then
378 mv $PXY_OUT o-pxy-${TESTS}.log
379 fi
380 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]381
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]382 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]383 echo " ! server output:"
384 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]385 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]386 echo " ! client output:"
387 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]388 if [ -n "$PXY_CMD" ]; then
389 echo " ! ========================================================"
390 echo " ! proxy output:"
391 cat o-pxy-${TESTS}.log
392 fi
393 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]394 fi
395
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]396 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]397}
398
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]399# is_polar <cmd_line>
400is_polar() {
401 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
402}
403
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]404# openssl s_server doesn't have -www with DTLS
405check_osrv_dtls() {
406 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
407 NEEDS_INPUT=1
408 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
409 else
410 NEEDS_INPUT=0
411 fi
412}
413
414# provide input to commands that need it
415provide_input() {
416 if [ $NEEDS_INPUT -eq 0 ]; then
417 return
418 fi
419
420 while true; do
421 echo "HTTP/1.0 200 OK"
422 sleep 1
423 done
424}
425
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]426# has_mem_err <log_file_name>
427has_mem_err() {
428 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
429 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
430 then
431 return 1 # false: does not have errors
432 else
433 return 0 # true: has errors
434 fi
435}
436
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]437# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]438if type lsof >/dev/null 2>/dev/null; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]439 wait_app_start() {
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]440 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]441 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]442 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]443 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]444 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]445 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]446 # Make a tight loop, server normally takes less than 1s to start.
447 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
448 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]449 echo "$3 START TIMEOUT"
450 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]451 break
452 fi
453 # Linux and *BSD support decimal arguments to sleep. On other
454 # OSes this may be a tight loop.
455 sleep 0.1 2>/dev/null || true
456 done
457 }
458else
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]459 echo "Warning: lsof not available, wait_app_start = sleep"
460 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]461 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]462 }
463fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]464
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]465# Wait for server process $2 to be listening on port $1.
466wait_server_start() {
467 wait_app_start $1 $2 "SERVER" $SRV_OUT
468}
469
470# Wait for proxy process $2 to be listening on port $1.
471wait_proxy_start() {
472 wait_app_start $1 $2 "PROXY" $PXY_OUT
473}
474
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]475# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]476# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]477# acceptable bounds
478check_server_hello_time() {
479 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]480 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]481 # Get the Unix timestamp for now
482 CUR_TIME=$(date +'%s')
483 THRESHOLD_IN_SECS=300
484
485 # Check if the ServerHello time was printed
486 if [ -z "$SERVER_HELLO_TIME" ]; then
487 return 1
488 fi
489
490 # Check the time in ServerHello is within acceptable bounds
491 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
492 # The time in ServerHello is at least 5 minutes before now
493 return 1
494 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]495 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]496 return 1
497 else
498 return 0
499 fi
500}
501
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]502# wait for client to terminate and set CLI_EXIT
503# must be called right after starting the client
504wait_client_done() {
505 CLI_PID=$!
506
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]507 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
508 CLI_DELAY_FACTOR=1
509
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]510 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]511 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]512
513 wait $CLI_PID
514 CLI_EXIT=$?
515
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]516 kill $DOG_PID >/dev/null 2>&1
517 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]518
519 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]520
521 sleep $SRV_DELAY_SECONDS
522 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]525# check if the given command uses dtls and sets global variable DTLS
526detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]527 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]528 DTLS=1
529 else
530 DTLS=0
531 fi
532}
533
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]534# Strip off a particular parameter from the command line
535# and return its value.
536# Parameter 1: Command line parameter to strip off
537# ENV I/O: CMD command line to search and modify
538extract_cmdline_argument() {
539 __ARG=$(echo "$CMD" | sed -n "s/^.* $1=\([^ ]*\).*$/\1/p")
540 CMD=$(echo "$CMD" | sed "s/$1=\([^ ]*\)//")
541}
542
543# Check compatibility of the ssl_client2/ssl_server2 command-line
544# with a particular compile-time configurable option.
545# Parameter 1: Command-line argument (e.g. extended_ms)
546# Parameter 2: Corresponding compile-time configuration
547# (e.g. MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
548# ENV I/O: CMD command line to search and modify
549# SKIP_NEXT set to "YES" on a mismatch
550check_cmdline_param_compat() {
551 __VAL="$( get_config_value_or_default "$2" )"
552 if [ ! -z "$__VAL" ]; then
553 extract_cmdline_argument "$1"
554 if [ ! -z "$__ARG" ] && [ "$__ARG" != "$__VAL" ]; then
555 SKIP_NEXT="YES"
556 fi
557 fi
558}
559
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]560check_cmdline_check_tls_dtls() {
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]561 detect_dtls "$CMD"
562 if [ "$DTLS" = "0" ]; then
563 requires_config_disabled MBEDTLS_SSL_PROTO_NO_TLS
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]564 elif [ "$DTLS" = "1" ]; then
565 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]566 fi
567}
568
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]569check_cmdline_authmode_compat() {
570 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_AUTHMODE" )"
571 if [ ! -z "$__VAL" ]; then
572 extract_cmdline_argument "auth_mode"
573 if [ "$__ARG" = "none" ] && [ "$__VAL" != "0" ]; then
574 SKIP_NEXT="YES";
575 elif [ "$__ARG" = "optional" ] && [ "$__VAL" != "1" ]; then
576 SKIP_NEXT="YES"
577 elif [ "$__ARG" = "required" ] && [ "$__VAL" != "2" ]; then
578 SKIP_NEXT="YES"
579 fi
580 fi
581}
582
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]583check_cmdline_legacy_renego_compat() {
584 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )"
585 if [ ! -z "$__VAL" ]; then
586 extract_cmdline_argument "allow_legacy"
587 if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then
588 SKIP_NEXT="YES";
589 elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then
590 SKIP_NEXT="YES"
591 elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then
592 SKIP_NEXT="YES"
593 fi
594 fi
595}
596
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]597check_cmdline_min_minor_version_compat() {
598 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
599 if [ ! -z "$__VAL" ]; then
600 extract_cmdline_argument "min_version"
601 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
602 SKIP_NEXT="YES";
603 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
604 SKIP_NEXT="YES"
605 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
606 SKIP_NEXT="YES"
607 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
608 SKIP_NEXT="YES"
609 fi
610 fi
611}
612
613check_cmdline_max_minor_version_compat() {
614 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
615 if [ ! -z "$__VAL" ]; then
616 extract_cmdline_argument "max_version"
617 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
618 SKIP_NEXT="YES";
619 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
620 SKIP_NEXT="YES"
621 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
622 SKIP_NEXT="YES"
623 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
624 SKIP_NEXT="YES"
625 fi
626 fi
627}
628
629check_cmdline_force_version_compat() {
630 __VAL_MAX="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
631 __VAL_MIN="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
632 if [ ! -z "$__VAL_MIN" ]; then
633
634 # SSL cli/srv cmd line
635
636 extract_cmdline_argument "force_version"
637 if [ "$__ARG" = "ssl3" ] && \
638 ( [ "$__VAL_MIN" != "0" ] || [ "$__VAL_MAX" != "0" ] ); then
639 SKIP_NEXT="YES";
640 elif [ "$__ARG" = "tls1" ] && \
641 ( [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ] ); then
642 SKIP_NEXT="YES"
643 elif ( [ "$__ARG" = "tls1_1" ] || [ "$__ARG" = "dtls1" ] ) && \
644 ( [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ] ); then
645 SKIP_NEXT="YES"
646 elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
647 ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
648 echo "FORCE SKIP"
649 SKIP_NEXT="YES"
650 fi
651
652 # OpenSSL cmd line
653
654 if echo "$CMD" | grep -e "-tls1\($\|[^_]\)" > /dev/null; then
655 if [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ]; then
656 SKIP_NEXT="YES"
657 fi
658 fi
659
660 if echo "$CMD" | grep -e "-\(dtls1\($\|[^_]\)\|tls1_1\)" > /dev/null; then
661 if [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ]; then
662 SKIP_NEXT="YES"
663 fi
664 fi
665
666 if echo "$CMD" | grep -e "-\(dtls1_2\($\|[^_]\)\|tls1_2\)" > /dev/null; then
667 if [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ]; then
668 SKIP_NEXT="YES"
669 fi
670 fi
671
672 fi
673}
674
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]675check_cmdline_crt_key_files_compat() {
676
677 # test-ca2.crt
678 if echo "$CMD" | grep -e "test-ca2" > /dev/null; then
679 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
680 fi
681
682 # Variants of server5.key and server5.crt
683 if echo "$CMD" | grep -e "server5" > /dev/null; then
684 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
685 fi
686
687 # Variants of server6.key and server6.crt
688 if echo "$CMD" | grep -e "server6" > /dev/null; then
689 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
690 fi
691
692}
693
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]694# Go through all options that can be hardcoded at compile-time and
695# detect whether the command line configures them in a conflicting
696# way. If so, skip the test. Otherwise, remove the corresponding
697# entry.
698# Parameter 1: Command line to inspect
699# Output: Modified command line
700# ENV I/O: SKIP_TEST set to 1 on mismatch.
701check_cmdline_compat() {
702 CMD="$1"
703
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]704 # Check that if we're specifying particular certificate and/or
705 # ECC key files, the corresponding curve is enabled.
706 check_cmdline_crt_key_files_compat
707
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]708 # ExtendedMasterSecret configuration
709 check_cmdline_param_compat "extended_ms" \
710 "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET"
711 check_cmdline_param_compat "enforce_extended_master_secret" \
712 "MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET"
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]713
714 # DTLS anti replay protection configuration
715 check_cmdline_param_compat "anti_replay" \
716 "MBEDTLS_SSL_CONF_ANTI_REPLAY"
717
Hanno Beckerde671542019-06-12 16:30:46 +0100[diff] [blame]718 # DTLS bad MAC limit
719 check_cmdline_param_compat "badmac_limit" \
720 "MBEDTLS_SSL_CONF_BADMAC_LIMIT"
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]721
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]722 # Skip tests relying on TLS/DTLS in configs that disable it.
723 check_cmdline_check_tls_dtls
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]724
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]725 # Authentication mode
726 check_cmdline_authmode_compat
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]727
728 # Legacy renegotiation
729 check_cmdline_legacy_renego_compat
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]730
731 # Version configuration
732 check_cmdline_min_minor_version_compat
733 check_cmdline_max_minor_version_compat
734 check_cmdline_force_version_compat
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]735}
736
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]737# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]738# Options: -s pattern pattern that must be present in server output
739# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]740# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]741# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]742# -S pattern pattern that must be absent in server output
743# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]744# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]745# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]746run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]747 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]748 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]749
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]750 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
751 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]752 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]753 return
754 fi
755
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]756 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]757
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]758 # Do we only run numbered tests?
759 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
760 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
761 else
762 SKIP_NEXT="YES"
763 fi
764
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]765 # does this test use a proxy?
766 if [ "X$1" = "X-p" ]; then
767 PXY_CMD="$2"
768 shift 2
769 else
770 PXY_CMD=""
771 fi
772
773 # get commands and client output
774 SRV_CMD="$1"
775 CLI_CMD="$2"
776 CLI_EXPECT="$3"
777 shift 3
778
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]779 check_cmdline_compat "$SRV_CMD"
780 SRV_CMD="$CMD"
781
782 check_cmdline_compat "$CLI_CMD"
783 CLI_CMD="$CMD"
784
Hanno Becker7a11e722019-05-10 14:38:42 +0100[diff] [blame]785 # Check if test uses files
786 TEST_USES_FILES=$(echo "$SRV_CMD $CLI_CMD" | grep "\.\(key\|crt\|pem\)" )
787 if [ ! -z "$TEST_USES_FILES" ]; then
788 requires_config_enabled MBEDTLS_FS_IO
789 fi
790
791 # should we skip?
792 if [ "X$SKIP_NEXT" = "XYES" ]; then
793 SKIP_NEXT="NO"
794 echo "SKIP"
795 SKIPS=$(( $SKIPS + 1 ))
796 return
797 fi
798
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]799 # fix client port
800 if [ -n "$PXY_CMD" ]; then
801 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
802 else
803 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
804 fi
805
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]806 # update DTLS variable
807 detect_dtls "$SRV_CMD"
808
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]809 # prepend valgrind to our commands if active
810 if [ "$MEMCHECK" -gt 0 ]; then
811 if is_polar "$SRV_CMD"; then
812 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
813 fi
814 if is_polar "$CLI_CMD"; then
815 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
816 fi
817 fi
818
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]819 TIMES_LEFT=2
820 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]821 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]822
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]823 # run the commands
824 if [ -n "$PXY_CMD" ]; then
825 echo "$PXY_CMD" > $PXY_OUT
826 $PXY_CMD >> $PXY_OUT 2>&1 &
827 PXY_PID=$!
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]828 wait_proxy_start "$PXY_PORT" "$PXY_PID"
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]829 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]830
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]831 check_osrv_dtls
832 echo "$SRV_CMD" > $SRV_OUT
833 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
834 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]835 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]836
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]837 echo "$CLI_CMD" > $CLI_OUT
838 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
839 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]840
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]841 sleep 0.05
842
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]843 # terminate the server (and the proxy)
844 kill $SRV_PID
845 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]846
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]847 if [ -n "$PXY_CMD" ]; then
848 kill $PXY_PID >/dev/null 2>&1
849 wait $PXY_PID
850 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]851
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]852 # retry only on timeouts
853 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
854 printf "RETRY "
855 else
856 TIMES_LEFT=0
857 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]858 done
859
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]860 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]861 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]862 # expected client exit to incorrectly succeed in case of catastrophic
863 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]864 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]865 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]866 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]867 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]868 return
869 fi
870 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]871 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]872 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]873 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]874 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]875 return
876 fi
877 fi
878
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]879 # check server exit code
880 if [ $? != 0 ]; then
881 fail "server fail"
882 return
883 fi
884
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]885 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]886 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
887 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]888 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]889 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]890 return
891 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]892
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]893 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]894 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]895 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]896 while [ $# -gt 0 ]
897 do
898 case $1 in
899 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]900 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]901 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]902 return
903 fi
904 ;;
905
906 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]907 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]908 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]909 return
910 fi
911 ;;
912
913 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]914 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]915 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]916 return
917 fi
918 ;;
919
920 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]921 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]922 fail "pattern '$2' MUST NOT be present in the Client output"
923 return
924 fi
925 ;;
926
927 # The filtering in the following two options (-u and -U) do the following
928 # - ignore valgrind output
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]929 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]930 # - keep one of each non-unique line
931 # - count how many lines remain
932 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
933 # if there were no duplicates.
934 "-U")
935 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
936 fail "lines following pattern '$2' must be unique in Server output"
937 return
938 fi
939 ;;
940
941 "-u")
942 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
943 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]944 return
945 fi
946 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]947 "-F")
948 if ! $2 "$SRV_OUT"; then
949 fail "function call to '$2' failed on Server output"
950 return
951 fi
952 ;;
953 "-f")
954 if ! $2 "$CLI_OUT"; then
955 fail "function call to '$2' failed on Client output"
956 return
957 fi
958 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]959
960 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]961 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]962 exit 1
963 esac
964 shift 2
965 done
966
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]967 # check valgrind's results
968 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]969 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]970 fail "Server has memory errors"
971 return
972 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]973 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]974 fail "Client has memory errors"
975 return
976 fi
977 fi
978
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]979 # if we're here, everything is ok
980 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]981 if [ "$PRESERVE_LOGS" -gt 0 ]; then
982 mv $SRV_OUT o-srv-${TESTS}.log
983 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]984 if [ -n "$PXY_CMD" ]; then
985 mv $PXY_OUT o-pxy-${TESTS}.log
986 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]987 fi
988
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]989 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]990}
991
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]992cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]993 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]994 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
995 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
996 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
997 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]998 exit 1
999}
1000
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]1001#
1002# MAIN
1003#
1004
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]1005get_options "$@"
1006
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1007# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]1008P_SRV_BIN="${P_SRV%%[ ]*}"
1009P_CLI_BIN="${P_CLI%%[ ]*}"
1010P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1011if [ ! -x "$P_SRV_BIN" ]; then
1012 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1013 exit 1
1014fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1015if [ ! -x "$P_CLI_BIN" ]; then
1016 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1017 exit 1
1018fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1019if [ ! -x "$P_PXY_BIN" ]; then
1020 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1021 exit 1
1022fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]1023if [ "$MEMCHECK" -gt 0 ]; then
1024 if which valgrind >/dev/null 2>&1; then :; else
1025 echo "Memcheck not possible. Valgrind not found"
1026 exit 1
1027 fi
1028fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1029if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
1030 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1031 exit 1
1032fi
1033
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]1034# used by watchdog
1035MAIN_PID="$$"
1036
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1037# We use somewhat arbitrary delays for tests:
1038# - how long do we wait for the server to start (when lsof not available)?
1039# - how long do we allow for the client to finish?
1040# (not to check performance, just to avoid waiting indefinitely)
1041# Things are slower with valgrind, so give extra time here.
1042#
1043# Note: without lsof, there is a trade-off between the running time of this
1044# script and the risk of spurious errors because we didn't wait long enough.
1045# The watchdog delay on the other hand doesn't affect normal running time of
1046# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1047if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1048 START_DELAY=6
1049 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1050else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1051 START_DELAY=2
1052 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1053fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1054
1055# some particular tests need more time:
1056# - for the client, we multiply the usual watchdog limit by a factor
1057# - for the server, we sleep for a number of seconds after the client exits
1058# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]1059CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]1060SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1061
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1062# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]1063# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1064P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
1065P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]1066P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]1067O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1068O_CLI="$O_CLI -connect localhost:+SRV_PORT"
1069G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1070G_CLI="$G_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1071
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1072if [ -n "${OPENSSL_LEGACY:-}" ]; then
1073 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
1074 O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
1075fi
1076
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1077if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1078 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
1079fi
1080
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1081if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1082 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1083fi
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1084
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]1085# Allow SHA-1, because many of our test certificates use it
1086P_SRV="$P_SRV allow_sha1=1"
1087P_CLI="$P_CLI allow_sha1=1"
1088
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1089# Also pick a unique name for intermediate files
1090SRV_OUT="srv_out.$$"
1091CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1092PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1093SESSION="session.$$"
1094
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]1095SKIP_NEXT="NO"
1096
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1097trap cleanup INT TERM HUP
1098
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1099# Basic test
1100
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1101run_test "Default" \
1102 "$P_SRV debug_level=3" \
1103 "$P_CLI" \
1104 0
1105
1106run_test "Default, DTLS" \
1107 "$P_SRV dtls=1" \
1108 "$P_CLI dtls=1" \
1109 0
1110
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1111# Checks that:
1112# - things work with all ciphersuites active (used with config-full in all.sh)
1113# - the expected (highest security) parameters are selected
1114# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1115requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1116requires_config_enabled MBEDTLS_SHA512_C
1117requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1118requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1119run_test "Default, choose highest security suite and hash" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1120 "$P_SRV debug_level=3" \
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1121 "$P_CLI" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1122 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1123 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1124 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1125 -s "client hello v3, signature_algorithm ext: 6" \
1126 -s "ECDHE curve: secp521r1" \
1127 -S "error" \
1128 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1129
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1130requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1131requires_config_enabled MBEDTLS_SHA512_C
1132requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1133requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1134run_test "Default, choose highest security suite and hash, DTLS" \
1135 "$P_SRV debug_level=3 dtls=1" \
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1136 "$P_CLI dtls=1" \
1137 0 \
1138 -s "Protocol is DTLSv1.2" \
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1139 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
1140 -s "client hello v3, signature_algorithm ext: 6" \
1141 -s "ECDHE curve: secp521r1"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1142
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1143# Test current time in ServerHello
1144requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1145run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1146 "$P_SRV debug_level=3" \
1147 "$P_CLI debug_level=3" \
1148 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1149 -f "check_server_hello_time" \
1150 -F "check_server_hello_time"
1151
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1152# Test for uniqueness of IVs in AEAD ciphersuites
1153run_test "Unique IV in GCM" \
1154 "$P_SRV exchanges=20 debug_level=4" \
1155 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1156 0 \
1157 -u "IV used" \
1158 -U "IV used"
1159
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1160# Tests for rc4 option
1161
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1162requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1163run_test "RC4: server disabled, client enabled" \
1164 "$P_SRV" \
1165 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1166 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1167 -s "SSL - The server has no ciphersuites in common"
1168
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1169requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1170run_test "RC4: server half, client enabled" \
1171 "$P_SRV arc4=1" \
1172 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1173 1 \
1174 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1175
1176run_test "RC4: server enabled, client disabled" \
1177 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1178 "$P_CLI" \
1179 1 \
1180 -s "SSL - The server has no ciphersuites in common"
1181
1182run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1183 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1184 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1185 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1186 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1187 -S "SSL - The server has no ciphersuites in common"
1188
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1189# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
1190
1191requires_gnutls
1192requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
1193run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
1194 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1195 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1196 0
1197
1198requires_gnutls
1199requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
1200run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
1201 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1202 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1203 0
1204
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1205# Tests for SHA-1 support
1206
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1207requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1208requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1209requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1210run_test "SHA-1 forbidden by default in server certificate" \
1211 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1212 "$P_CLI debug_level=2 allow_sha1=0" \
1213 1 \
1214 -c "The certificate is signed with an unacceptable hash"
1215
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1216requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1217run_test "SHA-1 forbidden by default in server certificate" \
1218 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1219 "$P_CLI debug_level=2 allow_sha1=0" \
1220 0
1221
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1222run_test "SHA-1 explicitly allowed in server certificate" \
1223 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1224 "$P_CLI allow_sha1=1" \
1225 0
1226
1227run_test "SHA-256 allowed by default in server certificate" \
1228 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
1229 "$P_CLI allow_sha1=0" \
1230 0
1231
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1232requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1233requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1234requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1235run_test "SHA-1 forbidden by default in client certificate" \
1236 "$P_SRV auth_mode=required allow_sha1=0" \
1237 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1238 1 \
1239 -s "The certificate is signed with an unacceptable hash"
1240
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1241requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1242run_test "SHA-1 forbidden by default in client certificate" \
1243 "$P_SRV auth_mode=required allow_sha1=0" \
1244 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1245 0
1246
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1247run_test "SHA-1 explicitly allowed in client certificate" \
1248 "$P_SRV auth_mode=required allow_sha1=1" \
1249 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1250 0
1251
1252run_test "SHA-256 allowed by default in client certificate" \
1253 "$P_SRV auth_mode=required allow_sha1=0" \
1254 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
1255 0
1256
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1257# Tests for datagram packing
1258run_test "DTLS: multiple records in same datagram, client and server" \
1259 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1260 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1261 0 \
1262 -c "next record in same datagram" \
1263 -s "next record in same datagram"
1264
1265run_test "DTLS: multiple records in same datagram, client only" \
1266 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1267 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1268 0 \
1269 -s "next record in same datagram" \
1270 -C "next record in same datagram"
1271
1272run_test "DTLS: multiple records in same datagram, server only" \
1273 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1274 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1275 0 \
1276 -S "next record in same datagram" \
1277 -c "next record in same datagram"
1278
1279run_test "DTLS: multiple records in same datagram, neither client nor server" \
1280 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1281 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1282 0 \
1283 -S "next record in same datagram" \
1284 -C "next record in same datagram"
1285
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1286# Tests for Truncated HMAC extension
1287
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1288run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1289 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1290 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1291 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1292 -s "dumping 'expected mac' (20 bytes)" \
1293 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1294
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1295requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1296run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1297 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1298 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1299 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1300 -s "dumping 'expected mac' (20 bytes)" \
1301 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1302
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1303requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1304run_test "Truncated HMAC: client enabled, server default" \
1305 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1306 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1307 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1308 -s "dumping 'expected mac' (20 bytes)" \
1309 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1310
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1311requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1312run_test "Truncated HMAC: client enabled, server disabled" \
1313 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1314 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1315 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1316 -s "dumping 'expected mac' (20 bytes)" \
1317 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1318
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1319requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1320run_test "Truncated HMAC: client disabled, server enabled" \
1321 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1322 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1323 0 \
1324 -s "dumping 'expected mac' (20 bytes)" \
1325 -S "dumping 'expected mac' (10 bytes)"
1326
1327requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1328run_test "Truncated HMAC: client enabled, server enabled" \
1329 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1330 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1331 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1332 -S "dumping 'expected mac' (20 bytes)" \
1333 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1334
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1335run_test "Truncated HMAC, DTLS: client default, server default" \
1336 "$P_SRV dtls=1 debug_level=4" \
1337 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1338 0 \
1339 -s "dumping 'expected mac' (20 bytes)" \
1340 -S "dumping 'expected mac' (10 bytes)"
1341
1342requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1343run_test "Truncated HMAC, DTLS: client disabled, server default" \
1344 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1345 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1346 0 \
1347 -s "dumping 'expected mac' (20 bytes)" \
1348 -S "dumping 'expected mac' (10 bytes)"
1349
1350requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1351run_test "Truncated HMAC, DTLS: client enabled, server default" \
1352 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1353 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1354 0 \
1355 -s "dumping 'expected mac' (20 bytes)" \
1356 -S "dumping 'expected mac' (10 bytes)"
1357
1358requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1359run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1360 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1361 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1362 0 \
1363 -s "dumping 'expected mac' (20 bytes)" \
1364 -S "dumping 'expected mac' (10 bytes)"
1365
1366requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1367run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1368 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1369 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1370 0 \
1371 -s "dumping 'expected mac' (20 bytes)" \
1372 -S "dumping 'expected mac' (10 bytes)"
1373
1374requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1375run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1376 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1377 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1378 0 \
1379 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1380 -s "dumping 'expected mac' (10 bytes)"
1381
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1382# Tests for Context serialization
1383
1384requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1385run_test "Context serialization, client serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1386 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1387 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1388 0 \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1389 -c "Deserializing connection..." \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1390 -S "Deserializing connection..."
1391
1392requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1393run_test "Context serialization, client serializes, ChaChaPoly" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1394 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1395 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1396 0 \
1397 -c "Deserializing connection..." \
1398 -S "Deserializing connection..."
1399
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1400requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1401run_test "Context serialization, client serializes, GCM" \
1402 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1403 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1404 0 \
1405 -c "Deserializing connection..." \
1406 -S "Deserializing connection..."
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1407
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1408requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1409requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1410run_test "Context serialization, client serializes, with CID" \
1411 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1412 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1413 0 \
1414 -c "Deserializing connection..." \
1415 -S "Deserializing connection..."
1416
1417requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1418run_test "Context serialization, server serializes, CCM" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1419 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1420 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1421 0 \
1422 -C "Deserializing connection..." \
1423 -s "Deserializing connection..."
1424
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1425requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1426run_test "Context serialization, server serializes, ChaChaPoly" \
1427 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1428 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1429 0 \
1430 -C "Deserializing connection..." \
1431 -s "Deserializing connection..."
1432
1433requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1434run_test "Context serialization, server serializes, GCM" \
1435 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1436 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1437 0 \
1438 -C "Deserializing connection..." \
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1439 -s "Deserializing connection..."
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1440
1441requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1442requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1443run_test "Context serialization, server serializes, with CID" \
1444 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1445 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1446 0 \
1447 -C "Deserializing connection..." \
1448 -s "Deserializing connection..."
1449
1450requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1451run_test "Context serialization, both serialize, CCM" \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1452 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1453 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1454 0 \
1455 -c "Deserializing connection..." \
1456 -s "Deserializing connection..."
1457
1458requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1459run_test "Context serialization, both serialize, ChaChaPoly" \
1460 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1461 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1462 0 \
1463 -c "Deserializing connection..." \
1464 -s "Deserializing connection..."
1465
1466requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1467run_test "Context serialization, both serialize, GCM" \
1468 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1469 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1470 0 \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1471 -c "Deserializing connection..." \
1472 -s "Deserializing connection..."
1473
1474requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1475requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1476run_test "Context serialization, both serialize, with CID" \
1477 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1478 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1479 0 \
1480 -c "Deserializing connection..." \
1481 -s "Deserializing connection..."
1482
1483requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1484run_test "Context serialization, re-init, client serializes, CCM" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1485 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1486 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1487 0 \
1488 -c "Deserializing connection..." \
1489 -S "Deserializing connection..."
1490
1491requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1492run_test "Context serialization, re-init, client serializes, ChaChaPoly" \
1493 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1494 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1495 0 \
1496 -c "Deserializing connection..." \
1497 -S "Deserializing connection..."
1498
1499requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1500run_test "Context serialization, re-init, client serializes, GCM" \
1501 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1502 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1503 0 \
1504 -c "Deserializing connection..." \
1505 -S "Deserializing connection..."
1506
1507requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1508requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1509run_test "Context serialization, re-init, client serializes, with CID" \
1510 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1511 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1512 0 \
1513 -c "Deserializing connection..." \
1514 -S "Deserializing connection..."
1515
1516requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1517run_test "Context serialization, re-init, server serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1518 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1519 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1520 0 \
1521 -C "Deserializing connection..." \
1522 -s "Deserializing connection..."
1523
1524requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1525run_test "Context serialization, re-init, server serializes, ChaChaPoly" \
1526 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1527 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1528 0 \
1529 -C "Deserializing connection..." \
1530 -s "Deserializing connection..."
1531
1532requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1533run_test "Context serialization, re-init, server serializes, GCM" \
1534 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1535 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1536 0 \
1537 -C "Deserializing connection..." \
1538 -s "Deserializing connection..."
1539
1540requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1541requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1542run_test "Context serialization, re-init, server serializes, with CID" \
1543 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1544 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1545 0 \
1546 -C "Deserializing connection..." \
1547 -s "Deserializing connection..."
1548
1549requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1550run_test "Context serialization, re-init, both serialize, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1551 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1552 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1553 0 \
1554 -c "Deserializing connection..." \
1555 -s "Deserializing connection..."
1556
1557requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1558run_test "Context serialization, re-init, both serialize, ChaChaPoly" \
1559 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1560 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1561 0 \
1562 -c "Deserializing connection..." \
1563 -s "Deserializing connection..."
1564
1565requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1566run_test "Context serialization, re-init, both serialize, GCM" \
1567 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1568 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1569 0 \
1570 -c "Deserializing connection..." \
1571 -s "Deserializing connection..."
1572
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1573requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1574requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1575run_test "Context serialization, re-init, both serialize, with CID" \
1576 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1577 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1578 0 \
1579 -c "Deserializing connection..." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1580 -s "Deserializing connection..."
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1581
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1582# Tests for DTLS Connection ID extension
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1583
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1584# So far, the CID API isn't implemented, so we can't
1585# grep for output witnessing its use. This needs to be
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1586# changed once the CID extension is implemented.
Hanno Beckerad8e2c92019-05-08 13:19:53 +0100[diff] [blame]1587
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1588requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1589run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1590 "$P_SRV debug_level=3 dtls=1 cid=0" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1591 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1592 0 \
1593 -s "Disable use of CID extension." \
1594 -s "found CID extension" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1595 -s "Client sent CID extension, but CID disabled" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1596 -c "Enable use of CID extension." \
1597 -c "client hello, adding CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1598 -S "server hello, adding CID extension" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1599 -C "found CID extension" \
1600 -S "Copy CIDs into SSL transform" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1601 -C "Copy CIDs into SSL transform" \
1602 -c "Use of Connection ID was rejected by the server"
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1603
1604requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1605run_test "Connection ID: Cli disabled, Srv enabled" \
1606 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1607 "$P_CLI debug_level=3 dtls=1 cid=0" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1608 0 \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1609 -c "Disable use of CID extension." \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1610 -C "client hello, adding CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1611 -S "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1612 -s "Enable use of CID extension." \
1613 -S "server hello, adding CID extension" \
1614 -C "found CID extension" \
1615 -S "Copy CIDs into SSL transform" \
1616 -C "Copy CIDs into SSL transform" \
1617 -s "Use of Connection ID was not offered by client"
1618
1619requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1620run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
1621 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1622 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
1623 0 \
1624 -c "Enable use of CID extension." \
1625 -s "Enable use of CID extension." \
1626 -c "client hello, adding CID extension" \
1627 -s "found CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1628 -s "Use of CID extension negotiated" \
1629 -s "server hello, adding CID extension" \
1630 -c "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1631 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1632 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1633 -c "Copy CIDs into SSL transform" \
1634 -c "Peer CID (length 2 Bytes): de ad" \
1635 -s "Peer CID (length 2 Bytes): be ef" \
1636 -s "Use of Connection ID has been negotiated" \
1637 -c "Use of Connection ID has been negotiated"
1638
1639requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1640run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
1641 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
1642 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
1643 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
1644 0 \
1645 -c "Enable use of CID extension." \
1646 -s "Enable use of CID extension." \
1647 -c "client hello, adding CID extension" \
1648 -s "found CID extension" \
1649 -s "Use of CID extension negotiated" \
1650 -s "server hello, adding CID extension" \
1651 -c "found CID extension" \
1652 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1653 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1654 -c "Copy CIDs into SSL transform" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1655 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1656 -s "Peer CID (length 2 Bytes): be ef" \
1657 -s "Use of Connection ID has been negotiated" \
1658 -c "Use of Connection ID has been negotiated" \
1659 -c "ignoring unexpected CID" \
1660 -s "ignoring unexpected CID"
1661
1662requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1663run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
1664 -p "$P_PXY mtu=800" \
1665 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1666 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1667 0 \
1668 -c "Enable use of CID extension." \
1669 -s "Enable use of CID extension." \
1670 -c "client hello, adding CID extension" \
1671 -s "found CID extension" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1672 -s "Use of CID extension negotiated" \
1673 -s "server hello, adding CID extension" \
1674 -c "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1675 -c "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1676 -s "Copy CIDs into SSL transform" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1677 -c "Copy CIDs into SSL transform" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1678 -c "Peer CID (length 2 Bytes): de ad" \
1679 -s "Peer CID (length 2 Bytes): be ef" \
1680 -s "Use of Connection ID has been negotiated" \
1681 -c "Use of Connection ID has been negotiated"
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1682
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1683requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1684run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1685 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1686 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1687 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1688 0 \
1689 -c "Enable use of CID extension." \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1690 -s "Enable use of CID extension." \
1691 -c "client hello, adding CID extension" \
1692 -s "found CID extension" \
1693 -s "Use of CID extension negotiated" \
1694 -s "server hello, adding CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1695 -c "found CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1696 -c "Use of CID extension negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1697 -s "Copy CIDs into SSL transform" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1698 -c "Copy CIDs into SSL transform" \
1699 -c "Peer CID (length 2 Bytes): de ad" \
1700 -s "Peer CID (length 2 Bytes): be ef" \
1701 -s "Use of Connection ID has been negotiated" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1702 -c "Use of Connection ID has been negotiated" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1703 -c "ignoring unexpected CID" \
1704 -s "ignoring unexpected CID"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1705
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1706requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1707run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1708 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1709 "$P_CLI debug_level=3 dtls=1 cid=1" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1710 0 \
1711 -c "Enable use of CID extension." \
1712 -s "Enable use of CID extension." \
1713 -c "client hello, adding CID extension" \
1714 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1715 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1716 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1717 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1718 -c "Use of CID extension negotiated" \
1719 -s "Copy CIDs into SSL transform" \
1720 -c "Copy CIDs into SSL transform" \
1721 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1722 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1723 -s "Use of Connection ID has been negotiated" \
1724 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1725
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1726requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1727run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1728 "$P_SRV debug_level=3 dtls=1 cid=1" \
1729 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1730 0 \
1731 -c "Enable use of CID extension." \
1732 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1733 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1734 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1735 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1736 -s "server hello, adding CID extension" \
1737 -c "found CID extension" \
1738 -c "Use of CID extension negotiated" \
1739 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1740 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1741 -s "Peer CID (length 4 Bytes): de ad be ef" \
1742 -c "Peer CID (length 0 Bytes):" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1743 -s "Use of Connection ID has been negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1744 -c "Use of Connection ID has been negotiated"
1745
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1746requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1747run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1748 "$P_SRV debug_level=3 dtls=1 cid=1" \
1749 "$P_CLI debug_level=3 dtls=1 cid=1" \
1750 0 \
1751 -c "Enable use of CID extension." \
1752 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1753 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1754 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1755 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1756 -s "server hello, adding CID extension" \
1757 -c "found CID extension" \
1758 -c "Use of CID extension negotiated" \
1759 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1760 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1761 -S "Use of Connection ID has been negotiated" \
1762 -C "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1763
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1764requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1765run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1766 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1767 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1768 0 \
1769 -c "Enable use of CID extension." \
1770 -s "Enable use of CID extension." \
1771 -c "client hello, adding CID extension" \
1772 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1773 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1774 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1775 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1776 -c "Use of CID extension negotiated" \
1777 -s "Copy CIDs into SSL transform" \
1778 -c "Copy CIDs into SSL transform" \
1779 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1780 -s "Peer CID (length 2 Bytes): be ef" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1781 -s "Use of Connection ID has been negotiated" \
1782 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1783
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1784requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1785run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1786 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1787 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1788 0 \
1789 -c "Enable use of CID extension." \
1790 -s "Enable use of CID extension." \
1791 -c "client hello, adding CID extension" \
1792 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1793 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1794 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1795 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1796 -c "Use of CID extension negotiated" \
1797 -s "Copy CIDs into SSL transform" \
1798 -c "Copy CIDs into SSL transform" \
1799 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1800 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1801 -s "Use of Connection ID has been negotiated" \
1802 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1803
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1804requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1805run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1806 "$P_SRV debug_level=3 dtls=1 cid=1" \
1807 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1808 0 \
1809 -c "Enable use of CID extension." \
1810 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1811 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1812 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1813 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1814 -s "server hello, adding CID extension" \
1815 -c "found CID extension" \
1816 -c "Use of CID extension negotiated" \
1817 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1818 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1819 -s "Peer CID (length 4 Bytes): de ad be ef" \
1820 -c "Peer CID (length 0 Bytes):" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1821 -s "Use of Connection ID has been negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1822 -c "Use of Connection ID has been negotiated"
1823
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1824requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1825run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1826 "$P_SRV debug_level=3 dtls=1 cid=1" \
1827 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1828 0 \
1829 -c "Enable use of CID extension." \
1830 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1831 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1832 -s "found CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1833 -s "Use of CID extension negotiated" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1834 -s "server hello, adding CID extension" \
1835 -c "found CID extension" \
1836 -c "Use of CID extension negotiated" \
1837 -s "Copy CIDs into SSL transform" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1838 -c "Copy CIDs into SSL transform" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1839 -S "Use of Connection ID has been negotiated" \
1840 -C "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1841
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1842requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1843run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1844 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1845 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1846 0 \
1847 -c "Enable use of CID extension." \
1848 -s "Enable use of CID extension." \
1849 -c "client hello, adding CID extension" \
1850 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1851 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1852 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1853 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1854 -c "Use of CID extension negotiated" \
1855 -s "Copy CIDs into SSL transform" \
1856 -c "Copy CIDs into SSL transform" \
1857 -c "Peer CID (length 2 Bytes): de ad" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1858 -s "Peer CID (length 2 Bytes): be ef" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1859 -s "Use of Connection ID has been negotiated" \
1860 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1861
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1862requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1863run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1864 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1865 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1866 0 \
1867 -c "Enable use of CID extension." \
1868 -s "Enable use of CID extension." \
1869 -c "client hello, adding CID extension" \
1870 -s "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1871 -s "Use of CID extension negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1872 -s "server hello, adding CID extension" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1873 -c "found CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1874 -c "Use of CID extension negotiated" \
1875 -s "Copy CIDs into SSL transform" \
1876 -c "Copy CIDs into SSL transform" \
1877 -c "Peer CID (length 4 Bytes): de ad be ef" \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1878 -s "Peer CID (length 0 Bytes):" \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1879 -s "Use of Connection ID has been negotiated" \
1880 -c "Use of Connection ID has been negotiated"
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1881
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1882requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1883run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1884 "$P_SRV debug_level=3 dtls=1 cid=1" \
1885 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1886 0 \
1887 -c "Enable use of CID extension." \
1888 -s "Enable use of CID extension." \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1889 -c "client hello, adding CID extension" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1890 -s "found CID extension" \
Hanno Becker963cb352019-04-23 11:52:44 +0100[diff] [blame]1891 -s "Use of CID extension negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1892 -s "server hello, adding CID extension" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1893 -c "found CID extension" \
1894 -c "Use of CID extension negotiated" \
1895 -s "Copy CIDs into SSL transform" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1896 -c "Copy CIDs into SSL transform" \
1897 -s "Peer CID (length 4 Bytes): de ad be ef" \
1898 -c "Peer CID (length 0 Bytes):" \
1899 -s "Use of Connection ID has been negotiated" \
1900 -c "Use of Connection ID has been negotiated"
1901
1902requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1903run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
1904 "$P_SRV debug_level=3 dtls=1 cid=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1905 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1906 0 \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1907 -c "Enable use of CID extension." \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1908 -s "Enable use of CID extension." \
1909 -c "client hello, adding CID extension" \
1910 -s "found CID extension" \
1911 -s "Use of CID extension negotiated" \
1912 -s "server hello, adding CID extension" \
1913 -c "found CID extension" \
1914 -c "Use of CID extension negotiated" \
1915 -s "Copy CIDs into SSL transform" \
1916 -c "Copy CIDs into SSL transform" \
1917 -S "Use of Connection ID has been negotiated" \
1918 -C "Use of Connection ID has been negotiated"
1919
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1920requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1921requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1922run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
1923 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
1924 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
1925 0 \
1926 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1927 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1928 -s "(initial handshake) Use of Connection ID has been negotiated" \
1929 -c "(initial handshake) Use of Connection ID has been negotiated" \
1930 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1931 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1932 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1933 -c "(after renegotiation) Use of Connection ID has been negotiated"
1934
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1935requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1936requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1937run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1938 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1939 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1940 0 \
1941 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1942 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1943 -s "(initial handshake) Use of Connection ID has been negotiated" \
1944 -c "(initial handshake) Use of Connection ID has been negotiated" \
1945 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1946 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1947 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1948 -c "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1949
1950requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1951requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1952run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1953 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1954 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1955 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1956 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1957 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1958 -s "(initial handshake) Use of Connection ID has been negotiated" \
1959 -c "(initial handshake) Use of Connection ID has been negotiated" \
1960 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1961 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1962 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1963 -c "(after renegotiation) Use of Connection ID has been negotiated"
1964
1965requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1966requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1967run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1968 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]1969 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1970 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1971 0 \
1972 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1973 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1974 -s "(initial handshake) Use of Connection ID has been negotiated" \
1975 -c "(initial handshake) Use of Connection ID has been negotiated" \
1976 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1977 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1978 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1979 -c "(after renegotiation) Use of Connection ID has been negotiated" \
1980 -c "ignoring unexpected CID" \
1981 -s "ignoring unexpected CID"
1982
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1983requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]1984requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1985run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1986 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1987 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1988 0 \
1989 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1990 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1991 -s "(initial handshake) Use of Connection ID has been negotiated" \
1992 -c "(initial handshake) Use of Connection ID has been negotiated" \
1993 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1994 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1995 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1996 -S "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1997
1998requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1999requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2000run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2001 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2002 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2003 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2004 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2005 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2006 -s "(initial handshake) Use of Connection ID has been negotiated" \
2007 -c "(initial handshake) Use of Connection ID has been negotiated" \
2008 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2009 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2010 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2011 -S "(after renegotiation) Use of Connection ID has been negotiated"
2012
2013requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2014requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2015run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2016 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
2017 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2018 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2019 0 \
2020 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2021 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2022 -s "(initial handshake) Use of Connection ID has been negotiated" \
2023 -c "(initial handshake) Use of Connection ID has been negotiated" \
2024 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2025 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2026 -C "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2027 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2028 -c "ignoring unexpected CID" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2029 -s "ignoring unexpected CID"
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2030
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2031requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2032requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2033run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
2034 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2035 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2036 0 \
2037 -S "(initial handshake) Use of Connection ID has been negotiated" \
2038 -C "(initial handshake) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2039 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2040 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2041 -c "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2042 -s "(after renegotiation) Use of Connection ID has been negotiated"
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2043
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2044requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2045requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2046run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
2047 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2048 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2049 0 \
2050 -S "(initial handshake) Use of Connection ID has been negotiated" \
2051 -C "(initial handshake) Use of Connection ID has been negotiated" \
2052 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2053 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2054 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2055 -s "(after renegotiation) Use of Connection ID has been negotiated"
2056
2057requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2058requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2059run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2060 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2061 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2062 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2063 0 \
2064 -S "(initial handshake) Use of Connection ID has been negotiated" \
2065 -C "(initial handshake) Use of Connection ID has been negotiated" \
2066 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2067 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2068 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2069 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2070 -c "ignoring unexpected CID" \
2071 -s "ignoring unexpected CID"
2072
2073requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2074requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2075run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
2076 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2077 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2078 0 \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2079 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2080 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2081 -s "(initial handshake) Use of Connection ID has been negotiated" \
2082 -c "(initial handshake) Use of Connection ID has been negotiated" \
2083 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2084 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2085 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2086 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2087 -s "(after renegotiation) Use of Connection ID was not offered by client"
2088
2089requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2090requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2091run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
2092 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
2093 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2094 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2095 0 \
2096 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2097 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2098 -s "(initial handshake) Use of Connection ID has been negotiated" \
2099 -c "(initial handshake) Use of Connection ID has been negotiated" \
2100 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2101 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2102 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2103 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2104 -s "(after renegotiation) Use of Connection ID was not offered by client" \
2105 -c "ignoring unexpected CID" \
2106 -s "ignoring unexpected CID"
2107
2108requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2109requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2110run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
2111 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]2112 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2113 0 \
2114 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2115 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2116 -s "(initial handshake) Use of Connection ID has been negotiated" \
2117 -c "(initial handshake) Use of Connection ID has been negotiated" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2118 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2119 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2120 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2121 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2122 -c "(after renegotiation) Use of Connection ID was rejected by the server"
2123
2124requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2125requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2126run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
2127 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2128 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2129 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2130 0 \
2131 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2132 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2133 -s "(initial handshake) Use of Connection ID has been negotiated" \
2134 -c "(initial handshake) Use of Connection ID has been negotiated" \
2135 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2136 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2137 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2138 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2139 -c "(after renegotiation) Use of Connection ID was rejected by the server" \
2140 -c "ignoring unexpected CID" \
2141 -s "ignoring unexpected CID"
2142
2143# Tests for Encrypt-then-MAC extension
2144
2145run_test "Encrypt then MAC: default" \
2146 "$P_SRV debug_level=3 \
2147 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2148 "$P_CLI debug_level=3" \
2149 0 \
2150 -c "client hello, adding encrypt_then_mac extension" \
2151 -s "found encrypt then mac extension" \
2152 -s "server hello, adding encrypt then mac extension" \
2153 -c "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2154 -c "using encrypt then mac" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2155 -s "using encrypt then mac"
2156
2157run_test "Encrypt then MAC: client enabled, server disabled" \
2158 "$P_SRV debug_level=3 etm=0 \
2159 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2160 "$P_CLI debug_level=3 etm=1" \
2161 0 \
2162 -c "client hello, adding encrypt_then_mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2163 -s "found encrypt then mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2164 -S "server hello, adding encrypt then mac extension" \
2165 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2166 -C "using encrypt then mac" \
2167 -S "using encrypt then mac"
2168
2169run_test "Encrypt then MAC: client enabled, aead cipher" \
2170 "$P_SRV debug_level=3 etm=1 \
2171 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
2172 "$P_CLI debug_level=3 etm=1" \
2173 0 \
2174 -c "client hello, adding encrypt_then_mac extension" \
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2175 -s "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2176 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2177 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2178 -C "using encrypt then mac" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2179 -S "using encrypt then mac"
2180
2181run_test "Encrypt then MAC: client enabled, stream cipher" \
2182 "$P_SRV debug_level=3 etm=1 \
2183 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2184 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2185 0 \
2186 -c "client hello, adding encrypt_then_mac extension" \
2187 -s "found encrypt then mac extension" \
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2188 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2189 -C "found encrypt_then_mac extension" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2190 -C "using encrypt then mac" \
2191 -S "using encrypt then mac"
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2192
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2193run_test "Encrypt then MAC: client disabled, server enabled" \
2194 "$P_SRV debug_level=3 etm=1 \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2195 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2196 "$P_CLI debug_level=3 etm=0" \
2197 0 \
2198 -C "client hello, adding encrypt_then_mac extension" \
2199 -S "found encrypt then mac extension" \
2200 -S "server hello, adding encrypt then mac extension" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2201 -C "found encrypt_then_mac extension" \
2202 -C "using encrypt then mac" \
Jarno Lamsa31d940b2019-06-12 10:21:33 +0300[diff] [blame]2203 -S "using encrypt then mac"
2204
2205requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2206run_test "Encrypt then MAC: client SSLv3, server enabled" \
2207 "$P_SRV debug_level=3 min_version=ssl3 \
2208 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2209 "$P_CLI debug_level=3 force_version=ssl3" \
2210 0 \
2211 -C "client hello, adding encrypt_then_mac extension" \
2212 -S "found encrypt then mac extension" \
2213 -S "server hello, adding encrypt then mac extension" \
2214 -C "found encrypt_then_mac extension" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2215 -C "using encrypt then mac" \
2216 -S "using encrypt then mac"
2217
2218requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2219run_test "Encrypt then MAC: client enabled, server SSLv3" \
2220 "$P_SRV debug_level=3 force_version=ssl3 \
2221 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2222 "$P_CLI debug_level=3 min_version=ssl3" \
2223 0 \
2224 -c "client hello, adding encrypt_then_mac extension" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2225 -S "found encrypt then mac extension" \
2226 -S "server hello, adding encrypt then mac extension" \
2227 -C "found encrypt_then_mac extension" \
2228 -C "using encrypt then mac" \
2229 -S "using encrypt then mac"
2230
2231# Tests for Extended Master Secret extension
2232
2233run_test "Extended Master Secret: default (not enforcing)" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2234 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0 " \
2235 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]2236 0 \
2237 -c "client hello, adding extended_master_secret extension" \
2238 -s "found extended master secret extension" \
2239 -s "server hello, adding extended master secret extension" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2240 -c "found extended_master_secret extension" \
2241 -c "session hash for extended master secret" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2242 -s "session hash for extended master secret"
2243
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2244run_test "Extended Master Secret: both enabled, both enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2245 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2246 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2247 0 \
2248 -c "client hello, adding extended_master_secret extension" \
2249 -s "found extended master secret extension" \
2250 -s "server hello, adding extended master secret extension" \
2251 -c "found extended_master_secret extension" \
2252 -c "session hash for extended master secret" \
2253 -s "session hash for extended master secret"
2254
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2255run_test "Extended Master Secret: both enabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2256 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2257 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2258 0 \
2259 -c "client hello, adding extended_master_secret extension" \
2260 -s "found extended master secret extension" \
2261 -s "server hello, adding extended master secret extension" \
2262 -c "found extended_master_secret extension" \
2263 -c "session hash for extended master secret" \
2264 -s "session hash for extended master secret"
2265
2266run_test "Extended Master Secret: both enabled, server enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2267 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2268 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2269 0 \
2270 -c "client hello, adding extended_master_secret extension" \
2271 -s "found extended master secret extension" \
2272 -s "server hello, adding extended master secret extension" \
2273 -c "found extended_master_secret extension" \
2274 -c "session hash for extended master secret" \
2275 -s "session hash for extended master secret"
2276
2277run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2278 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2279 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2280 1 \
2281 -c "client hello, adding extended_master_secret extension" \
2282 -s "found extended master secret extension" \
2283 -S "server hello, adding extended master secret extension" \
2284 -C "found extended_master_secret extension" \
2285 -c "Peer not offering extended master secret, while it is enforced"
2286
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2287run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2288 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2289 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2290 1 \
2291 -C "client hello, adding extended_master_secret extension" \
2292 -S "found extended master secret extension" \
2293 -S "server hello, adding extended master secret extension" \
2294 -C "found extended_master_secret extension" \
2295 -s "Peer not offering extended master secret, while it is enforced"
2296
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2297run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2298 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2299 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2300 0 \
2301 -c "client hello, adding extended_master_secret extension" \
2302 -s "found extended master secret extension" \
2303 -S "server hello, adding extended master secret extension" \
2304 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2305 -C "session hash for extended master secret" \
2306 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2307
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2308run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2309 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2310 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2311 0 \
2312 -C "client hello, adding extended_master_secret extension" \
2313 -S "found extended master secret extension" \
2314 -S "server hello, adding extended master secret extension" \
2315 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2316 -C "session hash for extended master secret" \
2317 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2318
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2319run_test "Extended Master Secret: client disabled, server disabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2320 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2321 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2322 0 \
2323 -C "client hello, adding extended_master_secret extension" \
2324 -S "found extended master secret extension" \
2325 -S "server hello, adding extended master secret extension" \
2326 -C "found extended_master_secret extension" \
2327 -C "session hash for extended master secret" \
2328 -S "session hash for extended master secret"
2329
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2330requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2331run_test "Extended Master Secret: client SSLv3, server enabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2332 "$P_SRV debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2333 "$P_CLI debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2334 0 \
2335 -C "client hello, adding extended_master_secret extension" \
2336 -S "found extended master secret extension" \
2337 -S "server hello, adding extended master secret extension" \
2338 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2339 -C "session hash for extended master secret" \
2340 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2341
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2342requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2343run_test "Extended Master Secret: client enabled, server SSLv3" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2344 "$P_SRV debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2345 "$P_CLI debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2346 0 \
2347 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2348 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2349 -S "server hello, adding extended master secret extension" \
2350 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2351 -C "session hash for extended master secret" \
2352 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2353
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2354# Tests for FALLBACK_SCSV
2355
2356run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2357 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2358 "$P_CLI debug_level=3 force_version=tls1_1" \
2359 0 \
2360 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2361 -S "received FALLBACK_SCSV" \
2362 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2363 -C "is a fatal alert message (msg 86)"
2364
2365run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2366 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2367 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2368 0 \
2369 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2370 -S "received FALLBACK_SCSV" \
2371 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2372 -C "is a fatal alert message (msg 86)"
2373
2374run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2375 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2376 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2377 1 \
2378 -c "adding FALLBACK_SCSV" \
2379 -s "received FALLBACK_SCSV" \
2380 -s "inapropriate fallback" \
2381 -c "is a fatal alert message (msg 86)"
2382
2383run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2384 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2385 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2386 0 \
2387 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2388 -s "received FALLBACK_SCSV" \
2389 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2390 -C "is a fatal alert message (msg 86)"
2391
2392requires_openssl_with_fallback_scsv
2393run_test "Fallback SCSV: default, openssl server" \
2394 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2395 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2396 0 \
2397 -C "adding FALLBACK_SCSV" \
2398 -C "is a fatal alert message (msg 86)"
2399
2400requires_openssl_with_fallback_scsv
2401run_test "Fallback SCSV: enabled, openssl server" \
2402 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2403 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2404 1 \
2405 -c "adding FALLBACK_SCSV" \
2406 -c "is a fatal alert message (msg 86)"
2407
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2408requires_openssl_with_fallback_scsv
2409run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2410 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2411 "$O_CLI -tls1_1" \
2412 0 \
2413 -S "received FALLBACK_SCSV" \
2414 -S "inapropriate fallback"
2415
2416requires_openssl_with_fallback_scsv
2417run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2418 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2419 "$O_CLI -tls1_1 -fallback_scsv" \
2420 1 \
2421 -s "received FALLBACK_SCSV" \
2422 -s "inapropriate fallback"
2423
2424requires_openssl_with_fallback_scsv
2425run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2426 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2427 "$O_CLI -fallback_scsv" \
2428 0 \
2429 -s "received FALLBACK_SCSV" \
2430 -S "inapropriate fallback"
2431
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2432# Test sending and receiving empty application data records
2433
2434run_test "Encrypt then MAC: empty application data record" \
2435 "$P_SRV auth_mode=none debug_level=4 etm=1" \
2436 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
2437 0 \
2438 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2439 -s "dumping 'input payload after decrypt' (0 bytes)" \
2440 -c "0 bytes written in 1 fragments"
2441
2442run_test "Default, no Encrypt then MAC: empty application data record" \
2443 "$P_SRV auth_mode=none debug_level=4 etm=0" \
2444 "$P_CLI auth_mode=none etm=0 request_size=0" \
2445 0 \
2446 -s "dumping 'input payload after decrypt' (0 bytes)" \
2447 -c "0 bytes written in 1 fragments"
2448
2449run_test "Encrypt then MAC, DTLS: empty application data record" \
2450 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
2451 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
2452 0 \
2453 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2454 -s "dumping 'input payload after decrypt' (0 bytes)" \
2455 -c "0 bytes written in 1 fragments"
2456
2457run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
2458 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
2459 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
2460 0 \
2461 -s "dumping 'input payload after decrypt' (0 bytes)" \
2462 -c "0 bytes written in 1 fragments"
2463
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2464## ClientHello generated with
2465## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
2466## then manually twiddling the ciphersuite list.
2467## The ClientHello content is spelled out below as a hex string as
2468## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
2469## The expected response is an inappropriate_fallback alert.
2470requires_openssl_with_fallback_scsv
2471run_test "Fallback SCSV: beginning of list" \
2472 "$P_SRV debug_level=2" \
2473 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
2474 0 \
2475 -s "received FALLBACK_SCSV" \
2476 -s "inapropriate fallback"
2477
2478requires_openssl_with_fallback_scsv
2479run_test "Fallback SCSV: end of list" \
2480 "$P_SRV debug_level=2" \
2481 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
2482 0 \
2483 -s "received FALLBACK_SCSV" \
2484 -s "inapropriate fallback"
2485
2486## Here the expected response is a valid ServerHello prefix, up to the random.
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]2487## Due to the way the clienthello was generated, this currently needs the
2488## server to have support for session tickets.
2489requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2490requires_openssl_with_fallback_scsv
2491run_test "Fallback SCSV: not in list" \
2492 "$P_SRV debug_level=2" \
2493 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
2494 0 \
2495 -S "received FALLBACK_SCSV" \
2496 -S "inapropriate fallback"
2497
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2498# Tests for CBC 1/n-1 record splitting
2499
2500run_test "CBC Record splitting: TLS 1.2, no splitting" \
2501 "$P_SRV" \
2502 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2503 request_size=123 force_version=tls1_2" \
2504 0 \
2505 -s "Read from client: 123 bytes read" \
2506 -S "Read from client: 1 bytes read" \
2507 -S "122 bytes read"
2508
2509run_test "CBC Record splitting: TLS 1.1, no splitting" \
2510 "$P_SRV" \
2511 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2512 request_size=123 force_version=tls1_1" \
2513 0 \
2514 -s "Read from client: 123 bytes read" \
2515 -S "Read from client: 1 bytes read" \
2516 -S "122 bytes read"
2517
2518run_test "CBC Record splitting: TLS 1.0, splitting" \
2519 "$P_SRV" \
2520 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2521 request_size=123 force_version=tls1" \
2522 0 \
2523 -S "Read from client: 123 bytes read" \
2524 -s "Read from client: 1 bytes read" \
2525 -s "122 bytes read"
2526
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2527requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2528run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2529 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2530 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2531 request_size=123 force_version=ssl3" \
2532 0 \
2533 -S "Read from client: 123 bytes read" \
2534 -s "Read from client: 1 bytes read" \
2535 -s "122 bytes read"
2536
2537run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2538 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2539 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2540 request_size=123 force_version=tls1" \
2541 0 \
2542 -s "Read from client: 123 bytes read" \
2543 -S "Read from client: 1 bytes read" \
2544 -S "122 bytes read"
2545
2546run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
2547 "$P_SRV" \
2548 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2549 request_size=123 force_version=tls1 recsplit=0" \
2550 0 \
2551 -s "Read from client: 123 bytes read" \
2552 -S "Read from client: 1 bytes read" \
2553 -S "122 bytes read"
2554
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]2555run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
2556 "$P_SRV nbio=2" \
2557 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2558 request_size=123 force_version=tls1" \
2559 0 \
2560 -S "Read from client: 123 bytes read" \
2561 -s "Read from client: 1 bytes read" \
2562 -s "122 bytes read"
2563
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2564# Tests for Session Tickets
2565
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2566requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2567requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2568run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2569 "$P_SRV debug_level=3 tickets=1" \
2570 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2571 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2572 -c "client hello, adding session ticket extension" \
2573 -s "found session ticket extension" \
2574 -s "server hello, adding session ticket extension" \
2575 -c "found session_ticket extension" \
2576 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2577 -S "session successfully restored from cache" \
2578 -s "session successfully restored from ticket" \
2579 -s "a session has been resumed" \
2580 -c "a session has been resumed"
2581
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2582requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2583requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2584run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2585 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2586 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2587 0 \
2588 -c "client hello, adding session ticket extension" \
2589 -s "found session ticket extension" \
2590 -s "server hello, adding session ticket extension" \
2591 -c "found session_ticket extension" \
2592 -c "parse new session ticket" \
2593 -S "session successfully restored from cache" \
2594 -s "session successfully restored from ticket" \
2595 -s "a session has been resumed" \
2596 -c "a session has been resumed"
2597
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2598requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2599requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2600run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2601 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
2602 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2603 0 \
2604 -c "client hello, adding session ticket extension" \
2605 -s "found session ticket extension" \
2606 -s "server hello, adding session ticket extension" \
2607 -c "found session_ticket extension" \
2608 -c "parse new session ticket" \
2609 -S "session successfully restored from cache" \
2610 -S "session successfully restored from ticket" \
2611 -S "a session has been resumed" \
2612 -C "a session has been resumed"
2613
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2614requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2615requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2616run_test "Session resume using tickets: session copy" \
2617 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2618 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
2619 0 \
2620 -c "client hello, adding session ticket extension" \
2621 -s "found session ticket extension" \
2622 -s "server hello, adding session ticket extension" \
2623 -c "found session_ticket extension" \
2624 -c "parse new session ticket" \
2625 -S "session successfully restored from cache" \
2626 -s "session successfully restored from ticket" \
2627 -s "a session has been resumed" \
2628 -c "a session has been resumed"
2629
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2630requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2631requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2632run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2633 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2634 "$P_CLI debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2635 0 \
2636 -c "client hello, adding session ticket extension" \
2637 -c "found session_ticket extension" \
2638 -c "parse new session ticket" \
2639 -c "a session has been resumed"
2640
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2641requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2642requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2643run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2644 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2645 "( $O_CLI -sess_out $SESSION; \
2646 $O_CLI -sess_in $SESSION; \
2647 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2648 0 \
2649 -s "found session ticket extension" \
2650 -s "server hello, adding session ticket extension" \
2651 -S "session successfully restored from cache" \
2652 -s "session successfully restored from ticket" \
2653 -s "a session has been resumed"
2654
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2655# Tests for Session Tickets with DTLS
2656
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2657requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2658requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2659run_test "Session resume using tickets, DTLS: basic" \
2660 "$P_SRV debug_level=3 dtls=1 tickets=1" \
2661 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2662 0 \
2663 -c "client hello, adding session ticket extension" \
2664 -s "found session ticket extension" \
2665 -s "server hello, adding session ticket extension" \
2666 -c "found session_ticket extension" \
2667 -c "parse new session ticket" \
2668 -S "session successfully restored from cache" \
2669 -s "session successfully restored from ticket" \
2670 -s "a session has been resumed" \
2671 -c "a session has been resumed"
2672
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2673requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2674requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2675run_test "Session resume using tickets, DTLS: cache disabled" \
2676 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2677 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2678 0 \
2679 -c "client hello, adding session ticket extension" \
2680 -s "found session ticket extension" \
2681 -s "server hello, adding session ticket extension" \
2682 -c "found session_ticket extension" \
2683 -c "parse new session ticket" \
2684 -S "session successfully restored from cache" \
2685 -s "session successfully restored from ticket" \
2686 -s "a session has been resumed" \
2687 -c "a session has been resumed"
2688
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2689requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2690requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2691run_test "Session resume using tickets, DTLS: timeout" \
2692 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
2693 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
2694 0 \
2695 -c "client hello, adding session ticket extension" \
2696 -s "found session ticket extension" \
2697 -s "server hello, adding session ticket extension" \
2698 -c "found session_ticket extension" \
2699 -c "parse new session ticket" \
2700 -S "session successfully restored from cache" \
2701 -S "session successfully restored from ticket" \
2702 -S "a session has been resumed" \
2703 -C "a session has been resumed"
2704
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2705requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2706requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2707run_test "Session resume using tickets, DTLS: session copy" \
2708 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2709 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_mode=0" \
2710 0 \
2711 -c "client hello, adding session ticket extension" \
2712 -s "found session ticket extension" \
2713 -s "server hello, adding session ticket extension" \
2714 -c "found session_ticket extension" \
2715 -c "parse new session ticket" \
2716 -S "session successfully restored from cache" \
2717 -s "session successfully restored from ticket" \
2718 -s "a session has been resumed" \
2719 -c "a session has been resumed"
2720
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2721requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2722requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2723run_test "Session resume using tickets, DTLS: openssl server" \
2724 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2725 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2726 0 \
2727 -c "client hello, adding session ticket extension" \
2728 -c "found session_ticket extension" \
2729 -c "parse new session ticket" \
2730 -c "a session has been resumed"
2731
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2732requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2733requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2734run_test "Session resume using tickets, DTLS: openssl client" \
2735 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2736 "( $O_CLI -dtls1 -sess_out $SESSION; \
2737 $O_CLI -dtls1 -sess_in $SESSION; \
2738 rm -f $SESSION )" \
2739 0 \
2740 -s "found session ticket extension" \
2741 -s "server hello, adding session ticket extension" \
2742 -S "session successfully restored from cache" \
2743 -s "session successfully restored from ticket" \
2744 -s "a session has been resumed"
2745
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2746# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2747
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2748requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2749requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2750requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2751run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2752 "$P_SRV debug_level=3 tickets=0" \
2753 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2754 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2755 -c "client hello, adding session ticket extension" \
2756 -s "found session ticket extension" \
2757 -S "server hello, adding session ticket extension" \
2758 -C "found session_ticket extension" \
2759 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2760 -s "session successfully restored from cache" \
2761 -S "session successfully restored from ticket" \
2762 -s "a session has been resumed" \
2763 -c "a session has been resumed"
2764
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2765requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2766requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2767requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2768run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2769 "$P_SRV debug_level=3 tickets=1" \
2770 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2771 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2772 -C "client hello, adding session ticket extension" \
2773 -S "found session ticket extension" \
2774 -S "server hello, adding session ticket extension" \
2775 -C "found session_ticket extension" \
2776 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2777 -s "session successfully restored from cache" \
2778 -S "session successfully restored from ticket" \
2779 -s "a session has been resumed" \
2780 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2781
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2782requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2783requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2784run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2785 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
2786 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2787 0 \
2788 -S "session successfully restored from cache" \
2789 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2790 -S "a session has been resumed" \
2791 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2792
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2793requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2794requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2795run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2796 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
2797 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2798 0 \
2799 -s "session successfully restored from cache" \
2800 -S "session successfully restored from ticket" \
2801 -s "a session has been resumed" \
2802 -c "a session has been resumed"
2803
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2804requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2805requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]2806run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2807 "$P_SRV debug_level=3 tickets=0" \
2808 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2809 0 \
2810 -s "session successfully restored from cache" \
2811 -S "session successfully restored from ticket" \
2812 -s "a session has been resumed" \
2813 -c "a session has been resumed"
2814
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2815requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2816requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2817run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2818 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
2819 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2820 0 \
2821 -S "session successfully restored from cache" \
2822 -S "session successfully restored from ticket" \
2823 -S "a session has been resumed" \
2824 -C "a session has been resumed"
2825
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2826requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2827requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2828run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2829 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
2830 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2831 0 \
2832 -s "session successfully restored from cache" \
2833 -S "session successfully restored from ticket" \
2834 -s "a session has been resumed" \
2835 -c "a session has been resumed"
2836
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2837requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2838requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2839run_test "Session resume using cache: session copy" \
2840 "$P_SRV debug_level=3 tickets=0" \
2841 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
2842 0 \
2843 -s "session successfully restored from cache" \
2844 -S "session successfully restored from ticket" \
2845 -s "a session has been resumed" \
2846 -c "a session has been resumed"
2847
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2848requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2849requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2850run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2851 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2852 "( $O_CLI -sess_out $SESSION; \
2853 $O_CLI -sess_in $SESSION; \
2854 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2855 0 \
2856 -s "found session ticket extension" \
2857 -S "server hello, adding session ticket extension" \
2858 -s "session successfully restored from cache" \
2859 -S "session successfully restored from ticket" \
2860 -s "a session has been resumed"
2861
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2862requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2863requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2864run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2865 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2866 "$P_CLI debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2867 0 \
2868 -C "found session_ticket extension" \
2869 -C "parse new session ticket" \
2870 -c "a session has been resumed"
2871
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2872# Tests for Session Resume based on session-ID and cache, DTLS
2873
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2874requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2875requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2876requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2877run_test "Session resume using cache, DTLS: tickets enabled on client" \
2878 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2879 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
2880 0 \
2881 -c "client hello, adding session ticket extension" \
2882 -s "found session ticket extension" \
2883 -S "server hello, adding session ticket extension" \
2884 -C "found session_ticket extension" \
2885 -C "parse new session ticket" \
2886 -s "session successfully restored from cache" \
2887 -S "session successfully restored from ticket" \
2888 -s "a session has been resumed" \
2889 -c "a session has been resumed"
2890
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2891requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2892requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2893requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2894run_test "Session resume using cache, DTLS: tickets enabled on server" \
2895 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2896 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2897 0 \
2898 -C "client hello, adding session ticket extension" \
2899 -S "found session ticket extension" \
2900 -S "server hello, adding session ticket extension" \
2901 -C "found session_ticket extension" \
2902 -C "parse new session ticket" \
2903 -s "session successfully restored from cache" \
2904 -S "session successfully restored from ticket" \
2905 -s "a session has been resumed" \
2906 -c "a session has been resumed"
2907
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2908requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2909requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2910run_test "Session resume using cache, DTLS: cache_max=0" \
2911 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
2912 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2913 0 \
2914 -S "session successfully restored from cache" \
2915 -S "session successfully restored from ticket" \
2916 -S "a session has been resumed" \
2917 -C "a session has been resumed"
2918
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2919requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2920requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2921run_test "Session resume using cache, DTLS: cache_max=1" \
2922 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
2923 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2924 0 \
2925 -s "session successfully restored from cache" \
2926 -S "session successfully restored from ticket" \
2927 -s "a session has been resumed" \
2928 -c "a session has been resumed"
2929
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2930requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2931requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2932run_test "Session resume using cache, DTLS: timeout > delay" \
2933 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2934 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
2935 0 \
2936 -s "session successfully restored from cache" \
2937 -S "session successfully restored from ticket" \
2938 -s "a session has been resumed" \
2939 -c "a session has been resumed"
2940
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2941requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2942requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2943run_test "Session resume using cache, DTLS: timeout < delay" \
2944 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
2945 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2946 0 \
2947 -S "session successfully restored from cache" \
2948 -S "session successfully restored from ticket" \
2949 -S "a session has been resumed" \
2950 -C "a session has been resumed"
2951
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2952requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2953requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2954run_test "Session resume using cache, DTLS: no timeout" \
2955 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
2956 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2957 0 \
2958 -s "session successfully restored from cache" \
2959 -S "session successfully restored from ticket" \
2960 -s "a session has been resumed" \
2961 -c "a session has been resumed"
2962
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2963requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2964requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2965run_test "Session resume using cache, DTLS: session copy" \
2966 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2967 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
2968 0 \
2969 -s "session successfully restored from cache" \
2970 -S "session successfully restored from ticket" \
2971 -s "a session has been resumed" \
2972 -c "a session has been resumed"
2973
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2974requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2975requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2976run_test "Session resume using cache, DTLS: openssl client" \
2977 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2978 "( $O_CLI -dtls1 -sess_out $SESSION; \
2979 $O_CLI -dtls1 -sess_in $SESSION; \
2980 rm -f $SESSION )" \
2981 0 \
2982 -s "found session ticket extension" \
2983 -S "server hello, adding session ticket extension" \
2984 -s "session successfully restored from cache" \
2985 -S "session successfully restored from ticket" \
2986 -s "a session has been resumed"
2987
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2988requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2989requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2990run_test "Session resume using cache, DTLS: openssl server" \
2991 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2992 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2993 0 \
2994 -C "found session_ticket extension" \
2995 -C "parse new session ticket" \
2996 -c "a session has been resumed"
2997
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2998# Tests for Max Fragment Length extension
2999
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3000if [ $MAX_CONTENT_LEN -ne 16384 ]; then
3001 printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
3002fi
3003
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3004requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3005run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3006 "$P_SRV debug_level=3" \
3007 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3008 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3009 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3010 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3011 -C "client hello, adding max_fragment_length extension" \
3012 -S "found max fragment length extension" \
3013 -S "server hello, max_fragment_length extension" \
3014 -C "found max_fragment_length extension"
3015
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3016requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3017run_test "Max fragment length: enabled, default, larger message" \
3018 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3019 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3020 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3021 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3022 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3023 -C "client hello, adding max_fragment_length extension" \
3024 -S "found max fragment length extension" \
3025 -S "server hello, max_fragment_length extension" \
3026 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3027 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3028 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3029 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3030
3031requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunen3f1190d2019-09-26 17:18:57 +0300[diff] [blame]3032requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 4096
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3033run_test "Max fragment length, DTLS: enabled, default, larger message" \
3034 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3035 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3036 1 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3037 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
3038 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3039 -C "client hello, adding max_fragment_length extension" \
3040 -S "found max fragment length extension" \
3041 -S "server hello, max_fragment_length extension" \
3042 -C "found max_fragment_length extension" \
3043 -c "fragment larger than.*maximum "
3044
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3045# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
3046# (session fragment length will be 16384 regardless of mbedtls
3047# content length configuration.)
3048
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3049requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3050requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 16384
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3051run_test "Max fragment length: disabled, larger message" \
3052 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3053 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3054 0 \
3055 -C "Maximum fragment length is 16384" \
3056 -S "Maximum fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3057 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3058 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3059 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3060
3061requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3062requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 16384
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3063run_test "Max fragment length DTLS: disabled, larger message" \
3064 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3065 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3066 1 \
3067 -C "Maximum fragment length is 16384" \
3068 -S "Maximum fragment length is 16384" \
3069 -c "fragment larger than.*maximum "
3070
3071requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunen3f1190d2019-09-26 17:18:57 +0300[diff] [blame]3072requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 4096
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3073run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3074 "$P_SRV debug_level=3" \
3075 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3076 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3077 -c "Maximum fragment length is 4096" \
3078 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3079 -c "client hello, adding max_fragment_length extension" \
3080 -s "found max fragment length extension" \
3081 -s "server hello, max_fragment_length extension" \
3082 -c "found max_fragment_length extension"
3083
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3084requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunen3f1190d2019-09-26 17:18:57 +0300[diff] [blame]3085requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 4096
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3086run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3087 "$P_SRV debug_level=3 max_frag_len=4096" \
3088 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3089 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3090 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3091 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3092 -C "client hello, adding max_fragment_length extension" \
3093 -S "found max fragment length extension" \
3094 -S "server hello, max_fragment_length extension" \
3095 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3096
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3097requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunen3f1190d2019-09-26 17:18:57 +0300[diff] [blame]3098requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 4096
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3099requires_gnutls
3100run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3101 "$G_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3102 "$P_CLI debug_level=3 max_frag_len=4096 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3103 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3104 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3105 -c "client hello, adding max_fragment_length extension" \
3106 -c "found max_fragment_length extension"
3107
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3108requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3109requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 2048
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3110run_test "Max fragment length: client, message just fits" \
3111 "$P_SRV debug_level=3" \
3112 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
3113 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3114 -c "Maximum fragment length is 2048" \
3115 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3116 -c "client hello, adding max_fragment_length extension" \
3117 -s "found max fragment length extension" \
3118 -s "server hello, max_fragment_length extension" \
3119 -c "found max_fragment_length extension" \
3120 -c "2048 bytes written in 1 fragments" \
3121 -s "2048 bytes read"
3122
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3123requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3124requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 2048
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3125run_test "Max fragment length: client, larger message" \
3126 "$P_SRV debug_level=3" \
3127 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
3128 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3129 -c "Maximum fragment length is 2048" \
3130 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3131 -c "client hello, adding max_fragment_length extension" \
3132 -s "found max fragment length extension" \
3133 -s "server hello, max_fragment_length extension" \
3134 -c "found max_fragment_length extension" \
3135 -c "2345 bytes written in 2 fragments" \
3136 -s "2048 bytes read" \
3137 -s "297 bytes read"
3138
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3139requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3140requires_config_value_at_least "MBEDTLS_SSL_MAX_CONTENT_LEN" 2048
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]3141run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3142 "$P_SRV debug_level=3 dtls=1" \
3143 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
3144 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]3145 -c "Maximum fragment length is 2048" \
3146 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3147 -c "client hello, adding max_fragment_length extension" \
3148 -s "found max fragment length extension" \
3149 -s "server hello, max_fragment_length extension" \
3150 -c "found max_fragment_length extension" \
3151 -c "fragment larger than.*maximum"
3152
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3153# Tests for renegotiation
3154
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3155# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3156run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3157 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3158 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3159 0 \
3160 -C "client hello, adding renegotiation extension" \
3161 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3162 -S "found renegotiation extension" \
3163 -s "server hello, secure renegotiation extension" \
3164 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3165 -C "=> renegotiate" \
3166 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3167 -S "write hello request"
3168
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3169requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3170run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3171 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3172 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3173 0 \
3174 -c "client hello, adding renegotiation extension" \
3175 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3176 -s "found renegotiation extension" \
3177 -s "server hello, secure renegotiation extension" \
3178 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3179 -c "=> renegotiate" \
3180 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3181 -S "write hello request"
3182
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3183requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3184run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3185 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3186 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3187 0 \
3188 -c "client hello, adding renegotiation extension" \
3189 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3190 -s "found renegotiation extension" \
3191 -s "server hello, secure renegotiation extension" \
3192 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3193 -c "=> renegotiate" \
3194 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3195 -s "write hello request"
3196
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3197# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3198# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3199# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3200requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3201run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
3202 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
3203 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
3204 0 \
3205 -c "client hello, adding renegotiation extension" \
3206 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3207 -s "found renegotiation extension" \
3208 -s "server hello, secure renegotiation extension" \
3209 -c "found renegotiation extension" \
3210 -c "=> renegotiate" \
3211 -s "=> renegotiate" \
3212 -S "write hello request" \
3213 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3214
3215# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3216# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3217# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3218requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3219run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
3220 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
3221 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3222 0 \
3223 -c "client hello, adding renegotiation extension" \
3224 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3225 -s "found renegotiation extension" \
3226 -s "server hello, secure renegotiation extension" \
3227 -c "found renegotiation extension" \
3228 -c "=> renegotiate" \
3229 -s "=> renegotiate" \
3230 -s "write hello request" \
3231 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3232
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3233requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3234run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3235 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3236 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3237 0 \
3238 -c "client hello, adding renegotiation extension" \
3239 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3240 -s "found renegotiation extension" \
3241 -s "server hello, secure renegotiation extension" \
3242 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3243 -c "=> renegotiate" \
3244 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3245 -s "write hello request"
3246
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3247requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3248run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3249 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3250 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3251 1 \
3252 -c "client hello, adding renegotiation extension" \
3253 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3254 -S "found renegotiation extension" \
3255 -s "server hello, secure renegotiation extension" \
3256 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3257 -c "=> renegotiate" \
3258 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3259 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]3260 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3261 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3262
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3263requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3264run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3265 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3266 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3267 0 \
3268 -C "client hello, adding renegotiation extension" \
3269 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3270 -S "found renegotiation extension" \
3271 -s "server hello, secure renegotiation extension" \
3272 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3273 -C "=> renegotiate" \
3274 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3275 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]3276 -S "SSL - An unexpected message was received from our peer" \
3277 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3278
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3279requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3280run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3281 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3282 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3283 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3284 0 \
3285 -C "client hello, adding renegotiation extension" \
3286 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3287 -S "found renegotiation extension" \
3288 -s "server hello, secure renegotiation extension" \
3289 -c "found renegotiation extension" \
3290 -C "=> renegotiate" \
3291 -S "=> renegotiate" \
3292 -s "write hello request" \
3293 -S "SSL - An unexpected message was received from our peer" \
3294 -S "failed"
3295
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3296# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3297requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3298run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3299 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3300 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3301 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3302 0 \
3303 -C "client hello, adding renegotiation extension" \
3304 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3305 -S "found renegotiation extension" \
3306 -s "server hello, secure renegotiation extension" \
3307 -c "found renegotiation extension" \
3308 -C "=> renegotiate" \
3309 -S "=> renegotiate" \
3310 -s "write hello request" \
3311 -S "SSL - An unexpected message was received from our peer" \
3312 -S "failed"
3313
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3314requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3315run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3316 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3317 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3318 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3319 0 \
3320 -C "client hello, adding renegotiation extension" \
3321 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3322 -S "found renegotiation extension" \
3323 -s "server hello, secure renegotiation extension" \
3324 -c "found renegotiation extension" \
3325 -C "=> renegotiate" \
3326 -S "=> renegotiate" \
3327 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3328 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3329
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3330requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3331run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3332 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3333 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3334 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3335 0 \
3336 -c "client hello, adding renegotiation extension" \
3337 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3338 -s "found renegotiation extension" \
3339 -s "server hello, secure renegotiation extension" \
3340 -c "found renegotiation extension" \
3341 -c "=> renegotiate" \
3342 -s "=> renegotiate" \
3343 -s "write hello request" \
3344 -S "SSL - An unexpected message was received from our peer" \
3345 -S "failed"
3346
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3347requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3348run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3349 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3350 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3351 0 \
3352 -C "client hello, adding renegotiation extension" \
3353 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3354 -S "found renegotiation extension" \
3355 -s "server hello, secure renegotiation extension" \
3356 -c "found renegotiation extension" \
3357 -S "record counter limit reached: renegotiate" \
3358 -C "=> renegotiate" \
3359 -S "=> renegotiate" \
3360 -S "write hello request" \
3361 -S "SSL - An unexpected message was received from our peer" \
3362 -S "failed"
3363
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3364# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3365requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3366run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3367 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3368 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3369 0 \
3370 -c "client hello, adding renegotiation extension" \
3371 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3372 -s "found renegotiation extension" \
3373 -s "server hello, secure renegotiation extension" \
3374 -c "found renegotiation extension" \
3375 -s "record counter limit reached: renegotiate" \
3376 -c "=> renegotiate" \
3377 -s "=> renegotiate" \
3378 -s "write hello request" \
3379 -S "SSL - An unexpected message was received from our peer" \
3380 -S "failed"
3381
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3382requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3383run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3384 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3385 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3386 0 \
3387 -c "client hello, adding renegotiation extension" \
3388 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3389 -s "found renegotiation extension" \
3390 -s "server hello, secure renegotiation extension" \
3391 -c "found renegotiation extension" \
3392 -s "record counter limit reached: renegotiate" \
3393 -c "=> renegotiate" \
3394 -s "=> renegotiate" \
3395 -s "write hello request" \
3396 -S "SSL - An unexpected message was received from our peer" \
3397 -S "failed"
3398
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3399requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3400run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3401 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3402 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
3403 0 \
3404 -C "client hello, adding renegotiation extension" \
3405 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3406 -S "found renegotiation extension" \
3407 -s "server hello, secure renegotiation extension" \
3408 -c "found renegotiation extension" \
3409 -S "record counter limit reached: renegotiate" \
3410 -C "=> renegotiate" \
3411 -S "=> renegotiate" \
3412 -S "write hello request" \
3413 -S "SSL - An unexpected message was received from our peer" \
3414 -S "failed"
3415
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3416requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3417run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3418 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3419 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3420 0 \
3421 -c "client hello, adding renegotiation extension" \
3422 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3423 -s "found renegotiation extension" \
3424 -s "server hello, secure renegotiation extension" \
3425 -c "found renegotiation extension" \
3426 -c "=> renegotiate" \
3427 -s "=> renegotiate" \
3428 -S "write hello request"
3429
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3430requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3431run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3432 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3433 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3434 0 \
3435 -c "client hello, adding renegotiation extension" \
3436 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3437 -s "found renegotiation extension" \
3438 -s "server hello, secure renegotiation extension" \
3439 -c "found renegotiation extension" \
3440 -c "=> renegotiate" \
3441 -s "=> renegotiate" \
3442 -s "write hello request"
3443
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3444requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3445run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3446 "$O_SRV -www" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3447 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3448 0 \
3449 -c "client hello, adding renegotiation extension" \
3450 -c "found renegotiation extension" \
3451 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3452 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3453 -C "error" \
3454 -c "HTTP/1.0 200 [Oo][Kk]"
3455
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3456requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3457requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3458run_test "Renegotiation: gnutls server strict, client-initiated" \
3459 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3460 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3461 0 \
3462 -c "client hello, adding renegotiation extension" \
3463 -c "found renegotiation extension" \
3464 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3465 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3466 -C "error" \
3467 -c "HTTP/1.0 200 [Oo][Kk]"
3468
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3469requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3470requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3471run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
3472 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3473 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3474 1 \
3475 -c "client hello, adding renegotiation extension" \
3476 -C "found renegotiation extension" \
3477 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3478 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3479 -c "error" \
3480 -C "HTTP/1.0 200 [Oo][Kk]"
3481
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3482requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3483requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3484run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
3485 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3486 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3487 allow_legacy=0" \
3488 1 \
3489 -c "client hello, adding renegotiation extension" \
3490 -C "found renegotiation extension" \
3491 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3492 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3493 -c "error" \
3494 -C "HTTP/1.0 200 [Oo][Kk]"
3495
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3496requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3497requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3498run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
3499 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3500 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3501 allow_legacy=1" \
3502 0 \
3503 -c "client hello, adding renegotiation extension" \
3504 -C "found renegotiation extension" \
3505 -c "=> renegotiate" \
3506 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3507 -C "error" \
3508 -c "HTTP/1.0 200 [Oo][Kk]"
3509
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3510requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]3511run_test "Renegotiation: DTLS, client-initiated" \
3512 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
3513 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
3514 0 \
3515 -c "client hello, adding renegotiation extension" \
3516 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3517 -s "found renegotiation extension" \
3518 -s "server hello, secure renegotiation extension" \
3519 -c "found renegotiation extension" \
3520 -c "=> renegotiate" \
3521 -s "=> renegotiate" \
3522 -S "write hello request"
3523
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3524requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3525run_test "Renegotiation: DTLS, server-initiated" \
3526 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]3527 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
3528 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3529 0 \
3530 -c "client hello, adding renegotiation extension" \
3531 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3532 -s "found renegotiation extension" \
3533 -s "server hello, secure renegotiation extension" \
3534 -c "found renegotiation extension" \
3535 -c "=> renegotiate" \
3536 -s "=> renegotiate" \
3537 -s "write hello request"
3538
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3539requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3540run_test "Renegotiation: DTLS, renego_period overflow" \
3541 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
3542 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
3543 0 \
3544 -c "client hello, adding renegotiation extension" \
3545 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3546 -s "found renegotiation extension" \
3547 -s "server hello, secure renegotiation extension" \
3548 -s "record counter limit reached: renegotiate" \
3549 -c "=> renegotiate" \
3550 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3551 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3552
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3553requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3554requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3555run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
3556 "$G_SRV -u --mtu 4096" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3557 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3558 0 \
3559 -c "client hello, adding renegotiation extension" \
3560 -c "found renegotiation extension" \
3561 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3562 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3563 -C "error" \
3564 -s "Extra-header:"
3565
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3566# Test for the "secure renegotation" extension only (no actual renegotiation)
3567
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3568requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3569run_test "Renego ext: gnutls server strict, client default" \
3570 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3571 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3572 0 \
3573 -c "found renegotiation extension" \
3574 -C "error" \
3575 -c "HTTP/1.0 200 [Oo][Kk]"
3576
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3577requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3578run_test "Renego ext: gnutls server unsafe, client default" \
3579 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3580 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3581 0 \
3582 -C "found renegotiation extension" \
3583 -C "error" \
3584 -c "HTTP/1.0 200 [Oo][Kk]"
3585
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3586requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3587run_test "Renego ext: gnutls server unsafe, client break legacy" \
3588 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3589 "$P_CLI debug_level=3 allow_legacy=-1" \
3590 1 \
3591 -C "found renegotiation extension" \
3592 -c "error" \
3593 -C "HTTP/1.0 200 [Oo][Kk]"
3594
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3595requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3596run_test "Renego ext: gnutls client strict, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3597 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3598 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3599 0 \
3600 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3601 -s "server hello, secure renegotiation extension"
3602
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3603requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3604run_test "Renego ext: gnutls client unsafe, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3605 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3606 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3607 0 \
3608 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3609 -S "server hello, secure renegotiation extension"
3610
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3611requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3612run_test "Renego ext: gnutls client unsafe, server break legacy" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3613 "$P_SRV debug_level=3 allow_legacy=-1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3614 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3615 1 \
3616 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3617 -S "server hello, secure renegotiation extension"
3618
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3619# Tests for silently dropping trailing extra bytes in .der certificates
3620
3621requires_gnutls
3622run_test "DER format: no trailing bytes" \
3623 "$P_SRV crt_file=data_files/server5-der0.crt \
3624 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3625 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3626 0 \
3627 -c "Handshake was completed" \
3628
3629requires_gnutls
3630run_test "DER format: with a trailing zero byte" \
3631 "$P_SRV crt_file=data_files/server5-der1a.crt \
3632 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3633 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3634 0 \
3635 -c "Handshake was completed" \
3636
3637requires_gnutls
3638run_test "DER format: with a trailing random byte" \
3639 "$P_SRV crt_file=data_files/server5-der1b.crt \
3640 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3641 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3642 0 \
3643 -c "Handshake was completed" \
3644
3645requires_gnutls
3646run_test "DER format: with 2 trailing random bytes" \
3647 "$P_SRV crt_file=data_files/server5-der2.crt \
3648 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3649 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3650 0 \
3651 -c "Handshake was completed" \
3652
3653requires_gnutls
3654run_test "DER format: with 4 trailing random bytes" \
3655 "$P_SRV crt_file=data_files/server5-der4.crt \
3656 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3657 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3658 0 \
3659 -c "Handshake was completed" \
3660
3661requires_gnutls
3662run_test "DER format: with 8 trailing random bytes" \
3663 "$P_SRV crt_file=data_files/server5-der8.crt \
3664 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3665 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3666 0 \
3667 -c "Handshake was completed" \
3668
3669requires_gnutls
3670run_test "DER format: with 9 trailing random bytes" \
3671 "$P_SRV crt_file=data_files/server5-der9.crt \
3672 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3673 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3674 0 \
3675 -c "Handshake was completed" \
3676
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3677# Tests for auth_mode
3678
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3679requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3680requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3681run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3682 "$P_SRV crt_file=data_files/server5-badsign.crt \
3683 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3684 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3685 1 \
3686 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3687 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3688 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3689 -c "X509 - Certificate verification failed"
3690
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3691requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3692requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3693run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3694 "$P_SRV crt_file=data_files/server5-badsign.crt \
3695 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3696 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3697 0 \
3698 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3699 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3700 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3701 -C "X509 - Certificate verification failed"
3702
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3703requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3704requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3705run_test "Authentication: server goodcert, client optional, no trusted CA" \
3706 "$P_SRV" \
3707 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
3708 0 \
3709 -c "x509_verify_cert() returned" \
3710 -c "! The certificate is not correctly signed by the trusted CA" \
3711 -c "! Certificate verification flags"\
3712 -C "! mbedtls_ssl_handshake returned" \
3713 -C "X509 - Certificate verification failed" \
3714 -C "SSL - No CA Chain is set, but required to operate"
3715
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3716requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3717requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3718run_test "Authentication: server goodcert, client required, no trusted CA" \
3719 "$P_SRV" \
3720 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
3721 1 \
3722 -c "x509_verify_cert() returned" \
3723 -c "! The certificate is not correctly signed by the trusted CA" \
3724 -c "! Certificate verification flags"\
3725 -c "! mbedtls_ssl_handshake returned" \
3726 -c "SSL - No CA Chain is set, but required to operate"
3727
3728# The purpose of the next two tests is to test the client's behaviour when receiving a server
3729# certificate with an unsupported elliptic curve. This should usually not happen because
3730# the client informs the server about the supported curves - it does, though, in the
3731# corner case of a static ECDH suite, because the server doesn't check the curve on that
3732# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
3733# different means to have the server ignoring the client's supported curve list.
3734
3735requires_config_enabled MBEDTLS_ECP_C
3736run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
3737 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3738 crt_file=data_files/server5.ku-ka.crt" \
3739 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
3740 1 \
3741 -c "bad certificate (EC key curve)"\
3742 -c "! Certificate verification flags"\
3743 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
3744
3745requires_config_enabled MBEDTLS_ECP_C
3746run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
3747 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3748 crt_file=data_files/server5.ku-ka.crt" \
3749 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
3750 1 \
3751 -c "bad certificate (EC key curve)"\
3752 -c "! Certificate verification flags"\
3753 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
3754
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3755run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]3756 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3757 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3758 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3759 0 \
3760 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3761 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3762 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3763 -C "X509 - Certificate verification failed"
3764
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3765run_test "Authentication: client SHA256, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3766 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3767 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3768 key_file=data_files/server6.key \
3769 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
3770 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3771 -c "Supported Signature Algorithm found: 5,"
3772
3773run_test "Authentication: client SHA384, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3774 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3775 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3776 key_file=data_files/server6.key \
3777 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
3778 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3779 -c "Supported Signature Algorithm found: 5,"
3780
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3781requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3782run_test "Authentication: client has no cert, server required (SSLv3)" \
3783 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
3784 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
3785 key_file=data_files/server5.key" \
3786 1 \
3787 -S "skip write certificate request" \
3788 -C "skip parse certificate request" \
3789 -c "got a certificate request" \
3790 -c "got no certificate to send" \
3791 -S "x509_verify_cert() returned" \
3792 -s "client has no certificate" \
3793 -s "! mbedtls_ssl_handshake returned" \
3794 -c "! mbedtls_ssl_handshake returned" \
3795 -s "No client certification received from the client, but required by the authentication mode"
3796
3797run_test "Authentication: client has no cert, server required (TLS)" \
3798 "$P_SRV debug_level=3 auth_mode=required" \
3799 "$P_CLI debug_level=3 crt_file=none \
3800 key_file=data_files/server5.key" \
3801 1 \
3802 -S "skip write certificate request" \
3803 -C "skip parse certificate request" \
3804 -c "got a certificate request" \
3805 -c "= write certificate$" \
3806 -C "skip write certificate$" \
3807 -S "x509_verify_cert() returned" \
3808 -s "client has no certificate" \
3809 -s "! mbedtls_ssl_handshake returned" \
3810 -c "! mbedtls_ssl_handshake returned" \
3811 -s "No client certification received from the client, but required by the authentication mode"
3812
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3813requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3814requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3815run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3816 "$P_SRV debug_level=3 auth_mode=required" \
3817 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3818 key_file=data_files/server5.key" \
3819 1 \
3820 -S "skip write certificate request" \
3821 -C "skip parse certificate request" \
3822 -c "got a certificate request" \
3823 -C "skip write certificate" \
3824 -C "skip write certificate verify" \
3825 -S "skip parse certificate verify" \
3826 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3827 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3828 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3829 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3830 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3831 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3832# We don't check that the client receives the alert because it might
3833# detect that its write end of the connection is closed and abort
3834# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3835
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3836requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3837requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]3838run_test "Authentication: client cert not trusted, server required" \
3839 "$P_SRV debug_level=3 auth_mode=required" \
3840 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
3841 key_file=data_files/server5.key" \
3842 1 \
3843 -S "skip write certificate request" \
3844 -C "skip parse certificate request" \
3845 -c "got a certificate request" \
3846 -C "skip write certificate" \
3847 -C "skip write certificate verify" \
3848 -S "skip parse certificate verify" \
3849 -s "x509_verify_cert() returned" \
3850 -s "! The certificate is not correctly signed by the trusted CA" \
3851 -s "! mbedtls_ssl_handshake returned" \
3852 -c "! mbedtls_ssl_handshake returned" \
3853 -s "X509 - Certificate verification failed"
3854
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3855requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3856requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3857run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3858 "$P_SRV debug_level=3 auth_mode=optional" \
3859 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3860 key_file=data_files/server5.key" \
3861 0 \
3862 -S "skip write certificate request" \
3863 -C "skip parse certificate request" \
3864 -c "got a certificate request" \
3865 -C "skip write certificate" \
3866 -C "skip write certificate verify" \
3867 -S "skip parse certificate verify" \
3868 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3869 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3870 -S "! mbedtls_ssl_handshake returned" \
3871 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3872 -S "X509 - Certificate verification failed"
3873
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3874run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3875 "$P_SRV debug_level=3 auth_mode=none" \
3876 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3877 key_file=data_files/server5.key" \
3878 0 \
3879 -s "skip write certificate request" \
3880 -C "skip parse certificate request" \
3881 -c "got no certificate request" \
3882 -c "skip write certificate" \
3883 -c "skip write certificate verify" \
3884 -s "skip parse certificate verify" \
3885 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3886 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3887 -S "! mbedtls_ssl_handshake returned" \
3888 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3889 -S "X509 - Certificate verification failed"
3890
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3891requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3892requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3893run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3894 "$P_SRV debug_level=3 auth_mode=optional" \
3895 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3896 0 \
3897 -S "skip write certificate request" \
3898 -C "skip parse certificate request" \
3899 -c "got a certificate request" \
3900 -C "skip write certificate$" \
3901 -C "got no certificate to send" \
3902 -S "SSLv3 client has no certificate" \
3903 -c "skip write certificate verify" \
3904 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3905 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3906 -S "! mbedtls_ssl_handshake returned" \
3907 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3908 -S "X509 - Certificate verification failed"
3909
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]3910requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3911requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3912run_test "Authentication: openssl client no cert, server optional" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3913 "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3914 "$O_CLI" \
3915 0 \
3916 -S "skip write certificate request" \
3917 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3918 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3919 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3920 -S "X509 - Certificate verification failed"
3921
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3922run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3923 "$O_SRV -verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3924 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3925 0 \
3926 -C "skip parse certificate request" \
3927 -c "got a certificate request" \
3928 -C "skip write certificate$" \
3929 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3930 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3931
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3932run_test "Authentication: client no cert, openssl server required" \
3933 "$O_SRV -Verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3934 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3935 1 \
3936 -C "skip parse certificate request" \
3937 -c "got a certificate request" \
3938 -C "skip write certificate$" \
3939 -c "skip write certificate verify" \
3940 -c "! mbedtls_ssl_handshake returned"
3941
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3942requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]3943requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]3944requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3945run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3946 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3947 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3948 0 \
3949 -S "skip write certificate request" \
3950 -C "skip parse certificate request" \
3951 -c "got a certificate request" \
3952 -C "skip write certificate$" \
3953 -c "skip write certificate verify" \
3954 -c "got no certificate to send" \
3955 -s "SSLv3 client has no certificate" \
3956 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3957 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3958 -S "! mbedtls_ssl_handshake returned" \
3959 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3960 -S "X509 - Certificate verification failed"
3961
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]3962# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
3963# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3964
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3965MAX_IM_CA='8'
Arto Kinnunen78213522019-09-26 11:06:39 +0300[diff] [blame]3966MAX_IM_CA_CONFIG="$( get_config_value_or_default MBEDTLS_X509_MAX_INTERMEDIATE_CA )"
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3967
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3968requires_full_size_output_buffer
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3969requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3970run_test "Authentication: server max_int chain, client default" \
3971 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
3972 key_file=data_files/dir-maxpath/09.key" \
3973 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
3974 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3975 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3976
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3977requires_full_size_output_buffer
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3978requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3979run_test "Authentication: server max_int+1 chain, client default" \
3980 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3981 key_file=data_files/dir-maxpath/10.key" \
3982 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
3983 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3984 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3985
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3986requires_full_size_output_buffer
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3987requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3988run_test "Authentication: server max_int+1 chain, client optional" \
3989 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3990 key_file=data_files/dir-maxpath/10.key" \
3991 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
3992 auth_mode=optional" \
3993 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]3994 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3995
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3996requires_full_size_output_buffer
Arto Kinnunena1e98062019-09-26 19:35:16 +0300[diff] [blame^]3997requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3998run_test "Authentication: server max_int+1 chain, client none" \
3999 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4000 key_file=data_files/dir-maxpath/10.key" \
4001 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4002 auth_mode=none" \
4003 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4004 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4005
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4006requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4007run_test "Authentication: client max_int+1 chain, server default" \
4008 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
4009 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4010 key_file=data_files/dir-maxpath/10.key" \
4011 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4012 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4013
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4014requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4015run_test "Authentication: client max_int+1 chain, server optional" \
4016 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4017 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4018 key_file=data_files/dir-maxpath/10.key" \
4019 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4020 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4021
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4022requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4023run_test "Authentication: client max_int+1 chain, server required" \
4024 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4025 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4026 key_file=data_files/dir-maxpath/10.key" \
4027 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4028 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4029
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4030requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4031run_test "Authentication: client max_int chain, server required" \
4032 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4033 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4034 key_file=data_files/dir-maxpath/09.key" \
4035 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4036 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4037
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4038# Tests for CA list in CertificateRequest messages
4039
4040run_test "Authentication: send CA list in CertificateRequest (default)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4041 "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4042 "$P_CLI crt_file=data_files/server6.crt \
4043 key_file=data_files/server6.key" \
4044 0 \
4045 -s "requested DN"
4046
4047run_test "Authentication: do not send CA list in CertificateRequest" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4048 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0 ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4049 "$P_CLI crt_file=data_files/server6.crt \
4050 key_file=data_files/server6.key" \
4051 0 \
4052 -S "requested DN"
4053
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4054requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4055requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4056run_test "Authentication: send CA list in CertificateRequest, client self signed" \
4057 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4058 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4059 key_file=data_files/server5.key" \
4060 1 \
4061 -S "requested DN" \
4062 -s "x509_verify_cert() returned" \
4063 -s "! The certificate is not correctly signed by the trusted CA" \
4064 -s "! mbedtls_ssl_handshake returned" \
4065 -c "! mbedtls_ssl_handshake returned" \
4066 -s "X509 - Certificate verification failed"
4067
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4068# Tests for certificate selection based on SHA verson
4069
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4070requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4071requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4072run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
4073 "$P_SRV crt_file=data_files/server5.crt \
4074 key_file=data_files/server5.key \
4075 crt_file2=data_files/server5-sha1.crt \
4076 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4077 "$P_CLI force_version=tls1_2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4078 0 \
4079 -c "signed using.*ECDSA with SHA256" \
4080 -C "signed using.*ECDSA with SHA1"
4081
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4082requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4083requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4084run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
4085 "$P_SRV crt_file=data_files/server5.crt \
4086 key_file=data_files/server5.key \
4087 crt_file2=data_files/server5-sha1.crt \
4088 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4089 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4090 0 \
4091 -C "signed using.*ECDSA with SHA256" \
4092 -c "signed using.*ECDSA with SHA1"
4093
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4094requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4095requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4096run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
4097 "$P_SRV crt_file=data_files/server5.crt \
4098 key_file=data_files/server5.key \
4099 crt_file2=data_files/server5-sha1.crt \
4100 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4101 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4102 0 \
4103 -C "signed using.*ECDSA with SHA256" \
4104 -c "signed using.*ECDSA with SHA1"
4105
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4106requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4107requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4108run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
4109 "$P_SRV crt_file=data_files/server5.crt \
4110 key_file=data_files/server5.key \
4111 crt_file2=data_files/server6.crt \
4112 key_file2=data_files/server6.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4113 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4114 0 \
4115 -c "serial number.*09" \
4116 -c "signed using.*ECDSA with SHA256" \
4117 -C "signed using.*ECDSA with SHA1"
4118
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4119requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4120requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4121run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
4122 "$P_SRV crt_file=data_files/server6.crt \
4123 key_file=data_files/server6.key \
4124 crt_file2=data_files/server5.crt \
4125 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4126 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4127 0 \
4128 -c "serial number.*0A" \
4129 -c "signed using.*ECDSA with SHA256" \
4130 -C "signed using.*ECDSA with SHA1"
4131
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4132# tests for SNI
4133
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4134requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4135requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4136run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4137 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4138 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4139 "$P_CLI server_name=localhost ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4140 0 \
4141 -S "parse ServerName extension" \
4142 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4143 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4144
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4145requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4146requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4147requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4148run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4149 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4150 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4151 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4152 "$P_CLI server_name=localhost ca_file=data_files/test-ca.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4153 0 \
4154 -s "parse ServerName extension" \
4155 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4156 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4157
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4158requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4159requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4160requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4161run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4162 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4163 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4164 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4165 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4166 0 \
4167 -s "parse ServerName extension" \
4168 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4169 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4170
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4171requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4172run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4173 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4174 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4175 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4176 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4177 1 \
4178 -s "parse ServerName extension" \
4179 -s "ssl_sni_wrapper() returned" \
4180 -s "mbedtls_ssl_handshake returned" \
4181 -c "mbedtls_ssl_handshake returned" \
4182 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4183
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4184run_test "SNI: client auth no override: optional" \
4185 "$P_SRV debug_level=3 auth_mode=optional \
4186 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4187 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4188 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4189 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4190 -S "skip write certificate request" \
4191 -C "skip parse certificate request" \
4192 -c "got a certificate request" \
4193 -C "skip write certificate" \
4194 -C "skip write certificate verify" \
4195 -S "skip parse certificate verify"
4196
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4197requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4198run_test "SNI: client auth override: none -> optional" \
4199 "$P_SRV debug_level=3 auth_mode=none \
4200 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4201 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4202 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4203 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4204 -S "skip write certificate request" \
4205 -C "skip parse certificate request" \
4206 -c "got a certificate request" \
4207 -C "skip write certificate" \
4208 -C "skip write certificate verify" \
4209 -S "skip parse certificate verify"
4210
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4211requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4212run_test "SNI: client auth override: optional -> none" \
4213 "$P_SRV debug_level=3 auth_mode=optional \
4214 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4215 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4216 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4217 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4218 -s "skip write certificate request" \
4219 -C "skip parse certificate request" \
4220 -c "got no certificate request" \
4221 -c "skip write certificate" \
4222 -c "skip write certificate verify" \
4223 -s "skip parse certificate verify"
4224
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4225requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4226requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4227requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4228run_test "SNI: CA no override" \
4229 "$P_SRV debug_level=3 auth_mode=optional \
4230 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4231 ca_file=data_files/test-ca.crt \
4232 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4233 "$P_CLI debug_level=3 server_name=localhost \
4234 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4235 1 \
4236 -S "skip write certificate request" \
4237 -C "skip parse certificate request" \
4238 -c "got a certificate request" \
4239 -C "skip write certificate" \
4240 -C "skip write certificate verify" \
4241 -S "skip parse certificate verify" \
4242 -s "x509_verify_cert() returned" \
4243 -s "! The certificate is not correctly signed by the trusted CA" \
4244 -S "The certificate has been revoked (is on a CRL)"
4245
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4246requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4247requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4248requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4249run_test "SNI: CA override" \
4250 "$P_SRV debug_level=3 auth_mode=optional \
4251 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4252 ca_file=data_files/test-ca.crt \
4253 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4254 "$P_CLI debug_level=3 server_name=localhost \
4255 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4256 0 \
4257 -S "skip write certificate request" \
4258 -C "skip parse certificate request" \
4259 -c "got a certificate request" \
4260 -C "skip write certificate" \
4261 -C "skip write certificate verify" \
4262 -S "skip parse certificate verify" \
4263 -S "x509_verify_cert() returned" \
4264 -S "! The certificate is not correctly signed by the trusted CA" \
4265 -S "The certificate has been revoked (is on a CRL)"
4266
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4267requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4268requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4269requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4270run_test "SNI: CA override with CRL" \
4271 "$P_SRV debug_level=3 auth_mode=optional \
4272 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4273 ca_file=data_files/test-ca.crt \
4274 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4275 "$P_CLI debug_level=3 server_name=localhost \
4276 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4277 1 \
4278 -S "skip write certificate request" \
4279 -C "skip parse certificate request" \
4280 -c "got a certificate request" \
4281 -C "skip write certificate" \
4282 -C "skip write certificate verify" \
4283 -S "skip parse certificate verify" \
4284 -s "x509_verify_cert() returned" \
4285 -S "! The certificate is not correctly signed by the trusted CA" \
4286 -s "The certificate has been revoked (is on a CRL)"
4287
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4288# Tests for SNI and DTLS
4289
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4290requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4291requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4292run_test "SNI: DTLS, no SNI callback" \
4293 "$P_SRV debug_level=3 dtls=1 \
4294 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4295 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca2.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4296 0 \
4297 -S "parse ServerName extension" \
4298 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4299 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4300
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4301requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4302requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4303requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4304run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4305 "$P_SRV debug_level=3 dtls=1 \
4306 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4307 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4308 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca.crt" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4309 0 \
4310 -s "parse ServerName extension" \
4311 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4312 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4313
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4314requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4315requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4316requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4317run_test "SNI: DTLS, matching cert 2" \
4318 "$P_SRV debug_level=3 dtls=1 \
4319 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4320 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4321 "$P_CLI server_name=polarssl.example dtls=1 ca_file=data_files/test-ca.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4322 0 \
4323 -s "parse ServerName extension" \
4324 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4325 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4326
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4327requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4328run_test "SNI: DTLS, no matching cert" \
4329 "$P_SRV debug_level=3 dtls=1 \
4330 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4331 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4332 "$P_CLI server_name=nonesuch.example dtls=1" \
4333 1 \
4334 -s "parse ServerName extension" \
4335 -s "ssl_sni_wrapper() returned" \
4336 -s "mbedtls_ssl_handshake returned" \
4337 -c "mbedtls_ssl_handshake returned" \
4338 -c "SSL - A fatal alert message was received from our peer"
4339
4340run_test "SNI: DTLS, client auth no override: optional" \
4341 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4342 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4343 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4344 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4345 0 \
4346 -S "skip write certificate request" \
4347 -C "skip parse certificate request" \
4348 -c "got a certificate request" \
4349 -C "skip write certificate" \
4350 -C "skip write certificate verify" \
4351 -S "skip parse certificate verify"
4352
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4353requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4354run_test "SNI: DTLS, client auth override: none -> optional" \
4355 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
4356 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4357 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4358 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4359 0 \
4360 -S "skip write certificate request" \
4361 -C "skip parse certificate request" \
4362 -c "got a certificate request" \
4363 -C "skip write certificate" \
4364 -C "skip write certificate verify" \
4365 -S "skip parse certificate verify"
4366
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4367requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4368run_test "SNI: DTLS, client auth override: optional -> none" \
4369 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4370 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4371 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4372 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4373 0 \
4374 -s "skip write certificate request" \
4375 -C "skip parse certificate request" \
4376 -c "got no certificate request" \
4377 -c "skip write certificate" \
4378 -c "skip write certificate verify" \
4379 -s "skip parse certificate verify"
4380
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4381requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4382requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4383requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4384run_test "SNI: DTLS, CA no override" \
4385 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4386 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4387 ca_file=data_files/test-ca.crt \
4388 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4389 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4390 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4391 1 \
4392 -S "skip write certificate request" \
4393 -C "skip parse certificate request" \
4394 -c "got a certificate request" \
4395 -C "skip write certificate" \
4396 -C "skip write certificate verify" \
4397 -S "skip parse certificate verify" \
4398 -s "x509_verify_cert() returned" \
4399 -s "! The certificate is not correctly signed by the trusted CA" \
4400 -S "The certificate has been revoked (is on a CRL)"
4401
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4402requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4403run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4404 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4405 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4406 ca_file=data_files/test-ca.crt \
4407 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4408 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4409 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4410 0 \
4411 -S "skip write certificate request" \
4412 -C "skip parse certificate request" \
4413 -c "got a certificate request" \
4414 -C "skip write certificate" \
4415 -C "skip write certificate verify" \
4416 -S "skip parse certificate verify" \
4417 -S "x509_verify_cert() returned" \
4418 -S "! The certificate is not correctly signed by the trusted CA" \
4419 -S "The certificate has been revoked (is on a CRL)"
4420
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4421requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4422requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4423requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4424run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4425 "$P_SRV debug_level=3 auth_mode=optional \
4426 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
4427 ca_file=data_files/test-ca.crt \
4428 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4429 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4430 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4431 1 \
4432 -S "skip write certificate request" \
4433 -C "skip parse certificate request" \
4434 -c "got a certificate request" \
4435 -C "skip write certificate" \
4436 -C "skip write certificate verify" \
4437 -S "skip parse certificate verify" \
4438 -s "x509_verify_cert() returned" \
4439 -S "! The certificate is not correctly signed by the trusted CA" \
4440 -s "The certificate has been revoked (is on a CRL)"
4441
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4442# Tests for non-blocking I/O: exercise a variety of handshake flows
4443
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4444run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4445 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4446 "$P_CLI nbio=2 tickets=0" \
4447 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4448 -S "mbedtls_ssl_handshake returned" \
4449 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4450 -c "Read from server: .* bytes read"
4451
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4452run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4453 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
4454 "$P_CLI nbio=2 tickets=0" \
4455 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4456 -S "mbedtls_ssl_handshake returned" \
4457 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4458 -c "Read from server: .* bytes read"
4459
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4460run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4461 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4462 "$P_CLI nbio=2 tickets=1" \
4463 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4464 -S "mbedtls_ssl_handshake returned" \
4465 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4466 -c "Read from server: .* bytes read"
4467
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4468run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4469 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4470 "$P_CLI nbio=2 tickets=1" \
4471 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4472 -S "mbedtls_ssl_handshake returned" \
4473 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4474 -c "Read from server: .* bytes read"
4475
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4476run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4477 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4478 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4479 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4480 -S "mbedtls_ssl_handshake returned" \
4481 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4482 -c "Read from server: .* bytes read"
4483
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4484run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4485 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4486 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4487 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4488 -S "mbedtls_ssl_handshake returned" \
4489 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4490 -c "Read from server: .* bytes read"
4491
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4492run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4493 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4494 "$P_CLI nbio=2 tickets=0 reconnect=1" \
4495 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4496 -S "mbedtls_ssl_handshake returned" \
4497 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4498 -c "Read from server: .* bytes read"
4499
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]4500# Tests for event-driven I/O: exercise a variety of handshake flows
4501
4502run_test "Event-driven I/O: basic handshake" \
4503 "$P_SRV event=1 tickets=0 auth_mode=none" \
4504 "$P_CLI event=1 tickets=0" \
4505 0 \
4506 -S "mbedtls_ssl_handshake returned" \
4507 -C "mbedtls_ssl_handshake returned" \
4508 -c "Read from server: .* bytes read"
4509
4510run_test "Event-driven I/O: client auth" \
4511 "$P_SRV event=1 tickets=0 auth_mode=required" \
4512 "$P_CLI event=1 tickets=0" \
4513 0 \
4514 -S "mbedtls_ssl_handshake returned" \
4515 -C "mbedtls_ssl_handshake returned" \
4516 -c "Read from server: .* bytes read"
4517
4518run_test "Event-driven I/O: ticket" \
4519 "$P_SRV event=1 tickets=1 auth_mode=none" \
4520 "$P_CLI event=1 tickets=1" \
4521 0 \
4522 -S "mbedtls_ssl_handshake returned" \
4523 -C "mbedtls_ssl_handshake returned" \
4524 -c "Read from server: .* bytes read"
4525
4526run_test "Event-driven I/O: ticket + client auth" \
4527 "$P_SRV event=1 tickets=1 auth_mode=required" \
4528 "$P_CLI event=1 tickets=1" \
4529 0 \
4530 -S "mbedtls_ssl_handshake returned" \
4531 -C "mbedtls_ssl_handshake returned" \
4532 -c "Read from server: .* bytes read"
4533
4534run_test "Event-driven I/O: ticket + client auth + resume" \
4535 "$P_SRV event=1 tickets=1 auth_mode=required" \
4536 "$P_CLI event=1 tickets=1 reconnect=1" \
4537 0 \
4538 -S "mbedtls_ssl_handshake returned" \
4539 -C "mbedtls_ssl_handshake returned" \
4540 -c "Read from server: .* bytes read"
4541
4542run_test "Event-driven I/O: ticket + resume" \
4543 "$P_SRV event=1 tickets=1 auth_mode=none" \
4544 "$P_CLI event=1 tickets=1 reconnect=1" \
4545 0 \
4546 -S "mbedtls_ssl_handshake returned" \
4547 -C "mbedtls_ssl_handshake returned" \
4548 -c "Read from server: .* bytes read"
4549
4550run_test "Event-driven I/O: session-id resume" \
4551 "$P_SRV event=1 tickets=0 auth_mode=none" \
4552 "$P_CLI event=1 tickets=0 reconnect=1" \
4553 0 \
4554 -S "mbedtls_ssl_handshake returned" \
4555 -C "mbedtls_ssl_handshake returned" \
4556 -c "Read from server: .* bytes read"
4557
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4558run_test "Event-driven I/O, DTLS: basic handshake" \
4559 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4560 "$P_CLI dtls=1 event=1 tickets=0" \
4561 0 \
4562 -c "Read from server: .* bytes read"
4563
4564run_test "Event-driven I/O, DTLS: client auth" \
4565 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4566 "$P_CLI dtls=1 event=1 tickets=0" \
4567 0 \
4568 -c "Read from server: .* bytes read"
4569
4570run_test "Event-driven I/O, DTLS: ticket" \
4571 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4572 "$P_CLI dtls=1 event=1 tickets=1" \
4573 0 \
4574 -c "Read from server: .* bytes read"
4575
4576run_test "Event-driven I/O, DTLS: ticket + client auth" \
4577 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4578 "$P_CLI dtls=1 event=1 tickets=1" \
4579 0 \
4580 -c "Read from server: .* bytes read"
4581
4582run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
4583 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4584 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4585 0 \
4586 -c "Read from server: .* bytes read"
4587
4588run_test "Event-driven I/O, DTLS: ticket + resume" \
4589 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4590 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4591 0 \
4592 -c "Read from server: .* bytes read"
4593
4594run_test "Event-driven I/O, DTLS: session-id resume" \
4595 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4596 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4597 0 \
4598 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4599
4600# This test demonstrates the need for the mbedtls_ssl_check_pending function.
4601# During session resumption, the client will send its ApplicationData record
4602# within the same datagram as the Finished messages. In this situation, the
4603# server MUST NOT idle on the underlying transport after handshake completion,
4604# because the ApplicationData request has already been queued internally.
4605run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]4606 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4607 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4608 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4609 0 \
4610 -c "Read from server: .* bytes read"
4611
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4612# Tests for version negotiation
4613
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4614run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4615 "$P_SRV" \
4616 "$P_CLI" \
4617 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4618 -S "mbedtls_ssl_handshake returned" \
4619 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4620 -s "Protocol is TLSv1.2" \
4621 -c "Protocol is TLSv1.2"
4622
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4623run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4624 "$P_SRV" \
4625 "$P_CLI max_version=tls1_1" \
4626 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4627 -S "mbedtls_ssl_handshake returned" \
4628 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4629 -s "Protocol is TLSv1.1" \
4630 -c "Protocol is TLSv1.1"
4631
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4632run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4633 "$P_SRV max_version=tls1_1" \
4634 "$P_CLI" \
4635 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4636 -S "mbedtls_ssl_handshake returned" \
4637 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4638 -s "Protocol is TLSv1.1" \
4639 -c "Protocol is TLSv1.1"
4640
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4641run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4642 "$P_SRV max_version=tls1_1" \
4643 "$P_CLI max_version=tls1_1" \
4644 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4645 -S "mbedtls_ssl_handshake returned" \
4646 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4647 -s "Protocol is TLSv1.1" \
4648 -c "Protocol is TLSv1.1"
4649
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4650run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4651 "$P_SRV min_version=tls1_1" \
4652 "$P_CLI max_version=tls1_1" \
4653 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4654 -S "mbedtls_ssl_handshake returned" \
4655 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4656 -s "Protocol is TLSv1.1" \
4657 -c "Protocol is TLSv1.1"
4658
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4659run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4660 "$P_SRV max_version=tls1_1" \
4661 "$P_CLI min_version=tls1_1" \
4662 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4663 -S "mbedtls_ssl_handshake returned" \
4664 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4665 -s "Protocol is TLSv1.1" \
4666 -c "Protocol is TLSv1.1"
4667
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4668run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4669 "$P_SRV max_version=tls1_1" \
4670 "$P_CLI min_version=tls1_2" \
4671 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4672 -s "mbedtls_ssl_handshake returned" \
4673 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4674 -c "SSL - Handshake protocol not within min/max boundaries"
4675
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4676run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4677 "$P_SRV min_version=tls1_2" \
4678 "$P_CLI max_version=tls1_1" \
4679 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4680 -s "mbedtls_ssl_handshake returned" \
4681 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4682 -s "SSL - Handshake protocol not within min/max boundaries"
4683
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4684# Tests for ALPN extension
4685
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4686run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4687 "$P_SRV debug_level=3" \
4688 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4689 0 \
4690 -C "client hello, adding alpn extension" \
4691 -S "found alpn extension" \
4692 -C "got an alert message, type: \\[2:120]" \
4693 -S "server hello, adding alpn extension" \
4694 -C "found alpn extension " \
4695 -C "Application Layer Protocol is" \
4696 -S "Application Layer Protocol is"
4697
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4698run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4699 "$P_SRV debug_level=3" \
4700 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4701 0 \
4702 -c "client hello, adding alpn extension" \
4703 -s "found alpn extension" \
4704 -C "got an alert message, type: \\[2:120]" \
4705 -S "server hello, adding alpn extension" \
4706 -C "found alpn extension " \
4707 -c "Application Layer Protocol is (none)" \
4708 -S "Application Layer Protocol is"
4709
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4710run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4711 "$P_SRV debug_level=3 alpn=abc,1234" \
4712 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4713 0 \
4714 -C "client hello, adding alpn extension" \
4715 -S "found alpn extension" \
4716 -C "got an alert message, type: \\[2:120]" \
4717 -S "server hello, adding alpn extension" \
4718 -C "found alpn extension " \
4719 -C "Application Layer Protocol is" \
4720 -s "Application Layer Protocol is (none)"
4721
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4722run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4723 "$P_SRV debug_level=3 alpn=abc,1234" \
4724 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4725 0 \
4726 -c "client hello, adding alpn extension" \
4727 -s "found alpn extension" \
4728 -C "got an alert message, type: \\[2:120]" \
4729 -s "server hello, adding alpn extension" \
4730 -c "found alpn extension" \
4731 -c "Application Layer Protocol is abc" \
4732 -s "Application Layer Protocol is abc"
4733
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4734run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4735 "$P_SRV debug_level=3 alpn=abc,1234" \
4736 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4737 0 \
4738 -c "client hello, adding alpn extension" \
4739 -s "found alpn extension" \
4740 -C "got an alert message, type: \\[2:120]" \
4741 -s "server hello, adding alpn extension" \
4742 -c "found alpn extension" \
4743 -c "Application Layer Protocol is abc" \
4744 -s "Application Layer Protocol is abc"
4745
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4746run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4747 "$P_SRV debug_level=3 alpn=abc,1234" \
4748 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4749 0 \
4750 -c "client hello, adding alpn extension" \
4751 -s "found alpn extension" \
4752 -C "got an alert message, type: \\[2:120]" \
4753 -s "server hello, adding alpn extension" \
4754 -c "found alpn extension" \
4755 -c "Application Layer Protocol is 1234" \
4756 -s "Application Layer Protocol is 1234"
4757
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4758run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4759 "$P_SRV debug_level=3 alpn=abc,123" \
4760 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4761 1 \
4762 -c "client hello, adding alpn extension" \
4763 -s "found alpn extension" \
4764 -c "got an alert message, type: \\[2:120]" \
4765 -S "server hello, adding alpn extension" \
4766 -C "found alpn extension" \
4767 -C "Application Layer Protocol is 1234" \
4768 -S "Application Layer Protocol is 1234"
4769
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]4770
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4771# Tests for keyUsage in leaf certificates, part 1:
4772# server-side certificate/suite selection
4773
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4774run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4775 "$P_SRV key_file=data_files/server2.key \
4776 crt_file=data_files/server2.ku-ds.crt" \
4777 "$P_CLI" \
4778 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]4779 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4780
4781
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4782run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4783 "$P_SRV key_file=data_files/server2.key \
4784 crt_file=data_files/server2.ku-ke.crt" \
4785 "$P_CLI" \
4786 0 \
4787 -c "Ciphersuite is TLS-RSA-WITH-"
4788
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4789run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4790 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4791 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4792 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4793 1 \
4794 -C "Ciphersuite is "
4795
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4796run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4797 "$P_SRV key_file=data_files/server5.key \
4798 crt_file=data_files/server5.ku-ds.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4799 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4800 0 \
4801 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
4802
4803
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4804run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4805 "$P_SRV key_file=data_files/server5.key \
4806 crt_file=data_files/server5.ku-ka.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4807 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4808 0 \
4809 -c "Ciphersuite is TLS-ECDH-"
4810
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4811run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4812 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4813 crt_file=data_files/server5.ku-ke.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4814 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4815 1 \
4816 -C "Ciphersuite is "
4817
4818# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4819# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4820
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4821run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4822 "$O_SRV -key data_files/server2.key \
4823 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4824 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4825 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4826 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4827 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4828 -C "Processing of the Certificate handshake message failed" \
4829 -c "Ciphersuite is TLS-"
4830
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4831run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4832 "$O_SRV -key data_files/server2.key \
4833 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4834 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4835 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4836 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4837 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4838 -C "Processing of the Certificate handshake message failed" \
4839 -c "Ciphersuite is TLS-"
4840
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4841run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4842 "$O_SRV -key data_files/server2.key \
4843 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4844 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4845 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4846 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4847 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4848 -C "Processing of the Certificate handshake message failed" \
4849 -c "Ciphersuite is TLS-"
4850
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4851run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4852 "$O_SRV -key data_files/server2.key \
4853 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4854 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4855 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4856 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4857 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4858 -c "Processing of the Certificate handshake message failed" \
4859 -C "Ciphersuite is TLS-"
4860
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4861requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4862requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4863run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
4864 "$O_SRV -key data_files/server2.key \
4865 -cert data_files/server2.ku-ke.crt" \
4866 "$P_CLI debug_level=1 auth_mode=optional \
4867 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4868 0 \
4869 -c "bad certificate (usage extensions)" \
4870 -C "Processing of the Certificate handshake message failed" \
4871 -c "Ciphersuite is TLS-" \
4872 -c "! Usage does not match the keyUsage extension"
4873
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4874run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4875 "$O_SRV -key data_files/server2.key \
4876 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4877 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4878 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4879 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4880 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4881 -C "Processing of the Certificate handshake message failed" \
4882 -c "Ciphersuite is TLS-"
4883
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4884run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4885 "$O_SRV -key data_files/server2.key \
4886 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4887 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4888 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4889 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4890 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4891 -c "Processing of the Certificate handshake message failed" \
4892 -C "Ciphersuite is TLS-"
4893
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4894requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4895requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4896run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
4897 "$O_SRV -key data_files/server2.key \
4898 -cert data_files/server2.ku-ds.crt" \
4899 "$P_CLI debug_level=1 auth_mode=optional \
4900 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4901 0 \
4902 -c "bad certificate (usage extensions)" \
4903 -C "Processing of the Certificate handshake message failed" \
4904 -c "Ciphersuite is TLS-" \
4905 -c "! Usage does not match the keyUsage extension"
4906
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4907# Tests for keyUsage in leaf certificates, part 3:
4908# server-side checking of client cert
4909
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4910run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4911 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4912 "$O_CLI -key data_files/server2.key \
4913 -cert data_files/server2.ku-ds.crt" \
4914 0 \
4915 -S "bad certificate (usage extensions)" \
4916 -S "Processing of the Certificate handshake message failed"
4917
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4918run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4919 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4920 "$O_CLI -key data_files/server2.key \
4921 -cert data_files/server2.ku-ke.crt" \
4922 0 \
4923 -s "bad certificate (usage extensions)" \
4924 -S "Processing of the Certificate handshake message failed"
4925
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4926run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4927 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4928 "$O_CLI -key data_files/server2.key \
4929 -cert data_files/server2.ku-ke.crt" \
4930 1 \
4931 -s "bad certificate (usage extensions)" \
4932 -s "Processing of the Certificate handshake message failed"
4933
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4934run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4935 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4936 "$O_CLI -key data_files/server5.key \
4937 -cert data_files/server5.ku-ds.crt" \
4938 0 \
4939 -S "bad certificate (usage extensions)" \
4940 -S "Processing of the Certificate handshake message failed"
4941
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4942run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4943 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4944 "$O_CLI -key data_files/server5.key \
4945 -cert data_files/server5.ku-ka.crt" \
4946 0 \
4947 -s "bad certificate (usage extensions)" \
4948 -S "Processing of the Certificate handshake message failed"
4949
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4950# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
4951
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4952run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4953 "$P_SRV key_file=data_files/server5.key \
4954 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4955 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4956 0
4957
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4958run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4959 "$P_SRV key_file=data_files/server5.key \
4960 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4961 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4962 0
4963
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4964run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4965 "$P_SRV key_file=data_files/server5.key \
4966 crt_file=data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4967 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4968 0
4969
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4970run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]4971 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4972 crt_file=data_files/server5.eku-cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4973 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4974 1
4975
4976# Tests for extendedKeyUsage, part 2: client-side checking of server cert
4977
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4978run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4979 "$O_SRV -key data_files/server5.key \
4980 -cert data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4981 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4982 0 \
4983 -C "bad certificate (usage extensions)" \
4984 -C "Processing of the Certificate handshake message failed" \
4985 -c "Ciphersuite is TLS-"
4986
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4987run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4988 "$O_SRV -key data_files/server5.key \
4989 -cert data_files/server5.eku-srv_cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4990 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4991 0 \
4992 -C "bad certificate (usage extensions)" \
4993 -C "Processing of the Certificate handshake message failed" \
4994 -c "Ciphersuite is TLS-"
4995
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4996run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4997 "$O_SRV -key data_files/server5.key \
4998 -cert data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4999 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5000 0 \
5001 -C "bad certificate (usage extensions)" \
5002 -C "Processing of the Certificate handshake message failed" \
5003 -c "Ciphersuite is TLS-"
5004
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5005run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5006 "$O_SRV -key data_files/server5.key \
5007 -cert data_files/server5.eku-cs.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5008 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5009 1 \
5010 -c "bad certificate (usage extensions)" \
5011 -c "Processing of the Certificate handshake message failed" \
5012 -C "Ciphersuite is TLS-"
5013
5014# Tests for extendedKeyUsage, part 3: server-side checking of client cert
5015
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5016run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5017 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5018 "$O_CLI -key data_files/server5.key \
5019 -cert data_files/server5.eku-cli.crt" \
5020 0 \
5021 -S "bad certificate (usage extensions)" \
5022 -S "Processing of the Certificate handshake message failed"
5023
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5024run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5025 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5026 "$O_CLI -key data_files/server5.key \
5027 -cert data_files/server5.eku-srv_cli.crt" \
5028 0 \
5029 -S "bad certificate (usage extensions)" \
5030 -S "Processing of the Certificate handshake message failed"
5031
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5032run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5033 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5034 "$O_CLI -key data_files/server5.key \
5035 -cert data_files/server5.eku-cs_any.crt" \
5036 0 \
5037 -S "bad certificate (usage extensions)" \
5038 -S "Processing of the Certificate handshake message failed"
5039
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5040run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5041 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5042 "$O_CLI -key data_files/server5.key \
5043 -cert data_files/server5.eku-cs.crt" \
5044 0 \
5045 -s "bad certificate (usage extensions)" \
5046 -S "Processing of the Certificate handshake message failed"
5047
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5048run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5049 "$P_SRV debug_level=1 auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5050 "$O_CLI -key data_files/server5.key \
5051 -cert data_files/server5.eku-cs.crt" \
5052 1 \
5053 -s "bad certificate (usage extensions)" \
5054 -s "Processing of the Certificate handshake message failed"
5055
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5056# Tests for DHM parameters loading
5057
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5058run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5059 "$P_SRV" \
5060 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5061 debug_level=3" \
5062 0 \
5063 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]5064 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5065
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5066run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5067 "$P_SRV dhm_file=data_files/dhparams.pem" \
5068 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5069 debug_level=3" \
5070 0 \
5071 -c "value of 'DHM: P ' (1024 bits)" \
5072 -c "value of 'DHM: G ' (2 bits)"
5073
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5074# Tests for DHM client-side size checking
5075
5076run_test "DHM size: server default, client default, OK" \
5077 "$P_SRV" \
5078 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5079 debug_level=1" \
5080 0 \
5081 -C "DHM prime too short:"
5082
5083run_test "DHM size: server default, client 2048, OK" \
5084 "$P_SRV" \
5085 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5086 debug_level=1 dhmlen=2048" \
5087 0 \
5088 -C "DHM prime too short:"
5089
5090run_test "DHM size: server 1024, client default, OK" \
5091 "$P_SRV dhm_file=data_files/dhparams.pem" \
5092 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5093 debug_level=1" \
5094 0 \
5095 -C "DHM prime too short:"
5096
5097run_test "DHM size: server 1000, client default, rejected" \
5098 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5099 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5100 debug_level=1" \
5101 1 \
5102 -c "DHM prime too short:"
5103
5104run_test "DHM size: server default, client 2049, rejected" \
5105 "$P_SRV" \
5106 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5107 debug_level=1 dhmlen=2049" \
5108 1 \
5109 -c "DHM prime too short:"
5110
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5111# Tests for PSK callback
5112
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5113run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5114 "$P_SRV psk=abc123 psk_identity=foo" \
5115 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5116 psk_identity=foo psk=abc123" \
5117 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5118 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5119 -S "SSL - Unknown identity received" \
5120 -S "SSL - Verification of the message MAC failed"
5121
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5122run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5123 "$P_SRV" \
5124 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5125 psk_identity=foo psk=abc123" \
5126 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5127 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5128 -S "SSL - Unknown identity received" \
5129 -S "SSL - Verification of the message MAC failed"
5130
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5131run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5132 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
5133 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5134 psk_identity=foo psk=abc123" \
5135 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5136 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5137 -s "SSL - Unknown identity received" \
5138 -S "SSL - Verification of the message MAC failed"
5139
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5140run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5141 "$P_SRV psk_list=abc,dead,def,beef" \
5142 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5143 psk_identity=abc psk=dead" \
5144 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5145 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5146 -S "SSL - Unknown identity received" \
5147 -S "SSL - Verification of the message MAC failed"
5148
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5149run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5150 "$P_SRV psk_list=abc,dead,def,beef" \
5151 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5152 psk_identity=def psk=beef" \
5153 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5154 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5155 -S "SSL - Unknown identity received" \
5156 -S "SSL - Verification of the message MAC failed"
5157
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5158run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5159 "$P_SRV psk_list=abc,dead,def,beef" \
5160 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5161 psk_identity=ghi psk=beef" \
5162 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5163 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5164 -s "SSL - Unknown identity received" \
5165 -S "SSL - Verification of the message MAC failed"
5166
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5167run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5168 "$P_SRV psk_list=abc,dead,def,beef" \
5169 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5170 psk_identity=abc psk=beef" \
5171 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5172 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5173 -S "SSL - Unknown identity received" \
5174 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5175
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5176# Tests for EC J-PAKE
5177
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5178requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5179run_test "ECJPAKE: client not configured" \
5180 "$P_SRV debug_level=3" \
5181 "$P_CLI debug_level=3" \
5182 0 \
5183 -C "add ciphersuite: c0ff" \
5184 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5185 -S "found ecjpake kkpp extension" \
5186 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5187 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5188 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5189 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5190 -S "None of the common ciphersuites is usable"
5191
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5192requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5193run_test "ECJPAKE: server not configured" \
5194 "$P_SRV debug_level=3" \
5195 "$P_CLI debug_level=3 ecjpake_pw=bla \
5196 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5197 1 \
5198 -c "add ciphersuite: c0ff" \
5199 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5200 -s "found ecjpake kkpp extension" \
5201 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5202 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5203 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5204 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5205 -s "None of the common ciphersuites is usable"
5206
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5207requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5208run_test "ECJPAKE: working, TLS" \
5209 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5210 "$P_CLI debug_level=3 ecjpake_pw=bla \
5211 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]5212 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5213 -c "add ciphersuite: c0ff" \
5214 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5215 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5216 -s "found ecjpake kkpp extension" \
5217 -S "skip ecjpake kkpp extension" \
5218 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5219 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5220 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5221 -S "None of the common ciphersuites is usable" \
5222 -S "SSL - Verification of the message MAC failed"
5223
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5224server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5225requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5226run_test "ECJPAKE: password mismatch, TLS" \
5227 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5228 "$P_CLI debug_level=3 ecjpake_pw=bad \
5229 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5230 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5231 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5232 -s "SSL - Verification of the message MAC failed"
5233
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5234requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5235run_test "ECJPAKE: working, DTLS" \
5236 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5237 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5238 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5239 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5240 -c "re-using cached ecjpake parameters" \
5241 -S "SSL - Verification of the message MAC failed"
5242
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5243requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5244run_test "ECJPAKE: working, DTLS, no cookie" \
5245 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
5246 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5247 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5248 0 \
5249 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5250 -S "SSL - Verification of the message MAC failed"
5251
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5252server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5253requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5254run_test "ECJPAKE: password mismatch, DTLS" \
5255 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5256 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
5257 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5258 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5259 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5260 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5261
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5262# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5263requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5264run_test "ECJPAKE: working, DTLS, nolog" \
5265 "$P_SRV dtls=1 ecjpake_pw=bla" \
5266 "$P_CLI dtls=1 ecjpake_pw=bla \
5267 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5268 0
5269
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5270# Tests for ciphersuites per version
5271
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5272requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5273requires_config_enabled MBEDTLS_CAMELLIA_C
5274requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5275run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5276 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5277 "$P_CLI force_version=ssl3" \
5278 0 \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5279 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5280
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5281requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
5282requires_config_enabled MBEDTLS_CAMELLIA_C
5283requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5284run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5285 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]5286 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5287 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5288 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5289
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5290requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
5291requires_config_enabled MBEDTLS_CAMELLIA_C
5292requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5293run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5294 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5295 "$P_CLI force_version=tls1_1" \
5296 0 \
5297 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
5298
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5299requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
5300requires_config_enabled MBEDTLS_CAMELLIA_C
5301requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5302run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5303 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5304 "$P_CLI force_version=tls1_2" \
5305 0 \
5306 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
5307
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5308# Test for ClientHello without extensions
5309
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]5310requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5311run_test "ClientHello without extensions, SHA-1 allowed" \
Ron Eldorb76e7652019-01-16 23:14:41 +0200[diff] [blame]5312 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5313 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5314 0 \
5315 -s "dumping 'client hello extensions' (0 bytes)"
5316
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5317requires_gnutls
5318run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
5319 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5320 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5321 0 \
5322 -s "dumping 'client hello extensions' (0 bytes)"
5323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5324# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5325
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5326run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5327 "$P_SRV" \
5328 "$P_CLI request_size=100" \
5329 0 \
5330 -s "Read from client: 100 bytes read$"
5331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5332run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5333 "$P_SRV" \
5334 "$P_CLI request_size=500" \
5335 0 \
5336 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5337
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5338# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5339
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5340requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5341run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5342 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5343 "$P_CLI request_size=1 force_version=ssl3 \
5344 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5345 0 \
5346 -s "Read from client: 1 bytes read"
5347
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5348requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5349run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5350 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5351 "$P_CLI request_size=1 force_version=ssl3 \
5352 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5353 0 \
5354 -s "Read from client: 1 bytes read"
5355
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5356run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5357 "$P_SRV" \
5358 "$P_CLI request_size=1 force_version=tls1 \
5359 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5360 0 \
5361 -s "Read from client: 1 bytes read"
5362
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5363run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5364 "$P_SRV" \
5365 "$P_CLI request_size=1 force_version=tls1 etm=0 \
5366 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5367 0 \
5368 -s "Read from client: 1 bytes read"
5369
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5370requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5371run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5372 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5373 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5374 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5375 0 \
5376 -s "Read from client: 1 bytes read"
5377
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5378requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5379run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5380 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5381 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5382 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5383 0 \
5384 -s "Read from client: 1 bytes read"
5385
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5386run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5387 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5388 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5389 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5390 0 \
5391 -s "Read from client: 1 bytes read"
5392
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5393run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5394 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5395 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5396 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5397 0 \
5398 -s "Read from client: 1 bytes read"
5399
5400requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5401run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5402 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5403 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5404 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5405 0 \
5406 -s "Read from client: 1 bytes read"
5407
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5408requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5409run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5410 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5411 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5412 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5413 0 \
5414 -s "Read from client: 1 bytes read"
5415
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5416run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5417 "$P_SRV" \
5418 "$P_CLI request_size=1 force_version=tls1_1 \
5419 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5420 0 \
5421 -s "Read from client: 1 bytes read"
5422
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5423run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5424 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5425 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5426 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5427 0 \
5428 -s "Read from client: 1 bytes read"
5429
5430requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5431run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5432 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5433 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5434 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5435 0 \
5436 -s "Read from client: 1 bytes read"
5437
5438requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5439run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5440 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5441 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5442 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5443 0 \
5444 -s "Read from client: 1 bytes read"
5445
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5446run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5447 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5448 "$P_CLI request_size=1 force_version=tls1_1 \
5449 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5450 0 \
5451 -s "Read from client: 1 bytes read"
5452
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5453run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5454 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5455 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5456 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5457 0 \
5458 -s "Read from client: 1 bytes read"
5459
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5460requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5461run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5462 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5463 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5464 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5465 0 \
5466 -s "Read from client: 1 bytes read"
5467
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5468requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5469run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5470 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5471 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5472 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5473 0 \
5474 -s "Read from client: 1 bytes read"
5475
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5476run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5477 "$P_SRV" \
5478 "$P_CLI request_size=1 force_version=tls1_2 \
5479 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5480 0 \
5481 -s "Read from client: 1 bytes read"
5482
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5483run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5484 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5485 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5486 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5487 0 \
5488 -s "Read from client: 1 bytes read"
5489
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5490run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5491 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5492 "$P_CLI request_size=1 force_version=tls1_2 \
5493 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5494 0 \
5495 -s "Read from client: 1 bytes read"
5496
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5497requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5498run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5499 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5500 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5501 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5502 0 \
5503 -s "Read from client: 1 bytes read"
5504
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5505requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5506run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5507 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5508 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5509 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5510 0 \
5511 -s "Read from client: 1 bytes read"
5512
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5513run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5514 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5515 "$P_CLI request_size=1 force_version=tls1_2 \
5516 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5517 0 \
5518 -s "Read from client: 1 bytes read"
5519
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5520run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5521 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5522 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5523 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5524 0 \
5525 -s "Read from client: 1 bytes read"
5526
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5527requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5528run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5529 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5530 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5531 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5532 0 \
5533 -s "Read from client: 1 bytes read"
5534
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5535requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5536run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5537 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5538 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5539 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5540 0 \
5541 -s "Read from client: 1 bytes read"
5542
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5543run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5544 "$P_SRV" \
5545 "$P_CLI request_size=1 force_version=tls1_2 \
5546 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5547 0 \
5548 -s "Read from client: 1 bytes read"
5549
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5550run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5551 "$P_SRV" \
5552 "$P_CLI request_size=1 force_version=tls1_2 \
5553 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5554 0 \
5555 -s "Read from client: 1 bytes read"
5556
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5557# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5558
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5559run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5560 "$P_SRV dtls=1 force_version=dtls1" \
5561 "$P_CLI dtls=1 request_size=1 \
5562 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5563 0 \
5564 -s "Read from client: 1 bytes read"
5565
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5566run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5567 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
5568 "$P_CLI dtls=1 request_size=1 \
5569 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5570 0 \
5571 -s "Read from client: 1 bytes read"
5572
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5573requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5574run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5575 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
5576 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5577 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5578 0 \
5579 -s "Read from client: 1 bytes read"
5580
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5581requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5582run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5583 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5584 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5585 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5586 0 \
5587 -s "Read from client: 1 bytes read"
5588
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5589run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5590 "$P_SRV dtls=1 force_version=dtls1_2" \
5591 "$P_CLI dtls=1 request_size=1 \
5592 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5593 0 \
5594 -s "Read from client: 1 bytes read"
5595
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5596run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5597 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5598 "$P_CLI dtls=1 request_size=1 \
5599 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5600 0 \
5601 -s "Read from client: 1 bytes read"
5602
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5603requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5604run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5605 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5606 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5607 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5608 0 \
5609 -s "Read from client: 1 bytes read"
5610
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5611requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5612run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5613 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5614 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5615 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5616 0 \
5617 -s "Read from client: 1 bytes read"
5618
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5619# Tests for small server packets
5620
5621requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5622run_test "Small server packet SSLv3 BlockCipher" \
5623 "$P_SRV response_size=1 min_version=ssl3" \
5624 "$P_CLI force_version=ssl3 \
5625 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5626 0 \
5627 -c "Read from server: 1 bytes read"
5628
5629requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5630run_test "Small server packet SSLv3 StreamCipher" \
5631 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5632 "$P_CLI force_version=ssl3 \
5633 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5634 0 \
5635 -c "Read from server: 1 bytes read"
5636
5637run_test "Small server packet TLS 1.0 BlockCipher" \
5638 "$P_SRV response_size=1" \
5639 "$P_CLI force_version=tls1 \
5640 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5641 0 \
5642 -c "Read from server: 1 bytes read"
5643
5644run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
5645 "$P_SRV response_size=1" \
5646 "$P_CLI force_version=tls1 etm=0 \
5647 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5648 0 \
5649 -c "Read from server: 1 bytes read"
5650
5651requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5652run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
5653 "$P_SRV response_size=1 trunc_hmac=1" \
5654 "$P_CLI force_version=tls1 \
5655 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5656 0 \
5657 -c "Read from server: 1 bytes read"
5658
5659requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5660run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
5661 "$P_SRV response_size=1 trunc_hmac=1" \
5662 "$P_CLI force_version=tls1 \
5663 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5664 0 \
5665 -c "Read from server: 1 bytes read"
5666
5667run_test "Small server packet TLS 1.0 StreamCipher" \
5668 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5669 "$P_CLI force_version=tls1 \
5670 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5671 0 \
5672 -c "Read from server: 1 bytes read"
5673
5674run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
5675 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5676 "$P_CLI force_version=tls1 \
5677 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5678 0 \
5679 -c "Read from server: 1 bytes read"
5680
5681requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5682run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
5683 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5684 "$P_CLI force_version=tls1 \
5685 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5686 0 \
5687 -c "Read from server: 1 bytes read"
5688
5689requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5690run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
5691 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5692 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5693 trunc_hmac=1 etm=0" \
5694 0 \
5695 -c "Read from server: 1 bytes read"
5696
5697run_test "Small server packet TLS 1.1 BlockCipher" \
5698 "$P_SRV response_size=1" \
5699 "$P_CLI force_version=tls1_1 \
5700 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5701 0 \
5702 -c "Read from server: 1 bytes read"
5703
5704run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
5705 "$P_SRV response_size=1" \
5706 "$P_CLI force_version=tls1_1 \
5707 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5708 0 \
5709 -c "Read from server: 1 bytes read"
5710
5711requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5712run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
5713 "$P_SRV response_size=1 trunc_hmac=1" \
5714 "$P_CLI force_version=tls1_1 \
5715 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5716 0 \
5717 -c "Read from server: 1 bytes read"
5718
5719requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5720run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
5721 "$P_SRV response_size=1 trunc_hmac=1" \
5722 "$P_CLI force_version=tls1_1 \
5723 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5724 0 \
5725 -c "Read from server: 1 bytes read"
5726
5727run_test "Small server packet TLS 1.1 StreamCipher" \
5728 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5729 "$P_CLI force_version=tls1_1 \
5730 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5731 0 \
5732 -c "Read from server: 1 bytes read"
5733
5734run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
5735 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5736 "$P_CLI force_version=tls1_1 \
5737 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5738 0 \
5739 -c "Read from server: 1 bytes read"
5740
5741requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5742run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
5743 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5744 "$P_CLI force_version=tls1_1 \
5745 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5746 0 \
5747 -c "Read from server: 1 bytes read"
5748
5749requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5750run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
5751 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5752 "$P_CLI force_version=tls1_1 \
5753 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5754 0 \
5755 -c "Read from server: 1 bytes read"
5756
5757run_test "Small server packet TLS 1.2 BlockCipher" \
5758 "$P_SRV response_size=1" \
5759 "$P_CLI force_version=tls1_2 \
5760 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5761 0 \
5762 -c "Read from server: 1 bytes read"
5763
5764run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
5765 "$P_SRV response_size=1" \
5766 "$P_CLI force_version=tls1_2 \
5767 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5768 0 \
5769 -c "Read from server: 1 bytes read"
5770
5771run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
5772 "$P_SRV response_size=1" \
5773 "$P_CLI force_version=tls1_2 \
5774 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
5775 0 \
5776 -c "Read from server: 1 bytes read"
5777
5778requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5779run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
5780 "$P_SRV response_size=1 trunc_hmac=1" \
5781 "$P_CLI force_version=tls1_2 \
5782 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5783 0 \
5784 -c "Read from server: 1 bytes read"
5785
5786requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5787run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
5788 "$P_SRV response_size=1 trunc_hmac=1" \
5789 "$P_CLI force_version=tls1_2 \
5790 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5791 0 \
5792 -c "Read from server: 1 bytes read"
5793
5794run_test "Small server packet TLS 1.2 StreamCipher" \
5795 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5796 "$P_CLI force_version=tls1_2 \
5797 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5798 0 \
5799 -c "Read from server: 1 bytes read"
5800
5801run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
5802 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5803 "$P_CLI force_version=tls1_2 \
5804 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5805 0 \
5806 -c "Read from server: 1 bytes read"
5807
5808requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5809run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
5810 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5811 "$P_CLI force_version=tls1_2 \
5812 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5813 0 \
5814 -c "Read from server: 1 bytes read"
5815
5816requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5817run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
5818 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5819 "$P_CLI force_version=tls1_2 \
5820 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5821 0 \
5822 -c "Read from server: 1 bytes read"
5823
5824run_test "Small server packet TLS 1.2 AEAD" \
5825 "$P_SRV response_size=1" \
5826 "$P_CLI force_version=tls1_2 \
5827 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5828 0 \
5829 -c "Read from server: 1 bytes read"
5830
5831run_test "Small server packet TLS 1.2 AEAD shorter tag" \
5832 "$P_SRV response_size=1" \
5833 "$P_CLI force_version=tls1_2 \
5834 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5835 0 \
5836 -c "Read from server: 1 bytes read"
5837
5838# Tests for small server packets in DTLS
5839
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5840run_test "Small server packet DTLS 1.0" \
5841 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
5842 "$P_CLI dtls=1 \
5843 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5844 0 \
5845 -c "Read from server: 1 bytes read"
5846
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5847run_test "Small server packet DTLS 1.0, without EtM" \
5848 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
5849 "$P_CLI dtls=1 \
5850 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5851 0 \
5852 -c "Read from server: 1 bytes read"
5853
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5854requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5855run_test "Small server packet DTLS 1.0, truncated hmac" \
5856 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
5857 "$P_CLI dtls=1 trunc_hmac=1 \
5858 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5859 0 \
5860 -c "Read from server: 1 bytes read"
5861
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5862requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5863run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
5864 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
5865 "$P_CLI dtls=1 \
5866 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5867 0 \
5868 -c "Read from server: 1 bytes read"
5869
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5870run_test "Small server packet DTLS 1.2" \
5871 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
5872 "$P_CLI dtls=1 \
5873 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5874 0 \
5875 -c "Read from server: 1 bytes read"
5876
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5877run_test "Small server packet DTLS 1.2, without EtM" \
5878 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
5879 "$P_CLI dtls=1 \
5880 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5881 0 \
5882 -c "Read from server: 1 bytes read"
5883
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5884requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5885run_test "Small server packet DTLS 1.2, truncated hmac" \
5886 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
5887 "$P_CLI dtls=1 \
5888 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5889 0 \
5890 -c "Read from server: 1 bytes read"
5891
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5892requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5893run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
5894 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
5895 "$P_CLI dtls=1 \
5896 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5897 0 \
5898 -c "Read from server: 1 bytes read"
5899
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]5900# A test for extensions in SSLv3
5901
5902requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5903run_test "SSLv3 with extensions, server side" \
5904 "$P_SRV min_version=ssl3 debug_level=3" \
5905 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
5906 0 \
5907 -S "dumping 'client hello extensions'" \
5908 -S "server hello, total extension length:"
5909
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5910# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5911
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5912# How many fragments do we expect to write $1 bytes?
5913fragments_for_write() {
5914 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
5915}
5916
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5917requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5918run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5919 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5920 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5921 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5922 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5923 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5924 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5925
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5926requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5927run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5928 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5929 "$P_CLI request_size=16384 force_version=ssl3 \
5930 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5931 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5932 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5933 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5934
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5935run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5936 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5937 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5938 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5939 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5940 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5941 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5942
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5943run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5944 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5945 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
5946 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5947 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5948 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5949
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5950requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5951run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5952 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5953 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5954 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5955 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5956 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5957 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5958
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5959requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5960run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5961 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5962 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5963 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5964 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5965 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5966
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5967run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5968 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5969 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5970 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5971 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5972 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5973
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5974run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5975 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5976 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5977 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5978 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5979 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5980
5981requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5982run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5983 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5984 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5985 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5986 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5987 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5988
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5989requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5990run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5991 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5992 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5993 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5994 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5995 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5996 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5997
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5998run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5999 "$P_SRV" \
6000 "$P_CLI request_size=16384 force_version=tls1_1 \
6001 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6002 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6003 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6004 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6005
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6006run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6007 "$P_SRV" \
6008 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
6009 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6010 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6011 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6012
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6013requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6014run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6015 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6016 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6017 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6018 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6019 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6020
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6021requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6022run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6023 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6024 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6025 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6026 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6027 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6028
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6029run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6030 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6031 "$P_CLI request_size=16384 force_version=tls1_1 \
6032 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6033 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6034 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6035 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6036
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6037run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6038 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6039 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6040 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6041 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6042 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6043 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6044
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6045requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6046run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6047 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6048 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6049 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6050 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6051 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6052
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6053requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6054run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6055 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6056 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6057 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6058 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6059 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6060 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6061
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6062run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6063 "$P_SRV" \
6064 "$P_CLI request_size=16384 force_version=tls1_2 \
6065 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6066 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6067 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6068 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6069
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6070run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6071 "$P_SRV" \
6072 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
6073 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6074 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6075 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6076
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6077run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6078 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6079 "$P_CLI request_size=16384 force_version=tls1_2 \
6080 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6081 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6082 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6083 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6084
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6085requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6086run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6087 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6088 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6089 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6090 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6091 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6092
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6093requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6094run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6095 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6096 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6097 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6098 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6099 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6100 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6101
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6102run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6103 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6104 "$P_CLI request_size=16384 force_version=tls1_2 \
6105 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6106 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6107 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6108 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6109
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6110run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6111 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6112 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6113 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6114 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6115 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6116
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6117requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6118run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6119 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6120 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6121 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6122 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6123 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6124
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6125requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6126run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6127 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6128 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6129 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6130 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6131 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6132 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6133
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6134run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6135 "$P_SRV" \
6136 "$P_CLI request_size=16384 force_version=tls1_2 \
6137 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6138 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6139 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6140 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6141
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6142run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6143 "$P_SRV" \
6144 "$P_CLI request_size=16384 force_version=tls1_2 \
6145 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6146 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6147 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6148 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6149
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6150# Test for large server packets
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6151requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6152run_test "Large server packet SSLv3 StreamCipher" \
6153 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6154 "$P_CLI force_version=ssl3 \
6155 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6156 0 \
6157 -c "Read from server: 16384 bytes read"
6158
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]6159# Checking next 4 tests logs for 1n-1 split against BEAST too
6160requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6161run_test "Large server packet SSLv3 BlockCipher" \
6162 "$P_SRV response_size=16384 min_version=ssl3" \
6163 "$P_CLI force_version=ssl3 recsplit=0 \
6164 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6165 0 \
6166 -c "Read from server: 1 bytes read"\
6167 -c "16383 bytes read"\
6168 -C "Read from server: 16384 bytes read"
6169
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6170run_test "Large server packet TLS 1.0 BlockCipher" \
6171 "$P_SRV response_size=16384" \
6172 "$P_CLI force_version=tls1 recsplit=0 \
6173 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6174 0 \
6175 -c "Read from server: 1 bytes read"\
6176 -c "16383 bytes read"\
6177 -C "Read from server: 16384 bytes read"
6178
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6179run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
6180 "$P_SRV response_size=16384" \
6181 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
6182 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6183 0 \
6184 -c "Read from server: 1 bytes read"\
6185 -c "16383 bytes read"\
6186 -C "Read from server: 16384 bytes read"
6187
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6188requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6189run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
6190 "$P_SRV response_size=16384" \
6191 "$P_CLI force_version=tls1 recsplit=0 \
6192 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6193 trunc_hmac=1" \
6194 0 \
6195 -c "Read from server: 1 bytes read"\
6196 -c "16383 bytes read"\
6197 -C "Read from server: 16384 bytes read"
6198
6199requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6200run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
6201 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6202 "$P_CLI force_version=tls1 \
6203 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6204 trunc_hmac=1" \
6205 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6206 -s "16384 bytes written in 1 fragments" \
6207 -c "Read from server: 16384 bytes read"
6208
6209run_test "Large server packet TLS 1.0 StreamCipher" \
6210 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6211 "$P_CLI force_version=tls1 \
6212 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6213 0 \
6214 -s "16384 bytes written in 1 fragments" \
6215 -c "Read from server: 16384 bytes read"
6216
6217run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
6218 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6219 "$P_CLI force_version=tls1 \
6220 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6221 0 \
6222 -s "16384 bytes written in 1 fragments" \
6223 -c "Read from server: 16384 bytes read"
6224
6225requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6226run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
6227 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6228 "$P_CLI force_version=tls1 \
6229 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6230 0 \
6231 -s "16384 bytes written in 1 fragments" \
6232 -c "Read from server: 16384 bytes read"
6233
6234requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6235run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6236 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6237 "$P_CLI force_version=tls1 \
6238 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6239 0 \
6240 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6241 -c "Read from server: 16384 bytes read"
6242
6243run_test "Large server packet TLS 1.1 BlockCipher" \
6244 "$P_SRV response_size=16384" \
6245 "$P_CLI force_version=tls1_1 \
6246 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6247 0 \
6248 -c "Read from server: 16384 bytes read"
6249
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6250run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
6251 "$P_SRV response_size=16384" \
6252 "$P_CLI force_version=tls1_1 etm=0 \
6253 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6254 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6255 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6256 -c "Read from server: 16384 bytes read"
6257
6258requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6259run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
6260 "$P_SRV response_size=16384" \
6261 "$P_CLI force_version=tls1_1 \
6262 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6263 trunc_hmac=1" \
6264 0 \
6265 -c "Read from server: 16384 bytes read"
6266
6267requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6268run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6269 "$P_SRV response_size=16384 trunc_hmac=1" \
6270 "$P_CLI force_version=tls1_1 \
6271 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6272 0 \
6273 -s "16384 bytes written in 1 fragments" \
6274 -c "Read from server: 16384 bytes read"
6275
6276run_test "Large server packet TLS 1.1 StreamCipher" \
6277 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6278 "$P_CLI force_version=tls1_1 \
6279 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6280 0 \
6281 -c "Read from server: 16384 bytes read"
6282
6283run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
6284 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6285 "$P_CLI force_version=tls1_1 \
6286 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6287 0 \
6288 -s "16384 bytes written in 1 fragments" \
6289 -c "Read from server: 16384 bytes read"
6290
6291requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6292run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
6293 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6294 "$P_CLI force_version=tls1_1 \
6295 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6296 trunc_hmac=1" \
6297 0 \
6298 -c "Read from server: 16384 bytes read"
6299
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6300run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6301 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6302 "$P_CLI force_version=tls1_1 \
6303 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6304 0 \
6305 -s "16384 bytes written in 1 fragments" \
6306 -c "Read from server: 16384 bytes read"
6307
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6308run_test "Large server packet TLS 1.2 BlockCipher" \
6309 "$P_SRV response_size=16384" \
6310 "$P_CLI force_version=tls1_2 \
6311 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6312 0 \
6313 -c "Read from server: 16384 bytes read"
6314
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6315run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
6316 "$P_SRV response_size=16384" \
6317 "$P_CLI force_version=tls1_2 etm=0 \
6318 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6319 0 \
6320 -s "16384 bytes written in 1 fragments" \
6321 -c "Read from server: 16384 bytes read"
6322
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6323run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
6324 "$P_SRV response_size=16384" \
6325 "$P_CLI force_version=tls1_2 \
6326 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6327 0 \
6328 -c "Read from server: 16384 bytes read"
6329
6330requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6331run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
6332 "$P_SRV response_size=16384" \
6333 "$P_CLI force_version=tls1_2 \
6334 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6335 trunc_hmac=1" \
6336 0 \
6337 -c "Read from server: 16384 bytes read"
6338
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6339run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6340 "$P_SRV response_size=16384 trunc_hmac=1" \
6341 "$P_CLI force_version=tls1_2 \
6342 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6343 0 \
6344 -s "16384 bytes written in 1 fragments" \
6345 -c "Read from server: 16384 bytes read"
6346
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6347run_test "Large server packet TLS 1.2 StreamCipher" \
6348 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6349 "$P_CLI force_version=tls1_2 \
6350 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6351 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6352 -s "16384 bytes written in 1 fragments" \
6353 -c "Read from server: 16384 bytes read"
6354
6355run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
6356 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6357 "$P_CLI force_version=tls1_2 \
6358 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6359 0 \
6360 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6361 -c "Read from server: 16384 bytes read"
6362
6363requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6364run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
6365 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6366 "$P_CLI force_version=tls1_2 \
6367 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6368 trunc_hmac=1" \
6369 0 \
6370 -c "Read from server: 16384 bytes read"
6371
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6372requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6373run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6374 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6375 "$P_CLI force_version=tls1_2 \
6376 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6377 0 \
6378 -s "16384 bytes written in 1 fragments" \
6379 -c "Read from server: 16384 bytes read"
6380
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6381run_test "Large server packet TLS 1.2 AEAD" \
6382 "$P_SRV response_size=16384" \
6383 "$P_CLI force_version=tls1_2 \
6384 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6385 0 \
6386 -c "Read from server: 16384 bytes read"
6387
6388run_test "Large server packet TLS 1.2 AEAD shorter tag" \
6389 "$P_SRV response_size=16384" \
6390 "$P_CLI force_version=tls1_2 \
6391 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6392 0 \
6393 -c "Read from server: 16384 bytes read"
6394
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6395# Tests for restartable ECC
6396
6397requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6398run_test "EC restart: TLS, default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6399 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6400 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6401 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6402 debug_level=1" \
6403 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6404 -C "x509_verify_cert.*4b00" \
6405 -C "mbedtls_pk_verify.*4b00" \
6406 -C "mbedtls_ecdh_make_public.*4b00" \
6407 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6408
6409requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6410run_test "EC restart: TLS, max_ops=0" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6411 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6412 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6413 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6414 debug_level=1 ec_max_ops=0" \
6415 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6416 -C "x509_verify_cert.*4b00" \
6417 -C "mbedtls_pk_verify.*4b00" \
6418 -C "mbedtls_ecdh_make_public.*4b00" \
6419 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6420
6421requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6422run_test "EC restart: TLS, max_ops=65535" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6423 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6424 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6425 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6426 debug_level=1 ec_max_ops=65535" \
6427 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6428 -C "x509_verify_cert.*4b00" \
6429 -C "mbedtls_pk_verify.*4b00" \
6430 -C "mbedtls_ecdh_make_public.*4b00" \
6431 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6432
6433requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6434run_test "EC restart: TLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6435 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6436 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6437 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6438 debug_level=1 ec_max_ops=1000" \
6439 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6440 -c "x509_verify_cert.*4b00" \
6441 -c "mbedtls_pk_verify.*4b00" \
6442 -c "mbedtls_ecdh_make_public.*4b00" \
6443 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6444
6445requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6446requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6447run_test "EC restart: TLS, max_ops=1000, badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6448 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6449 crt_file=data_files/server5-badsign.crt \
6450 key_file=data_files/server5.key" \
6451 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6452 key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \
6453 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6454 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6455 -c "x509_verify_cert.*4b00" \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6456 -c "mbedtls_pk_verify.*4b00" \
6457 -c "mbedtls_ecdh_make_public.*4b00" \
6458 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6459 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6460
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6461requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6462requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6463run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6464 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6465 crt_file=data_files/server5-badsign.crt \
6466 key_file=data_files/server5.key" \
6467 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6468 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6469 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6470 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6471 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6472 -c "x509_verify_cert.*4b00" \
6473 -c "mbedtls_pk_verify.*4b00" \
6474 -c "mbedtls_ecdh_make_public.*4b00" \
6475 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6476 -c "! The certificate is not correctly signed by the trusted CA" \
6477 -C "! mbedtls_ssl_handshake returned" \
6478 -C "X509 - Certificate verification failed"
6479
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6480requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6481requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6482requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6483run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6484 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6485 crt_file=data_files/server5-badsign.crt \
6486 key_file=data_files/server5.key" \
6487 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6488 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6489 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6490 debug_level=1 ec_max_ops=1000 auth_mode=none" \
6491 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6492 -C "x509_verify_cert.*4b00" \
6493 -c "mbedtls_pk_verify.*4b00" \
6494 -c "mbedtls_ecdh_make_public.*4b00" \
6495 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6496 -C "! The certificate is not correctly signed by the trusted CA" \
6497 -C "! mbedtls_ssl_handshake returned" \
6498 -C "X509 - Certificate verification failed"
6499
6500requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6501run_test "EC restart: DTLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6502 "$P_SRV auth_mode=required dtls=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6503 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6504 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6505 dtls=1 debug_level=1 ec_max_ops=1000" \
6506 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6507 -c "x509_verify_cert.*4b00" \
6508 -c "mbedtls_pk_verify.*4b00" \
6509 -c "mbedtls_ecdh_make_public.*4b00" \
6510 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6511
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6512requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6513run_test "EC restart: TLS, max_ops=1000 no client auth" \
6514 "$P_SRV" \
6515 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6516 debug_level=1 ec_max_ops=1000" \
6517 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6518 -c "x509_verify_cert.*4b00" \
6519 -c "mbedtls_pk_verify.*4b00" \
6520 -c "mbedtls_ecdh_make_public.*4b00" \
6521 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6522
6523requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6524run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
6525 "$P_SRV psk=abc123" \
6526 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
6527 psk=abc123 debug_level=1 ec_max_ops=1000" \
6528 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6529 -C "x509_verify_cert.*4b00" \
6530 -C "mbedtls_pk_verify.*4b00" \
6531 -C "mbedtls_ecdh_make_public.*4b00" \
6532 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6533
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6534# Tests of asynchronous private key support in SSL
6535
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6536requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6537run_test "SSL async private: sign, delay=0" \
6538 "$P_SRV \
6539 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6540 "$P_CLI" \
6541 0 \
6542 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6543 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6544
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6545requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6546run_test "SSL async private: sign, delay=1" \
6547 "$P_SRV \
6548 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6549 "$P_CLI" \
6550 0 \
6551 -s "Async sign callback: using key slot " \
6552 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6553 -s "Async resume (slot [0-9]): sign done, status=0"
6554
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]6555requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6556run_test "SSL async private: sign, delay=2" \
6557 "$P_SRV \
6558 async_operations=s async_private_delay1=2 async_private_delay2=2" \
6559 "$P_CLI" \
6560 0 \
6561 -s "Async sign callback: using key slot " \
6562 -U "Async sign callback: using key slot " \
6563 -s "Async resume (slot [0-9]): call 1 more times." \
6564 -s "Async resume (slot [0-9]): call 0 more times." \
6565 -s "Async resume (slot [0-9]): sign done, status=0"
6566
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]6567# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
6568# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
6569requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6570requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6571run_test "SSL async private: sign, RSA, TLS 1.1" \
6572 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
6573 async_operations=s async_private_delay1=0 async_private_delay2=0" \
6574 "$P_CLI force_version=tls1_1" \
6575 0 \
6576 -s "Async sign callback: using key slot " \
6577 -s "Async resume (slot [0-9]): sign done, status=0"
6578
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6579requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]6580requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]6581requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6582requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]6583run_test "SSL async private: sign, SNI" \
6584 "$P_SRV debug_level=3 \
6585 async_operations=s async_private_delay1=0 async_private_delay2=0 \
6586 crt_file=data_files/server5.crt key_file=data_files/server5.key \
6587 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
6588 "$P_CLI server_name=polarssl.example" \
6589 0 \
6590 -s "Async sign callback: using key slot " \
6591 -s "Async resume (slot [0-9]): sign done, status=0" \
6592 -s "parse ServerName extension" \
6593 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6594 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
6595
6596requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6597run_test "SSL async private: decrypt, delay=0" \
6598 "$P_SRV \
6599 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6600 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6601 0 \
6602 -s "Async decrypt callback: using key slot " \
6603 -s "Async resume (slot [0-9]): decrypt done, status=0"
6604
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6605requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6606run_test "SSL async private: decrypt, delay=1" \
6607 "$P_SRV \
6608 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6609 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6610 0 \
6611 -s "Async decrypt callback: using key slot " \
6612 -s "Async resume (slot [0-9]): call 0 more times." \
6613 -s "Async resume (slot [0-9]): decrypt done, status=0"
6614
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6615requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6616run_test "SSL async private: decrypt RSA-PSK, delay=0" \
6617 "$P_SRV psk=abc123 \
6618 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6619 "$P_CLI psk=abc123 \
6620 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6621 0 \
6622 -s "Async decrypt callback: using key slot " \
6623 -s "Async resume (slot [0-9]): decrypt done, status=0"
6624
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6625requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6626run_test "SSL async private: decrypt RSA-PSK, delay=1" \
6627 "$P_SRV psk=abc123 \
6628 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6629 "$P_CLI psk=abc123 \
6630 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6631 0 \
6632 -s "Async decrypt callback: using key slot " \
6633 -s "Async resume (slot [0-9]): call 0 more times." \
6634 -s "Async resume (slot [0-9]): decrypt done, status=0"
6635
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6636requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6637run_test "SSL async private: sign callback not present" \
6638 "$P_SRV \
6639 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6640 "$P_CLI; [ \$? -eq 1 ] &&
6641 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6642 0 \
6643 -S "Async sign callback" \
6644 -s "! mbedtls_ssl_handshake returned" \
6645 -s "The own private key or pre-shared key is not set, but needed" \
6646 -s "Async resume (slot [0-9]): decrypt done, status=0" \
6647 -s "Successful connection"
6648
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6649requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6650run_test "SSL async private: decrypt callback not present" \
6651 "$P_SRV debug_level=1 \
6652 async_operations=s async_private_delay1=1 async_private_delay2=1" \
6653 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
6654 [ \$? -eq 1 ] && $P_CLI" \
6655 0 \
6656 -S "Async decrypt callback" \
6657 -s "! mbedtls_ssl_handshake returned" \
6658 -s "got no RSA private key" \
6659 -s "Async resume (slot [0-9]): sign done, status=0" \
6660 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6661
6662# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6663requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6664run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6665 "$P_SRV \
6666 async_operations=s async_private_delay1=1 \
6667 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6668 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6669 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ca_file=data_files/test-ca2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6670 0 \
6671 -s "Async sign callback: using key slot 0," \
6672 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6673 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6674
6675# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6676requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6677run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6678 "$P_SRV \
6679 async_operations=s async_private_delay2=1 \
6680 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6681 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6682 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6683 0 \
6684 -s "Async sign callback: using key slot 0," \
6685 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6686 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6687
6688# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6689requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]6690run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6691 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]6692 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6693 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6694 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6695 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6696 0 \
6697 -s "Async sign callback: using key slot 1," \
6698 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6699 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6700
6701# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6702requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6703run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6704 "$P_SRV \
6705 async_operations=s async_private_delay1=1 \
6706 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6707 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6708 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6709 0 \
6710 -s "Async sign callback: no key matches this certificate."
6711
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6712requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6713run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6714 "$P_SRV \
6715 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6716 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6717 "$P_CLI" \
6718 1 \
6719 -s "Async sign callback: injected error" \
6720 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6721 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6722 -s "! mbedtls_ssl_handshake returned"
6723
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6724requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6725run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6726 "$P_SRV \
6727 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6728 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6729 "$P_CLI" \
6730 1 \
6731 -s "Async sign callback: using key slot " \
6732 -S "Async resume" \
6733 -s "Async cancel"
6734
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6735requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6736run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6737 "$P_SRV \
6738 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6739 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6740 "$P_CLI" \
6741 1 \
6742 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6743 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6744 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6745 -s "! mbedtls_ssl_handshake returned"
6746
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6747requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6748run_test "SSL async private: decrypt, error in start" \
6749 "$P_SRV \
6750 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6751 async_private_error=1" \
6752 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6753 1 \
6754 -s "Async decrypt callback: injected error" \
6755 -S "Async resume" \
6756 -S "Async cancel" \
6757 -s "! mbedtls_ssl_handshake returned"
6758
6759requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6760run_test "SSL async private: decrypt, cancel after start" \
6761 "$P_SRV \
6762 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6763 async_private_error=2" \
6764 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6765 1 \
6766 -s "Async decrypt callback: using key slot " \
6767 -S "Async resume" \
6768 -s "Async cancel"
6769
6770requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6771run_test "SSL async private: decrypt, error in resume" \
6772 "$P_SRV \
6773 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6774 async_private_error=3" \
6775 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6776 1 \
6777 -s "Async decrypt callback: using key slot " \
6778 -s "Async resume callback: decrypt done but injected error" \
6779 -S "Async cancel" \
6780 -s "! mbedtls_ssl_handshake returned"
6781
6782requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6783run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6784 "$P_SRV \
6785 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6786 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6787 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6788 0 \
6789 -s "Async cancel" \
6790 -s "! mbedtls_ssl_handshake returned" \
6791 -s "Async resume" \
6792 -s "Successful connection"
6793
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6794requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6795run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6796 "$P_SRV \
6797 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6798 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6799 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6800 0 \
6801 -s "! mbedtls_ssl_handshake returned" \
6802 -s "Async resume" \
6803 -s "Successful connection"
6804
6805# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6806requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6807run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6808 "$P_SRV \
6809 async_operations=s async_private_delay1=1 async_private_error=-2 \
6810 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6811 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6812 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6813 [ \$? -eq 1 ] &&
6814 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6815 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]6816 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6817 -S "Async resume" \
6818 -s "Async cancel" \
6819 -s "! mbedtls_ssl_handshake returned" \
6820 -s "Async sign callback: no key matches this certificate." \
6821 -s "Successful connection"
6822
6823# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6824requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6825run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6826 "$P_SRV \
6827 async_operations=s async_private_delay1=1 async_private_error=-3 \
6828 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6829 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6830 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6831 [ \$? -eq 1 ] &&
6832 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6833 0 \
6834 -s "Async resume" \
6835 -s "! mbedtls_ssl_handshake returned" \
6836 -s "Async sign callback: no key matches this certificate." \
6837 -s "Successful connection"
6838
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6839requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6840requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6841run_test "SSL async private: renegotiation: client-initiated; sign" \
6842 "$P_SRV \
6843 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6844 exchanges=2 renegotiation=1" \
6845 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
6846 0 \
6847 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6848 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6849
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6850requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6851requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6852run_test "SSL async private: renegotiation: server-initiated; sign" \
6853 "$P_SRV \
6854 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6855 exchanges=2 renegotiation=1 renegotiate=1" \
6856 "$P_CLI exchanges=2 renegotiation=1" \
6857 0 \
6858 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6859 -s "Async resume (slot [0-9]): sign done, status=0"
6860
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6861requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6862requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6863run_test "SSL async private: renegotiation: client-initiated; decrypt" \
6864 "$P_SRV \
6865 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6866 exchanges=2 renegotiation=1" \
6867 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
6868 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6869 0 \
6870 -s "Async decrypt callback: using key slot " \
6871 -s "Async resume (slot [0-9]): decrypt done, status=0"
6872
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6873requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6874requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6875run_test "SSL async private: renegotiation: server-initiated; decrypt" \
6876 "$P_SRV \
6877 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6878 exchanges=2 renegotiation=1 renegotiate=1" \
6879 "$P_CLI exchanges=2 renegotiation=1 \
6880 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6881 0 \
6882 -s "Async decrypt callback: using key slot " \
6883 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6884
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6885# Tests for ECC extensions (rfc 4492)
6886
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6887requires_config_enabled MBEDTLS_AES_C
6888requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6889requires_config_enabled MBEDTLS_SHA256_C
6890requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6891run_test "Force a non ECC ciphersuite in the client side" \
6892 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6893 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6894 0 \
6895 -C "client hello, adding supported_elliptic_curves extension" \
6896 -C "client hello, adding supported_point_formats extension" \
6897 -S "found supported elliptic curves extension" \
6898 -S "found supported point formats extension"
6899
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6900requires_config_enabled MBEDTLS_AES_C
6901requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6902requires_config_enabled MBEDTLS_SHA256_C
6903requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6904run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6905 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6906 "$P_CLI debug_level=3" \
6907 0 \
6908 -C "found supported_point_formats extension" \
6909 -S "server hello, supported_point_formats extension"
6910
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6911requires_config_enabled MBEDTLS_AES_C
6912requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6913requires_config_enabled MBEDTLS_SHA256_C
6914requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6915run_test "Force an ECC ciphersuite in the client side" \
6916 "$P_SRV debug_level=3" \
6917 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6918 0 \
6919 -c "client hello, adding supported_elliptic_curves extension" \
6920 -c "client hello, adding supported_point_formats extension" \
6921 -s "found supported elliptic curves extension" \
6922 -s "found supported point formats extension"
6923
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6924requires_config_enabled MBEDTLS_AES_C
6925requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6926requires_config_enabled MBEDTLS_SHA256_C
6927requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6928run_test "Force an ECC ciphersuite in the server side" \
6929 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6930 "$P_CLI debug_level=3" \
6931 0 \
6932 -c "found supported_point_formats extension" \
6933 -s "server hello, supported_point_formats extension"
6934
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6935# Tests for DTLS HelloVerifyRequest
6936
6937run_test "DTLS cookie: enabled" \
6938 "$P_SRV dtls=1 debug_level=2" \
6939 "$P_CLI dtls=1 debug_level=2" \
6940 0 \
6941 -s "cookie verification failed" \
6942 -s "cookie verification passed" \
6943 -S "cookie verification skipped" \
6944 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6945 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6946 -S "SSL - The requested feature is not available"
6947
6948run_test "DTLS cookie: disabled" \
6949 "$P_SRV dtls=1 debug_level=2 cookies=0" \
6950 "$P_CLI dtls=1 debug_level=2" \
6951 0 \
6952 -S "cookie verification failed" \
6953 -S "cookie verification passed" \
6954 -s "cookie verification skipped" \
6955 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6956 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6957 -S "SSL - The requested feature is not available"
6958
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6959run_test "DTLS cookie: default (failing)" \
6960 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
6961 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
6962 1 \
6963 -s "cookie verification failed" \
6964 -S "cookie verification passed" \
6965 -S "cookie verification skipped" \
6966 -C "received hello verify request" \
6967 -S "hello verification requested" \
6968 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6969
6970requires_ipv6
6971run_test "DTLS cookie: enabled, IPv6" \
6972 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
6973 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
6974 0 \
6975 -s "cookie verification failed" \
6976 -s "cookie verification passed" \
6977 -S "cookie verification skipped" \
6978 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6979 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6980 -S "SSL - The requested feature is not available"
6981
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6982run_test "DTLS cookie: enabled, nbio" \
6983 "$P_SRV dtls=1 nbio=2 debug_level=2" \
6984 "$P_CLI dtls=1 nbio=2 debug_level=2" \
6985 0 \
6986 -s "cookie verification failed" \
6987 -s "cookie verification passed" \
6988 -S "cookie verification skipped" \
6989 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6990 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6991 -S "SSL - The requested feature is not available"
6992
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6993# Tests for client reconnecting from the same port with DTLS
6994
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6995not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6996run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6997 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
6998 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6999 0 \
7000 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7001 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7002 -S "Client initiated reconnection from same port"
7003
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7004not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7005run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7006 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
7007 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7008 0 \
7009 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7010 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7011 -s "Client initiated reconnection from same port"
7012
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7013not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
7014run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7015 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
7016 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7017 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7018 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7019 -s "Client initiated reconnection from same port"
7020
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7021only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
7022run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
7023 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
7024 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
7025 0 \
7026 -S "The operation timed out" \
7027 -s "Client initiated reconnection from same port"
7028
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7029run_test "DTLS client reconnect from same port: no cookies" \
7030 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]7031 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
7032 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7033 -s "The operation timed out" \
7034 -S "Client initiated reconnection from same port"
7035
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7036# Tests for various cases of client authentication with DTLS
7037# (focused on handshake flows and message parsing)
7038
7039run_test "DTLS client auth: required" \
7040 "$P_SRV dtls=1 auth_mode=required" \
7041 "$P_CLI dtls=1" \
7042 0 \
7043 -s "Verifying peer X.509 certificate... ok"
7044
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7045requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7046requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7047run_test "DTLS client auth: optional, client has no cert" \
7048 "$P_SRV dtls=1 auth_mode=optional" \
7049 "$P_CLI dtls=1 crt_file=none key_file=none" \
7050 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7051 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7052
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7053requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7054requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7055run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7056 "$P_SRV dtls=1 auth_mode=none" \
7057 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
7058 0 \
7059 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7060 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7061
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]7062run_test "DTLS wrong PSK: badmac alert" \
7063 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
7064 "$P_CLI dtls=1 psk=abc124" \
7065 1 \
7066 -s "SSL - Verification of the message MAC failed" \
7067 -c "SSL - A fatal alert message was received from our peer"
7068
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7069# Tests for receiving fragmented handshake messages with DTLS
7070
7071requires_gnutls
7072run_test "DTLS reassembly: no fragmentation (gnutls server)" \
7073 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7074 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7075 0 \
7076 -C "found fragmented DTLS handshake message" \
7077 -C "error"
7078
7079requires_gnutls
7080run_test "DTLS reassembly: some fragmentation (gnutls server)" \
7081 "$G_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7082 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7083 0 \
7084 -c "found fragmented DTLS handshake message" \
7085 -C "error"
7086
7087requires_gnutls
7088run_test "DTLS reassembly: more fragmentation (gnutls server)" \
7089 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7090 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7091 0 \
7092 -c "found fragmented DTLS handshake message" \
7093 -C "error"
7094
7095requires_gnutls
7096run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
7097 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7098 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7099 0 \
7100 -c "found fragmented DTLS handshake message" \
7101 -C "error"
7102
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7103requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7104requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7105run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
7106 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7107 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7108 0 \
7109 -c "found fragmented DTLS handshake message" \
7110 -c "client hello, adding renegotiation extension" \
7111 -c "found renegotiation extension" \
7112 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7113 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7114 -C "error" \
7115 -s "Extra-header:"
7116
7117requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7118requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7119run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
7120 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7121 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7122 0 \
7123 -c "found fragmented DTLS handshake message" \
7124 -c "client hello, adding renegotiation extension" \
7125 -c "found renegotiation extension" \
7126 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7127 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7128 -C "error" \
7129 -s "Extra-header:"
7130
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7131run_test "DTLS reassembly: no fragmentation (openssl server)" \
7132 "$O_SRV -dtls1 -mtu 2048" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7133 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7134 0 \
7135 -C "found fragmented DTLS handshake message" \
7136 -C "error"
7137
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7138run_test "DTLS reassembly: some fragmentation (openssl server)" \
7139 "$O_SRV -dtls1 -mtu 768" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7140 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7141 0 \
7142 -c "found fragmented DTLS handshake message" \
7143 -C "error"
7144
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7145run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7146 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7147 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7148 0 \
7149 -c "found fragmented DTLS handshake message" \
7150 -C "error"
7151
7152run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
7153 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7154 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7155 0 \
7156 -c "found fragmented DTLS handshake message" \
7157 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7158
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7159# Tests for sending fragmented handshake messages with DTLS
7160#
7161# Use client auth when we need the client to send large messages,
7162# and use large cert chains on both sides too (the long chains we have all use
7163# both RSA and ECDSA, but ideally we should have long chains with either).
7164# Sizes reached (UDP payload):
7165# - 2037B for server certificate
7166# - 1542B for client certificate
7167# - 1013B for newsessionticket
7168# - all others below 512B
7169# All those tests assume MAX_CONTENT_LEN is at least 2048
7170
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7171requires_config_enabled MBEDTLS_RSA_C
7172requires_config_enabled MBEDTLS_ECDSA_C
7173requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7174run_test "DTLS fragmenting: none (for reference)" \
7175 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7176 crt_file=data_files/server7_int-ca.crt \
7177 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7178 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7179 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7180 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7181 "$P_CLI dtls=1 debug_level=2 \
7182 crt_file=data_files/server8_int-ca2.crt \
7183 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7184 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7185 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7186 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7187 0 \
7188 -S "found fragmented DTLS handshake message" \
7189 -C "found fragmented DTLS handshake message" \
7190 -C "error"
7191
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7192requires_config_enabled MBEDTLS_RSA_C
7193requires_config_enabled MBEDTLS_ECDSA_C
7194requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7195run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7196 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7197 crt_file=data_files/server7_int-ca.crt \
7198 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7199 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7200 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7201 max_frag_len=1024" \
7202 "$P_CLI dtls=1 debug_level=2 \
7203 crt_file=data_files/server8_int-ca2.crt \
7204 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7205 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7206 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7207 max_frag_len=2048" \
7208 0 \
7209 -S "found fragmented DTLS handshake message" \
7210 -c "found fragmented DTLS handshake message" \
7211 -C "error"
7212
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7213# With the MFL extension, the server has no way of forcing
7214# the client to not exceed a certain MTU; hence, the following
7215# test can't be replicated with an MTU proxy such as the one
7216# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7217requires_config_enabled MBEDTLS_RSA_C
7218requires_config_enabled MBEDTLS_ECDSA_C
7219requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7220run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7221 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7222 crt_file=data_files/server7_int-ca.crt \
7223 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7224 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7225 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7226 max_frag_len=512" \
7227 "$P_CLI dtls=1 debug_level=2 \
7228 crt_file=data_files/server8_int-ca2.crt \
7229 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7230 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7231 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7232 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7233 0 \
7234 -S "found fragmented DTLS handshake message" \
7235 -c "found fragmented DTLS handshake message" \
7236 -C "error"
7237
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7238requires_config_enabled MBEDTLS_RSA_C
7239requires_config_enabled MBEDTLS_ECDSA_C
7240requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7241run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7242 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7243 crt_file=data_files/server7_int-ca.crt \
7244 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7245 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7246 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7247 max_frag_len=2048" \
7248 "$P_CLI dtls=1 debug_level=2 \
7249 crt_file=data_files/server8_int-ca2.crt \
7250 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7251 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7252 hs_timeout=2500-60000 \
7253 max_frag_len=1024" \
7254 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7255 -S "found fragmented DTLS handshake message" \
7256 -c "found fragmented DTLS handshake message" \
7257 -C "error"
7258
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7259# While not required by the standard defining the MFL extension
7260# (according to which it only applies to records, not to datagrams),
7261# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7262# as otherwise there wouldn't be any means to communicate MTU restrictions
7263# to the peer.
7264# The next test checks that no datagrams significantly larger than the
7265# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7266requires_config_enabled MBEDTLS_RSA_C
7267requires_config_enabled MBEDTLS_ECDSA_C
7268requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7269run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7270 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7271 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7272 crt_file=data_files/server7_int-ca.crt \
7273 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7274 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7275 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7276 max_frag_len=2048" \
7277 "$P_CLI dtls=1 debug_level=2 \
7278 crt_file=data_files/server8_int-ca2.crt \
7279 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7280 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7281 hs_timeout=2500-60000 \
7282 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7283 0 \
7284 -S "found fragmented DTLS handshake message" \
7285 -c "found fragmented DTLS handshake message" \
7286 -C "error"
7287
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7288requires_config_enabled MBEDTLS_RSA_C
7289requires_config_enabled MBEDTLS_ECDSA_C
7290requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7291run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7292 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7293 crt_file=data_files/server7_int-ca.crt \
7294 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7295 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7296 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7297 max_frag_len=2048" \
7298 "$P_CLI dtls=1 debug_level=2 \
7299 crt_file=data_files/server8_int-ca2.crt \
7300 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7301 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7302 hs_timeout=2500-60000 \
7303 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7304 0 \
7305 -s "found fragmented DTLS handshake message" \
7306 -c "found fragmented DTLS handshake message" \
7307 -C "error"
7308
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7309# While not required by the standard defining the MFL extension
7310# (according to which it only applies to records, not to datagrams),
7311# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7312# as otherwise there wouldn't be any means to communicate MTU restrictions
7313# to the peer.
7314# The next test checks that no datagrams significantly larger than the
7315# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7316requires_config_enabled MBEDTLS_RSA_C
7317requires_config_enabled MBEDTLS_ECDSA_C
7318requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7319run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7320 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7321 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7322 crt_file=data_files/server7_int-ca.crt \
7323 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7324 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7325 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7326 max_frag_len=2048" \
7327 "$P_CLI dtls=1 debug_level=2 \
7328 crt_file=data_files/server8_int-ca2.crt \
7329 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7330 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7331 hs_timeout=2500-60000 \
7332 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7333 0 \
7334 -s "found fragmented DTLS handshake message" \
7335 -c "found fragmented DTLS handshake message" \
7336 -C "error"
7337
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7338requires_config_enabled MBEDTLS_RSA_C
7339requires_config_enabled MBEDTLS_ECDSA_C
7340run_test "DTLS fragmenting: none (for reference) (MTU)" \
7341 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7342 crt_file=data_files/server7_int-ca.crt \
7343 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7344 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7345 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7346 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7347 "$P_CLI dtls=1 debug_level=2 \
7348 crt_file=data_files/server8_int-ca2.crt \
7349 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7350 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7351 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7352 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7353 0 \
7354 -S "found fragmented DTLS handshake message" \
7355 -C "found fragmented DTLS handshake message" \
7356 -C "error"
7357
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7358requires_config_enabled MBEDTLS_RSA_C
7359requires_config_enabled MBEDTLS_ECDSA_C
7360run_test "DTLS fragmenting: client (MTU)" \
7361 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7362 crt_file=data_files/server7_int-ca.crt \
7363 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7364 ca_file=data_files/test-ca.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7365 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7366 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7367 "$P_CLI dtls=1 debug_level=2 \
7368 crt_file=data_files/server8_int-ca2.crt \
7369 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7370 ca_file=data_files/test-ca2.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7371 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7372 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7373 0 \
7374 -s "found fragmented DTLS handshake message" \
7375 -C "found fragmented DTLS handshake message" \
7376 -C "error"
7377
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7378requires_config_enabled MBEDTLS_RSA_C
7379requires_config_enabled MBEDTLS_ECDSA_C
7380run_test "DTLS fragmenting: server (MTU)" \
7381 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7382 crt_file=data_files/server7_int-ca.crt \
7383 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7384 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7385 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7386 mtu=512" \
7387 "$P_CLI dtls=1 debug_level=2 \
7388 crt_file=data_files/server8_int-ca2.crt \
7389 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7390 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7391 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7392 mtu=2048" \
7393 0 \
7394 -S "found fragmented DTLS handshake message" \
7395 -c "found fragmented DTLS handshake message" \
7396 -C "error"
7397
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7398requires_config_enabled MBEDTLS_RSA_C
7399requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7400run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7401 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7402 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7403 crt_file=data_files/server7_int-ca.crt \
7404 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7405 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7406 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]7407 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7408 "$P_CLI dtls=1 debug_level=2 \
7409 crt_file=data_files/server8_int-ca2.crt \
7410 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7411 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7412 hs_timeout=2500-60000 \
7413 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7414 0 \
7415 -s "found fragmented DTLS handshake message" \
7416 -c "found fragmented DTLS handshake message" \
7417 -C "error"
7418
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7419# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7420requires_config_enabled MBEDTLS_RSA_C
7421requires_config_enabled MBEDTLS_ECDSA_C
7422requires_config_enabled MBEDTLS_SHA256_C
7423requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7424requires_config_enabled MBEDTLS_AES_C
7425requires_config_enabled MBEDTLS_GCM_C
7426run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]7427 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7428 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7429 crt_file=data_files/server7_int-ca.crt \
7430 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7431 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7432 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7433 mtu=512" \
7434 "$P_CLI dtls=1 debug_level=2 \
7435 crt_file=data_files/server8_int-ca2.crt \
7436 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7437 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7438 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7439 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7440 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]7441 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]7442 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7443 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7444 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]7445
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7446# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7447# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7448# The ratio of max/min timeout should ideally equal 4 to accept two
7449# retransmissions, but in some cases (like both the server and client using
7450# fragmentation and auto-reduction) an extra retransmission might occur,
7451# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]7452not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7453requires_config_enabled MBEDTLS_RSA_C
7454requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7455requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7456requires_config_enabled MBEDTLS_AES_C
7457requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7458run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7459 -p "$P_PXY mtu=508" \
7460 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7461 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7462 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7463 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7464 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7465 "$P_CLI dtls=1 debug_level=2 \
7466 crt_file=data_files/server8_int-ca2.crt \
7467 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7468 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7469 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7470 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7471 0 \
7472 -s "found fragmented DTLS handshake message" \
7473 -c "found fragmented DTLS handshake message" \
7474 -C "error"
7475
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7476# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7477only_with_valgrind
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7478requires_config_enabled MBEDTLS_RSA_C
7479requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7480requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7481requires_config_enabled MBEDTLS_AES_C
7482requires_config_enabled MBEDTLS_GCM_C
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7483run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7484 -p "$P_PXY mtu=508" \
7485 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7486 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7487 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7488 ca_file=data_files/test-ca.crt \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7489 hs_timeout=250-10000" \
7490 "$P_CLI dtls=1 debug_level=2 \
7491 crt_file=data_files/server8_int-ca2.crt \
7492 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7493 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7494 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7495 hs_timeout=250-10000" \
7496 0 \
7497 -s "found fragmented DTLS handshake message" \
7498 -c "found fragmented DTLS handshake message" \
7499 -C "error"
7500
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7501# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]7502# OTOH the client might resend if the server is to slow to reset after sending
7503# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7504not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7505requires_config_enabled MBEDTLS_RSA_C
7506requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7507run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7508 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7509 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7510 crt_file=data_files/server7_int-ca.crt \
7511 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7512 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7513 hs_timeout=10000-60000 \
7514 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7515 "$P_CLI dtls=1 debug_level=2 \
7516 crt_file=data_files/server8_int-ca2.crt \
7517 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7518 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7519 hs_timeout=10000-60000 \
7520 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7521 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7522 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7523 -s "found fragmented DTLS handshake message" \
7524 -c "found fragmented DTLS handshake message" \
7525 -C "error"
7526
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7527# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7528# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
7529# OTOH the client might resend if the server is to slow to reset after sending
7530# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7531not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7532requires_config_enabled MBEDTLS_RSA_C
7533requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7534requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7535requires_config_enabled MBEDTLS_AES_C
7536requires_config_enabled MBEDTLS_GCM_C
7537run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7538 -p "$P_PXY mtu=512" \
7539 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7540 crt_file=data_files/server7_int-ca.crt \
7541 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7542 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7543 hs_timeout=10000-60000 \
7544 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7545 "$P_CLI dtls=1 debug_level=2 \
7546 crt_file=data_files/server8_int-ca2.crt \
7547 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7548 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7549 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7550 hs_timeout=10000-60000 \
7551 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7552 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7553 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7554 -s "found fragmented DTLS handshake message" \
7555 -c "found fragmented DTLS handshake message" \
7556 -C "error"
7557
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7558not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7559requires_config_enabled MBEDTLS_RSA_C
7560requires_config_enabled MBEDTLS_ECDSA_C
7561run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7562 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7563 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7564 crt_file=data_files/server7_int-ca.crt \
7565 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7566 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7567 hs_timeout=10000-60000 \
7568 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7569 "$P_CLI dtls=1 debug_level=2 \
7570 crt_file=data_files/server8_int-ca2.crt \
7571 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7572 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7573 hs_timeout=10000-60000 \
7574 mtu=1024 nbio=2" \
7575 0 \
7576 -S "autoreduction" \
7577 -s "found fragmented DTLS handshake message" \
7578 -c "found fragmented DTLS handshake message" \
7579 -C "error"
7580
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7581# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7582not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7583requires_config_enabled MBEDTLS_RSA_C
7584requires_config_enabled MBEDTLS_ECDSA_C
7585requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7586requires_config_enabled MBEDTLS_AES_C
7587requires_config_enabled MBEDTLS_GCM_C
7588run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
7589 -p "$P_PXY mtu=512" \
7590 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7591 crt_file=data_files/server7_int-ca.crt \
7592 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7593 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7594 hs_timeout=10000-60000 \
7595 mtu=512 nbio=2" \
7596 "$P_CLI dtls=1 debug_level=2 \
7597 crt_file=data_files/server8_int-ca2.crt \
7598 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7599 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7600 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7601 hs_timeout=10000-60000 \
7602 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7603 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7604 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7605 -s "found fragmented DTLS handshake message" \
7606 -c "found fragmented DTLS handshake message" \
7607 -C "error"
7608
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7609# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]7610# This ensures things still work after session_reset().
7611# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7612# Since we don't support reading fragmented ClientHello yet,
7613# up the MTU to 1450 (larger than ClientHello with session ticket,
7614# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7615# An autoreduction on the client-side might happen if the server is
7616# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7617# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7618# resumed listening, which would result in a spurious autoreduction.
7619not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7620requires_config_enabled MBEDTLS_RSA_C
7621requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7622requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7623requires_config_enabled MBEDTLS_AES_C
7624requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7625run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
7626 -p "$P_PXY mtu=1450" \
7627 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7628 crt_file=data_files/server7_int-ca.crt \
7629 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7630 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7631 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7632 mtu=1450" \
7633 "$P_CLI dtls=1 debug_level=2 \
7634 crt_file=data_files/server8_int-ca2.crt \
7635 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7636 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7637 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7638 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7639 mtu=1450 reconnect=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7640 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7641 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7642 -s "found fragmented DTLS handshake message" \
7643 -c "found fragmented DTLS handshake message" \
7644 -C "error"
7645
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7646# An autoreduction on the client-side might happen if the server is
7647# slow to reset, therefore omitting '-C "autoreduction"' below.
7648not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7649requires_config_enabled MBEDTLS_RSA_C
7650requires_config_enabled MBEDTLS_ECDSA_C
7651requires_config_enabled MBEDTLS_SHA256_C
7652requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7653requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7654requires_config_enabled MBEDTLS_CHACHAPOLY_C
7655run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
7656 -p "$P_PXY mtu=512" \
7657 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7658 crt_file=data_files/server7_int-ca.crt \
7659 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7660 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7661 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7662 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7663 mtu=512" \
7664 "$P_CLI dtls=1 debug_level=2 \
7665 crt_file=data_files/server8_int-ca2.crt \
7666 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7667 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7668 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7669 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7670 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7671 mtu=512" \
7672 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7673 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7674 -s "found fragmented DTLS handshake message" \
7675 -c "found fragmented DTLS handshake message" \
7676 -C "error"
7677
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7678# An autoreduction on the client-side might happen if the server is
7679# slow to reset, therefore omitting '-C "autoreduction"' below.
7680not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7681requires_config_enabled MBEDTLS_RSA_C
7682requires_config_enabled MBEDTLS_ECDSA_C
7683requires_config_enabled MBEDTLS_SHA256_C
7684requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7685requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7686requires_config_enabled MBEDTLS_AES_C
7687requires_config_enabled MBEDTLS_GCM_C
7688run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
7689 -p "$P_PXY mtu=512" \
7690 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7691 crt_file=data_files/server7_int-ca.crt \
7692 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7693 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7694 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7695 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7696 mtu=512" \
7697 "$P_CLI dtls=1 debug_level=2 \
7698 crt_file=data_files/server8_int-ca2.crt \
7699 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7700 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7701 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7702 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7703 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7704 mtu=512" \
7705 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7706 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7707 -s "found fragmented DTLS handshake message" \
7708 -c "found fragmented DTLS handshake message" \
7709 -C "error"
7710
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7711# An autoreduction on the client-side might happen if the server is
7712# slow to reset, therefore omitting '-C "autoreduction"' below.
7713not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7714requires_config_enabled MBEDTLS_RSA_C
7715requires_config_enabled MBEDTLS_ECDSA_C
7716requires_config_enabled MBEDTLS_SHA256_C
7717requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7718requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7719requires_config_enabled MBEDTLS_AES_C
7720requires_config_enabled MBEDTLS_CCM_C
7721run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7722 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7723 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7724 crt_file=data_files/server7_int-ca.crt \
7725 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7726 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7727 exchanges=2 renegotiation=1 \
7728 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7729 hs_timeout=10000-60000 \
7730 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7731 "$P_CLI dtls=1 debug_level=2 \
7732 crt_file=data_files/server8_int-ca2.crt \
7733 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7734 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7735 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7736 hs_timeout=10000-60000 \
7737 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7738 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7739 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7740 -s "found fragmented DTLS handshake message" \
7741 -c "found fragmented DTLS handshake message" \
7742 -C "error"
7743
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7744# An autoreduction on the client-side might happen if the server is
7745# slow to reset, therefore omitting '-C "autoreduction"' below.
7746not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7747requires_config_enabled MBEDTLS_RSA_C
7748requires_config_enabled MBEDTLS_ECDSA_C
7749requires_config_enabled MBEDTLS_SHA256_C
7750requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7751requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7752requires_config_enabled MBEDTLS_AES_C
7753requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7754requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
7755run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7756 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7757 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7758 crt_file=data_files/server7_int-ca.crt \
7759 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7760 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7761 exchanges=2 renegotiation=1 \
7762 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7763 hs_timeout=10000-60000 \
7764 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7765 "$P_CLI dtls=1 debug_level=2 \
7766 crt_file=data_files/server8_int-ca2.crt \
7767 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7768 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7769 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7770 hs_timeout=10000-60000 \
7771 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7772 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7773 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7774 -s "found fragmented DTLS handshake message" \
7775 -c "found fragmented DTLS handshake message" \
7776 -C "error"
7777
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7778# An autoreduction on the client-side might happen if the server is
7779# slow to reset, therefore omitting '-C "autoreduction"' below.
7780not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7781requires_config_enabled MBEDTLS_RSA_C
7782requires_config_enabled MBEDTLS_ECDSA_C
7783requires_config_enabled MBEDTLS_SHA256_C
7784requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7785requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7786requires_config_enabled MBEDTLS_AES_C
7787requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7788run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7789 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7790 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7791 crt_file=data_files/server7_int-ca.crt \
7792 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7793 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7794 exchanges=2 renegotiation=1 \
7795 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7796 hs_timeout=10000-60000 \
7797 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7798 "$P_CLI dtls=1 debug_level=2 \
7799 crt_file=data_files/server8_int-ca2.crt \
7800 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7801 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7802 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7803 hs_timeout=10000-60000 \
7804 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7805 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7806 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7807 -s "found fragmented DTLS handshake message" \
7808 -c "found fragmented DTLS handshake message" \
7809 -C "error"
7810
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7811# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7812requires_config_enabled MBEDTLS_RSA_C
7813requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7814requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7815requires_config_enabled MBEDTLS_AES_C
7816requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7817client_needs_more_time 2
7818run_test "DTLS fragmenting: proxy MTU + 3d" \
7819 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7820 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7821 crt_file=data_files/server7_int-ca.crt \
7822 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7823 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7824 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7825 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7826 crt_file=data_files/server8_int-ca2.crt \
7827 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7828 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7829 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7830 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7831 0 \
7832 -s "found fragmented DTLS handshake message" \
7833 -c "found fragmented DTLS handshake message" \
7834 -C "error"
7835
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7836# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7837requires_config_enabled MBEDTLS_RSA_C
7838requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7839requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7840requires_config_enabled MBEDTLS_AES_C
7841requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7842client_needs_more_time 2
7843run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
7844 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
7845 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7846 crt_file=data_files/server7_int-ca.crt \
7847 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7848 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7849 hs_timeout=250-10000 mtu=512 nbio=2" \
7850 "$P_CLI dtls=1 debug_level=2 \
7851 crt_file=data_files/server8_int-ca2.crt \
7852 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7853 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7854 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7855 hs_timeout=250-10000 mtu=512 nbio=2" \
7856 0 \
7857 -s "found fragmented DTLS handshake message" \
7858 -c "found fragmented DTLS handshake message" \
7859 -C "error"
7860
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7861# interop tests for DTLS fragmentating with reliable connection
7862#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7863# here and below we just want to test that the we fragment in a way that
7864# pleases other implementations, so we don't need the peer to fragment
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7865requires_config_enabled MBEDTLS_RSA_C
7866requires_config_enabled MBEDTLS_ECDSA_C
7867requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7868requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7869run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
7870 "$G_SRV -u" \
7871 "$P_CLI dtls=1 debug_level=2 \
7872 crt_file=data_files/server8_int-ca2.crt \
7873 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7874 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7875 mtu=512 force_version=dtls1_2" \
7876 0 \
7877 -c "fragmenting handshake message" \
7878 -C "error"
7879
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7880requires_config_enabled MBEDTLS_RSA_C
7881requires_config_enabled MBEDTLS_ECDSA_C
7882requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7883requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7884run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
7885 "$G_SRV -u" \
7886 "$P_CLI dtls=1 debug_level=2 \
7887 crt_file=data_files/server8_int-ca2.crt \
7888 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7889 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7890 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7891 0 \
7892 -c "fragmenting handshake message" \
7893 -C "error"
7894
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7895# We use --insecure for the GnuTLS client because it expects
7896# the hostname / IP it connects to to be the name used in the
7897# certificate obtained from the server. Here, however, it
7898# connects to 127.0.0.1 while our test certificates use 'localhost'
7899# as the server name in the certificate. This will make the
7900# certifiate validation fail, but passing --insecure makes
7901# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7902requires_config_enabled MBEDTLS_RSA_C
7903requires_config_enabled MBEDTLS_ECDSA_C
7904requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7905requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7906requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7907run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7908 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7909 crt_file=data_files/server7_int-ca.crt \
7910 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7911 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7912 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7913 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7914 0 \
7915 -s "fragmenting handshake message"
7916
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7917# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7918requires_config_enabled MBEDTLS_RSA_C
7919requires_config_enabled MBEDTLS_ECDSA_C
7920requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7921requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7922requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7923run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7924 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7925 crt_file=data_files/server7_int-ca.crt \
7926 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7927 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7928 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7929 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7930 0 \
7931 -s "fragmenting handshake message"
7932
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7933requires_config_enabled MBEDTLS_RSA_C
7934requires_config_enabled MBEDTLS_ECDSA_C
7935requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7936run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
7937 "$O_SRV -dtls1_2 -verify 10" \
7938 "$P_CLI dtls=1 debug_level=2 \
7939 crt_file=data_files/server8_int-ca2.crt \
7940 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7941 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7942 mtu=512 force_version=dtls1_2" \
7943 0 \
7944 -c "fragmenting handshake message" \
7945 -C "error"
7946
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7947requires_config_enabled MBEDTLS_RSA_C
7948requires_config_enabled MBEDTLS_ECDSA_C
7949requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7950run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
7951 "$O_SRV -dtls1 -verify 10" \
7952 "$P_CLI dtls=1 debug_level=2 \
7953 crt_file=data_files/server8_int-ca2.crt \
7954 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7955 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7956 mtu=512 force_version=dtls1" \
7957 0 \
7958 -c "fragmenting handshake message" \
7959 -C "error"
7960
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7961requires_config_enabled MBEDTLS_RSA_C
7962requires_config_enabled MBEDTLS_ECDSA_C
7963requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7964run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
7965 "$P_SRV dtls=1 debug_level=2 \
7966 crt_file=data_files/server7_int-ca.crt \
7967 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7968 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7969 mtu=512 force_version=dtls1_2" \
7970 "$O_CLI -dtls1_2" \
7971 0 \
7972 -s "fragmenting handshake message"
7973
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7974requires_config_enabled MBEDTLS_RSA_C
7975requires_config_enabled MBEDTLS_ECDSA_C
7976requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7977run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
7978 "$P_SRV dtls=1 debug_level=2 \
7979 crt_file=data_files/server7_int-ca.crt \
7980 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7981 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7982 mtu=512 force_version=dtls1" \
7983 "$O_CLI -dtls1" \
7984 0 \
7985 -s "fragmenting handshake message"
7986
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7987# interop tests for DTLS fragmentating with unreliable connection
7988#
7989# again we just want to test that the we fragment in a way that
7990# pleases other implementations, so we don't need the peer to fragment
7991requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7992requires_config_enabled MBEDTLS_RSA_C
7993requires_config_enabled MBEDTLS_ECDSA_C
7994requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7995client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7996run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
7997 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7998 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7999 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8000 crt_file=data_files/server8_int-ca2.crt \
8001 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8002 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8003 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8004 0 \
8005 -c "fragmenting handshake message" \
8006 -C "error"
8007
8008requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8009requires_config_enabled MBEDTLS_RSA_C
8010requires_config_enabled MBEDTLS_ECDSA_C
8011requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8012client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8013run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
8014 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8015 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8016 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8017 crt_file=data_files/server8_int-ca2.crt \
8018 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8019 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8020 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8021 0 \
8022 -c "fragmenting handshake message" \
8023 -C "error"
8024
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8025requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8026requires_config_enabled MBEDTLS_RSA_C
8027requires_config_enabled MBEDTLS_ECDSA_C
8028requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8029client_needs_more_time 4
8030run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
8031 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8032 "$P_SRV dtls=1 debug_level=2 \
8033 crt_file=data_files/server7_int-ca.crt \
8034 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8035 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8036 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8037 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8038 0 \
8039 -s "fragmenting handshake message"
8040
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8041requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8042requires_config_enabled MBEDTLS_RSA_C
8043requires_config_enabled MBEDTLS_ECDSA_C
8044requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8045client_needs_more_time 4
8046run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
8047 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8048 "$P_SRV dtls=1 debug_level=2 \
8049 crt_file=data_files/server7_int-ca.crt \
8050 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8051 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8052 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8053 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8054 0 \
8055 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8056
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8057## Interop test with OpenSSL might trigger a bug in recent versions (including
8058## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8059## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8060## They should be re-enabled once a fixed version of OpenSSL is available
8061## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8062skip_next_test
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8063requires_config_enabled MBEDTLS_RSA_C
8064requires_config_enabled MBEDTLS_ECDSA_C
8065requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8066client_needs_more_time 4
8067run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
8068 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8069 "$O_SRV -dtls1_2 -verify 10" \
8070 "$P_CLI dtls=1 debug_level=2 \
8071 crt_file=data_files/server8_int-ca2.crt \
8072 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8073 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8074 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8075 0 \
8076 -c "fragmenting handshake message" \
8077 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8078
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8079skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8080requires_config_enabled MBEDTLS_RSA_C
8081requires_config_enabled MBEDTLS_ECDSA_C
8082requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8083client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8084run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
8085 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8086 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8087 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8088 crt_file=data_files/server8_int-ca2.crt \
8089 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8090 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8091 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8092 0 \
8093 -c "fragmenting handshake message" \
8094 -C "error"
8095
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8096skip_next_test
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8097requires_config_enabled MBEDTLS_RSA_C
8098requires_config_enabled MBEDTLS_ECDSA_C
8099requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8100client_needs_more_time 4
8101run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
8102 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8103 "$P_SRV dtls=1 debug_level=2 \
8104 crt_file=data_files/server7_int-ca.crt \
8105 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8106 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8107 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8108 "$O_CLI -dtls1_2" \
8109 0 \
8110 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8111
8112# -nbio is added to prevent s_client from blocking in case of duplicated
8113# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8114skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8115requires_config_enabled MBEDTLS_RSA_C
8116requires_config_enabled MBEDTLS_ECDSA_C
8117requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8118client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8119run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
8120 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8121 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8122 crt_file=data_files/server7_int-ca.crt \
8123 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8124 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8125 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8126 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8127 0 \
8128 -s "fragmenting handshake message"
8129
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8130# Tests for specific things with "unreliable" UDP connection
8131
8132not_with_valgrind # spurious resend due to timeout
8133run_test "DTLS proxy: reference" \
8134 -p "$P_PXY" \
8135 "$P_SRV dtls=1 debug_level=2" \
8136 "$P_CLI dtls=1 debug_level=2" \
8137 0 \
8138 -C "replayed record" \
8139 -S "replayed record" \
Hanno Beckere03eb7b2019-07-19 15:43:09 +0100[diff] [blame]8140 -C "Buffer record from epoch" \
8141 -S "Buffer record from epoch" \
8142 -C "ssl_buffer_message" \
8143 -S "ssl_buffer_message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8144 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8145 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8146 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8147 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8148 -c "HTTP/1.0 200 OK"
8149
8150not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8151run_test "DTLS proxy: duplicate every packet" \
8152 -p "$P_PXY duplicate=1" \
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]8153 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8154 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8155 0 \
8156 -c "replayed record" \
8157 -s "replayed record" \
8158 -c "record from another epoch" \
8159 -s "record from another epoch" \
8160 -S "resend" \
8161 -s "Extra-header:" \
8162 -c "HTTP/1.0 200 OK"
8163
8164run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
8165 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8166 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
8167 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8168 0 \
8169 -c "replayed record" \
8170 -S "replayed record" \
8171 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8172 -s "record from another epoch" \
8173 -c "resend" \
8174 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8175 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8176 -c "HTTP/1.0 200 OK"
8177
8178run_test "DTLS proxy: multiple records in same datagram" \
8179 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8180 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8181 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8182 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8183 -c "next record in same datagram" \
8184 -s "next record in same datagram"
8185
8186run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
8187 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8188 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8189 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8190 0 \
8191 -c "next record in same datagram" \
8192 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8193
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8194run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
8195 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8196 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
8197 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8198 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8199 -c "discarding invalid record (mac)" \
8200 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8201 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8202 -c "HTTP/1.0 200 OK" \
8203 -S "too many records with bad MAC" \
8204 -S "Verification of the message MAC failed"
8205
8206run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
8207 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8208 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
8209 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8210 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8211 -C "discarding invalid record (mac)" \
8212 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8213 -S "Extra-header:" \
8214 -C "HTTP/1.0 200 OK" \
8215 -s "too many records with bad MAC" \
8216 -s "Verification of the message MAC failed"
8217
8218run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
8219 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8220 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
8221 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8222 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8223 -c "discarding invalid record (mac)" \
8224 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8225 -s "Extra-header:" \
8226 -c "HTTP/1.0 200 OK" \
8227 -S "too many records with bad MAC" \
8228 -S "Verification of the message MAC failed"
8229
8230run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
8231 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8232 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
8233 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8234 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8235 -c "discarding invalid record (mac)" \
8236 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8237 -s "Extra-header:" \
8238 -c "HTTP/1.0 200 OK" \
8239 -s "too many records with bad MAC" \
8240 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8241
8242run_test "DTLS proxy: delay ChangeCipherSpec" \
8243 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]8244 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
8245 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8246 0 \
8247 -c "record from another epoch" \
8248 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8249 -s "Extra-header:" \
8250 -c "HTTP/1.0 200 OK"
8251
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8252# Tests for reordering support with DTLS
8253
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8254run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
8255 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8256 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8257 hs_timeout=2500-60000" \
8258 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8259 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8260 0 \
8261 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8262 -c "Next handshake message has been buffered - load"\
8263 -S "Buffering HS message" \
8264 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8265 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8266 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8267 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8268 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8269
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8270run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
8271 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8272 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8273 hs_timeout=2500-60000" \
8274 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8275 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8276 0 \
8277 -c "Buffering HS message" \
8278 -c "found fragmented DTLS handshake message"\
8279 -c "Next handshake message 1 not or only partially bufffered" \
8280 -c "Next handshake message has been buffered - load"\
8281 -S "Buffering HS message" \
8282 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8283 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8284 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8285 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8286 -S "Remember CCS message"
8287
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8288# The client buffers the ServerKeyExchange before receiving the fragmented
8289# Certificate message; at the time of writing, together these are aroudn 1200b
8290# in size, so that the bound below ensures that the certificate can be reassembled
8291# while keeping the ServerKeyExchange.
8292requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
8293run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8294 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8295 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8296 hs_timeout=2500-60000" \
8297 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8298 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8299 0 \
8300 -c "Buffering HS message" \
8301 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8302 -C "attempt to make space by freeing buffered messages" \
8303 -S "Buffering HS message" \
8304 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8305 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8306 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8307 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8308 -S "Remember CCS message"
8309
8310# The size constraints ensure that the delayed certificate message can't
8311# be reassembled while keeping the ServerKeyExchange message, but it can
8312# when dropping it first.
8313requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
8314requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
8315run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
8316 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8317 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8318 hs_timeout=2500-60000" \
8319 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8320 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8321 0 \
8322 -c "Buffering HS message" \
8323 -c "attempt to make space by freeing buffered future messages" \
8324 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8325 -S "Buffering HS message" \
8326 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8327 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8328 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8329 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8330 -S "Remember CCS message"
8331
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8332run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
8333 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8334 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
8335 hs_timeout=2500-60000" \
8336 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8337 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8338 0 \
8339 -C "Buffering HS message" \
8340 -C "Next handshake message has been buffered - load"\
8341 -s "Buffering HS message" \
8342 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8343 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8344 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8345 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8346 -S "Remember CCS message"
8347
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]8348# This needs session tickets; otherwise CCS is the first message in its flight
8349requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8350run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
8351 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8352 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8353 hs_timeout=2500-60000" \
8354 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8355 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8356 0 \
8357 -C "Buffering HS message" \
8358 -C "Next handshake message has been buffered - load"\
8359 -S "Buffering HS message" \
8360 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8361 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8362 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8363 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8364 -S "Remember CCS message"
8365
8366run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
8367 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8368 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8369 hs_timeout=2500-60000" \
8370 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8371 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8372 0 \
8373 -C "Buffering HS message" \
8374 -C "Next handshake message has been buffered - load"\
8375 -S "Buffering HS message" \
8376 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8377 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8378 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8379 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8380 -s "Remember CCS message"
8381
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8382run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8383 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8384 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8385 hs_timeout=2500-60000" \
8386 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8387 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]8388 0 \
8389 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8390 -s "Found buffered record from current epoch - load" \
8391 -c "Buffer record from epoch 1" \
8392 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8393
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8394# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
8395# from the server are delayed, so that the encrypted Finished message
8396# is received and buffered. When the fragmented NewSessionTicket comes
8397# in afterwards, the encrypted Finished message must be freed in order
8398# to make space for the NewSessionTicket to be reassembled.
8399# This works only in very particular circumstances:
8400# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
8401# of the NewSessionTicket, but small enough to also allow buffering of
8402# the encrypted Finished message.
8403# - The MTU setting on the server must be so small that the NewSessionTicket
8404# needs to be fragmented.
8405# - All messages sent by the server must be small enough to be either sent
8406# without fragmentation or be reassembled within the bounds of
8407# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
8408# handshake, omitting CRTs.
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8409requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
8410requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8411run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
8412 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8413 "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8414 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
8415 0 \
8416 -s "Buffer record from epoch 1" \
8417 -s "Found buffered record from current epoch - load" \
8418 -c "Buffer record from epoch 1" \
8419 -C "Found buffered record from current epoch - load" \
8420 -c "Enough space available after freeing future epoch record"
8421
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]8422# Tests for "randomly unreliable connection": try a variety of flows and peers
8423
8424client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8425run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
8426 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8427 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8428 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8429 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8430 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8431 0 \
8432 -s "Extra-header:" \
8433 -c "HTTP/1.0 200 OK"
8434
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8435client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8436run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
8437 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8438 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8439 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8440 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
8441 0 \
8442 -s "Extra-header:" \
8443 -c "HTTP/1.0 200 OK"
8444
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8445client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8446run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
8447 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8448 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8449 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8450 0 \
8451 -s "Extra-header:" \
8452 -c "HTTP/1.0 200 OK"
8453
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8454client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8455run_test "DTLS proxy: 3d, FS, client auth" \
8456 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8457 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
8458 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8459 0 \
8460 -s "Extra-header:" \
8461 -c "HTTP/1.0 200 OK"
8462
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8463client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8464run_test "DTLS proxy: 3d, FS, ticket" \
8465 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8466 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
8467 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8468 0 \
8469 -s "Extra-header:" \
8470 -c "HTTP/1.0 200 OK"
8471
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8472client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8473run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
8474 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8475 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
8476 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8477 0 \
8478 -s "Extra-header:" \
8479 -c "HTTP/1.0 200 OK"
8480
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8481client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8482run_test "DTLS proxy: 3d, max handshake, nbio" \
8483 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8484 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8485 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8486 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8487 0 \
8488 -s "Extra-header:" \
8489 -c "HTTP/1.0 200 OK"
8490
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8491client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8492requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8493requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8494requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8495run_test "DTLS proxy: 3d, min handshake, resumption" \
8496 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8497 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8498 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8499 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8500 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8501 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8502 0 \
8503 -s "a session has been resumed" \
8504 -c "a session has been resumed" \
8505 -s "Extra-header:" \
8506 -c "HTTP/1.0 200 OK"
8507
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8508client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8509requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8510requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8511requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8512run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
8513 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8514 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8515 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8516 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8517 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8518 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
8519 0 \
8520 -s "a session has been resumed" \
8521 -c "a session has been resumed" \
8522 -s "Extra-header:" \
8523 -c "HTTP/1.0 200 OK"
8524
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8525client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8526requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8527run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8528 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8529 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8530 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8531 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8532 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8533 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8534 0 \
8535 -c "=> renegotiate" \
8536 -s "=> renegotiate" \
8537 -s "Extra-header:" \
8538 -c "HTTP/1.0 200 OK"
8539
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8540client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8541requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8542run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
8543 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8544 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8545 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8546 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8547 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8548 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8549 0 \
8550 -c "=> renegotiate" \
8551 -s "=> renegotiate" \
8552 -s "Extra-header:" \
8553 -c "HTTP/1.0 200 OK"
8554
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8555client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8556requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8557run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8558 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8559 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8560 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8561 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8562 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8563 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8564 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8565 0 \
8566 -c "=> renegotiate" \
8567 -s "=> renegotiate" \
8568 -s "Extra-header:" \
8569 -c "HTTP/1.0 200 OK"
8570
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8571client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8572requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8573run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8574 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8575 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8576 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8577 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8578 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8579 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8580 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8581 0 \
8582 -c "=> renegotiate" \
8583 -s "=> renegotiate" \
8584 -s "Extra-header:" \
8585 -c "HTTP/1.0 200 OK"
8586
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8587## Interop tests with OpenSSL might trigger a bug in recent versions (including
8588## all versions installed on the CI machines), reported here:
8589## Bug report: https://github.com/openssl/openssl/issues/6902
8590## They should be re-enabled once a fixed version of OpenSSL is available
8591## (this should happen in some 1.1.1_ release according to the ticket).
8592skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8593client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8594not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8595run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8596 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8597 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8598 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8599 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8600 -c "HTTP/1.0 200 OK"
8601
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8602skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8603client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8604not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8605run_test "DTLS proxy: 3d, openssl server, fragmentation" \
8606 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8607 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8608 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8609 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8610 -c "HTTP/1.0 200 OK"
8611
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8612skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8613client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8614not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8615run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
8616 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8617 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8618 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8619 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8620 -c "HTTP/1.0 200 OK"
8621
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]8622requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8623client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8624not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8625run_test "DTLS proxy: 3d, gnutls server" \
8626 -p "$P_PXY drop=5 delay=5 duplicate=5" \
8627 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8628 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8629 0 \
8630 -s "Extra-header:" \
8631 -c "Extra-header:"
8632
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8633requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8634client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8635not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8636run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
8637 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8638 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8639 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8640 0 \
8641 -s "Extra-header:" \
8642 -c "Extra-header:"
8643
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8644requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8645client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8646not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8647run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
8648 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8649 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8650 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8651 0 \
8652 -s "Extra-header:" \
8653 -c "Extra-header:"
8654
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]8655# Final report
8656
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8657echo "------------------------------------------------------------------------"
8658
8659if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8660 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8661else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8662 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8663fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]8664PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]8665echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8666
8667exit $FAILS