TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / cfdf8f4d8f8f56ac3a6a71d8afce4f27d622990b / . / tests / ssl-opt.sh
blob: 5cded213eed13e6d9dd0c8732d83d4a56d05aa42 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]24if cd $( dirname $0 ); then :; else
25 echo "cd $( dirname $0 ) failed" >&2
26 exit 1
27fi
28
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]29# default values, can be overriden by the environment
30: ${P_SRV:=../programs/ssl/ssl_server2}
31: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]32: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]33: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]34: ${GNUTLS_CLI:=gnutls-cli}
35: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]36: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]37
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]38O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]39O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]40G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]41G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]42TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]43
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]44# alternative versions of OpenSSL and GnuTLS (no default path)
45
46if [ -n "${OPENSSL_LEGACY:-}" ]; then
47 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
48 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
49else
50 O_LEGACY_SRV=false
51 O_LEGACY_CLI=false
52fi
53
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]54if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]55 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
56else
57 G_NEXT_SRV=false
58fi
59
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]60if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]61 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
62else
63 G_NEXT_CLI=false
64fi
65
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]66TESTS=0
67FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]68SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]69
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]70CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]71
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]73FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]74EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]75
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]76SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]77RUN_TEST_NUMBER=''
78
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]79PRESERVE_LOGS=0
80
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]81# Pick a "unique" server port in the range 10000-19999, and a proxy
82# port which is this plus 10000. Each port number may be independently
83# overridden by a command line option.
84SRV_PORT=$(($$ % 10000 + 10000))
85PXY_PORT=$((SRV_PORT + 10000))
86
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]87print_usage() {
88 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]89 printf " -h|--help\tPrint this help.\n"
90 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]91 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
92 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]93 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]94 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]95 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]96 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
97 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]98 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]99}
100
101get_options() {
102 while [ $# -gt 0 ]; do
103 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]104 -f|--filter)
105 shift; FILTER=$1
106 ;;
107 -e|--exclude)
108 shift; EXCLUDE=$1
109 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 -m|--memcheck)
111 MEMCHECK=1
112 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]113 -n|--number)
114 shift; RUN_TEST_NUMBER=$1
115 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]116 -s|--show-numbers)
117 SHOW_TEST_NUMBER=1
118 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]119 -p|--preserve-logs)
120 PRESERVE_LOGS=1
121 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]122 --port)
123 shift; SRV_PORT=$1
124 ;;
125 --proxy-port)
126 shift; PXY_PORT=$1
127 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]128 --seed)
129 shift; SEED="$1"
130 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]131 -h|--help)
132 print_usage
133 exit 0
134 ;;
135 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]136 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]137 print_usage
138 exit 1
139 ;;
140 esac
141 shift
142 done
143}
144
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]145# Skip next test; use this macro to skip tests which are legitimate
146# in theory and expected to be re-introduced at some point, but
147# aren't expected to succeed at the moment due to problems outside
148# our control (such as bugs in other TLS implementations).
149skip_next_test() {
150 SKIP_NEXT="YES"
151}
152
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]153# skip next test if the flag is not enabled in config.h
154requires_config_enabled() {
155 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
156 SKIP_NEXT="YES"
157 fi
158}
159
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]160# skip next test if the flag is enabled in config.h
161requires_config_disabled() {
162 if grep "^#define $1" $CONFIG_H > /dev/null; then
163 SKIP_NEXT="YES"
164 fi
165}
166
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]167get_config_value_or_default() {
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]168 NAME="$1"
Hanno Beckere6045562018-08-28 11:24:55 +0100[diff] [blame]169 DEF_VAL=$( grep ".*#define.*${NAME}" ../include/mbedtls/config.h |
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]170 sed 's/^.*\s\([0-9]*\)$/\1/' )
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]171 ../scripts/config.pl get $NAME || echo "$DEF_VAL"
172}
173
174requires_config_value_at_least() {
175 VAL=$( get_config_value_or_default "$1" )
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]176 if [ "$VAL" -lt "$2" ]; then
177 SKIP_NEXT="YES"
178 fi
179}
180
181requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]182 VAL=$( get_config_value_or_default "$1" )
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]183 if [ "$VAL" -gt "$2" ]; then
184 SKIP_NEXT="YES"
185 fi
186}
187
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]188# skip next test if OpenSSL doesn't support FALLBACK_SCSV
189requires_openssl_with_fallback_scsv() {
190 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
191 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
192 then
193 OPENSSL_HAS_FBSCSV="YES"
194 else
195 OPENSSL_HAS_FBSCSV="NO"
196 fi
197 fi
198 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
199 SKIP_NEXT="YES"
200 fi
201}
202
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]203# skip next test if GnuTLS isn't available
204requires_gnutls() {
205 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]206 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]207 GNUTLS_AVAILABLE="YES"
208 else
209 GNUTLS_AVAILABLE="NO"
210 fi
211 fi
212 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
213 SKIP_NEXT="YES"
214 fi
215}
216
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]217# skip next test if GnuTLS-next isn't available
218requires_gnutls_next() {
219 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
220 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
221 GNUTLS_NEXT_AVAILABLE="YES"
222 else
223 GNUTLS_NEXT_AVAILABLE="NO"
224 fi
225 fi
226 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
227 SKIP_NEXT="YES"
228 fi
229}
230
231# skip next test if OpenSSL-legacy isn't available
232requires_openssl_legacy() {
233 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
234 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
235 OPENSSL_LEGACY_AVAILABLE="YES"
236 else
237 OPENSSL_LEGACY_AVAILABLE="NO"
238 fi
239 fi
240 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
241 SKIP_NEXT="YES"
242 fi
243}
244
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]245# skip next test if IPv6 isn't available on this host
246requires_ipv6() {
247 if [ -z "${HAS_IPV6:-}" ]; then
248 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
249 SRV_PID=$!
250 sleep 1
251 kill $SRV_PID >/dev/null 2>&1
252 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
253 HAS_IPV6="NO"
254 else
255 HAS_IPV6="YES"
256 fi
257 rm -r $SRV_OUT
258 fi
259
260 if [ "$HAS_IPV6" = "NO" ]; then
261 SKIP_NEXT="YES"
262 fi
263}
264
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]265# skip next test if it's i686 or uname is not available
266requires_not_i686() {
267 if [ -z "${IS_I686:-}" ]; then
268 IS_I686="YES"
269 if which "uname" >/dev/null 2>&1; then
270 if [ -z "$(uname -a | grep i686)" ]; then
271 IS_I686="NO"
272 fi
273 fi
274 fi
275 if [ "$IS_I686" = "YES" ]; then
276 SKIP_NEXT="YES"
277 fi
278}
279
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]280# Calculate the input & output maximum content lengths set in the config
281MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
282MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
283MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
284
285if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
286 MAX_CONTENT_LEN="$MAX_IN_LEN"
287fi
288if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
289 MAX_CONTENT_LEN="$MAX_OUT_LEN"
290fi
291
292# skip the next test if the SSL output buffer is less than 16KB
293requires_full_size_output_buffer() {
294 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
295 SKIP_NEXT="YES"
296 fi
297}
298
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]299# skip the next test if valgrind is in use
300not_with_valgrind() {
301 if [ "$MEMCHECK" -gt 0 ]; then
302 SKIP_NEXT="YES"
303 fi
304}
305
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]306# skip the next test if valgrind is NOT in use
307only_with_valgrind() {
308 if [ "$MEMCHECK" -eq 0 ]; then
309 SKIP_NEXT="YES"
310 fi
311}
312
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]313# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]314client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]315 CLI_DELAY_FACTOR=$1
316}
317
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]318# wait for the given seconds after the client finished in the next test
319server_needs_more_time() {
320 SRV_DELAY_SECONDS=$1
321}
322
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]323# print_name <name>
324print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]325 TESTS=$(( $TESTS + 1 ))
326 LINE=""
327
328 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
329 LINE="$TESTS "
330 fi
331
332 LINE="$LINE$1"
333 printf "$LINE "
334 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]335 for i in `seq 1 $LEN`; do printf '.'; done
336 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]337
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]338}
339
340# fail <message>
341fail() {
342 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]343 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]344
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]345 mv $SRV_OUT o-srv-${TESTS}.log
346 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]347 if [ -n "$PXY_CMD" ]; then
348 mv $PXY_OUT o-pxy-${TESTS}.log
349 fi
350 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]351
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]352 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]353 echo " ! server output:"
354 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]355 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]356 echo " ! client output:"
357 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]358 if [ -n "$PXY_CMD" ]; then
359 echo " ! ========================================================"
360 echo " ! proxy output:"
361 cat o-pxy-${TESTS}.log
362 fi
363 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]364 fi
365
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]366 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]367}
368
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]369# is_polar <cmd_line>
370is_polar() {
371 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
372}
373
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]374# openssl s_server doesn't have -www with DTLS
375check_osrv_dtls() {
376 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
377 NEEDS_INPUT=1
378 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
379 else
380 NEEDS_INPUT=0
381 fi
382}
383
384# provide input to commands that need it
385provide_input() {
386 if [ $NEEDS_INPUT -eq 0 ]; then
387 return
388 fi
389
390 while true; do
391 echo "HTTP/1.0 200 OK"
392 sleep 1
393 done
394}
395
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]396# has_mem_err <log_file_name>
397has_mem_err() {
398 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
399 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
400 then
401 return 1 # false: does not have errors
402 else
403 return 0 # true: has errors
404 fi
405}
406
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]407# Wait for process $2 to be listening on port $1
408if type lsof >/dev/null 2>/dev/null; then
409 wait_server_start() {
410 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]411 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]412 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]413 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]414 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]415 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]416 # Make a tight loop, server normally takes less than 1s to start.
417 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
418 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
419 echo "SERVERSTART TIMEOUT"
420 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
421 break
422 fi
423 # Linux and *BSD support decimal arguments to sleep. On other
424 # OSes this may be a tight loop.
425 sleep 0.1 2>/dev/null || true
426 done
427 }
428else
Gilles Peskinea9312652018-06-29 15:48:13 +0200[diff] [blame]429 echo "Warning: lsof not available, wait_server_start = sleep"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]430 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]431 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]432 }
433fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]434
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]435# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]436# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]437# acceptable bounds
438check_server_hello_time() {
439 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]440 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]441 # Get the Unix timestamp for now
442 CUR_TIME=$(date +'%s')
443 THRESHOLD_IN_SECS=300
444
445 # Check if the ServerHello time was printed
446 if [ -z "$SERVER_HELLO_TIME" ]; then
447 return 1
448 fi
449
450 # Check the time in ServerHello is within acceptable bounds
451 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
452 # The time in ServerHello is at least 5 minutes before now
453 return 1
454 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]455 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]456 return 1
457 else
458 return 0
459 fi
460}
461
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]462# wait for client to terminate and set CLI_EXIT
463# must be called right after starting the client
464wait_client_done() {
465 CLI_PID=$!
466
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]467 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
468 CLI_DELAY_FACTOR=1
469
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]470 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]471 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]472
473 wait $CLI_PID
474 CLI_EXIT=$?
475
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]476 kill $DOG_PID >/dev/null 2>&1
477 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]478
479 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]480
481 sleep $SRV_DELAY_SECONDS
482 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]483}
484
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]485# check if the given command uses dtls and sets global variable DTLS
486detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]487 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]488 DTLS=1
489 else
490 DTLS=0
491 fi
492}
493
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]494# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]495# Options: -s pattern pattern that must be present in server output
496# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]497# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]498# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]499# -S pattern pattern that must be absent in server output
500# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]501# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]502# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]503run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]504 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]505 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]506
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]507 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
508 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]509 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]510 return
511 fi
512
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]513 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]514
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]515 # Do we only run numbered tests?
516 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
517 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
518 else
519 SKIP_NEXT="YES"
520 fi
521
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]522 # should we skip?
523 if [ "X$SKIP_NEXT" = "XYES" ]; then
524 SKIP_NEXT="NO"
525 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]526 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]527 return
528 fi
529
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]530 # does this test use a proxy?
531 if [ "X$1" = "X-p" ]; then
532 PXY_CMD="$2"
533 shift 2
534 else
535 PXY_CMD=""
536 fi
537
538 # get commands and client output
539 SRV_CMD="$1"
540 CLI_CMD="$2"
541 CLI_EXPECT="$3"
542 shift 3
543
544 # fix client port
545 if [ -n "$PXY_CMD" ]; then
546 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
547 else
548 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
549 fi
550
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]551 # update DTLS variable
552 detect_dtls "$SRV_CMD"
553
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]554 # prepend valgrind to our commands if active
555 if [ "$MEMCHECK" -gt 0 ]; then
556 if is_polar "$SRV_CMD"; then
557 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
558 fi
559 if is_polar "$CLI_CMD"; then
560 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
561 fi
562 fi
563
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]564 TIMES_LEFT=2
565 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]566 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]567
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]568 # run the commands
569 if [ -n "$PXY_CMD" ]; then
570 echo "$PXY_CMD" > $PXY_OUT
571 $PXY_CMD >> $PXY_OUT 2>&1 &
572 PXY_PID=$!
573 # assume proxy starts faster than server
574 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]575
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]576 check_osrv_dtls
577 echo "$SRV_CMD" > $SRV_OUT
578 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
579 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]580 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]581
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]582 echo "$CLI_CMD" > $CLI_OUT
583 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
584 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]585
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]586 sleep 0.05
587
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]588 # terminate the server (and the proxy)
589 kill $SRV_PID
590 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]591
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]592 if [ -n "$PXY_CMD" ]; then
593 kill $PXY_PID >/dev/null 2>&1
594 wait $PXY_PID
595 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]596
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]597 # retry only on timeouts
598 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
599 printf "RETRY "
600 else
601 TIMES_LEFT=0
602 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]603 done
604
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]605 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]606 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]607 # expected client exit to incorrectly succeed in case of catastrophic
608 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]609 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]610 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]611 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]612 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]613 return
614 fi
615 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]616 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]617 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]618 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]619 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]620 return
621 fi
622 fi
623
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]624 # check server exit code
625 if [ $? != 0 ]; then
626 fail "server fail"
627 return
628 fi
629
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]630 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]631 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
632 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]633 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]634 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]635 return
636 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]637
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]638 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]639 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]640 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]641 while [ $# -gt 0 ]
642 do
643 case $1 in
644 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]645 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]646 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]647 return
648 fi
649 ;;
650
651 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]652 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]653 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]654 return
655 fi
656 ;;
657
658 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]659 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]660 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]661 return
662 fi
663 ;;
664
665 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]666 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]667 fail "pattern '$2' MUST NOT be present in the Client output"
668 return
669 fi
670 ;;
671
672 # The filtering in the following two options (-u and -U) do the following
673 # - ignore valgrind output
674 # - filter out everything but lines right after the pattern occurances
675 # - keep one of each non-unique line
676 # - count how many lines remain
677 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
678 # if there were no duplicates.
679 "-U")
680 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
681 fail "lines following pattern '$2' must be unique in Server output"
682 return
683 fi
684 ;;
685
686 "-u")
687 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
688 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]689 return
690 fi
691 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]692 "-F")
693 if ! $2 "$SRV_OUT"; then
694 fail "function call to '$2' failed on Server output"
695 return
696 fi
697 ;;
698 "-f")
699 if ! $2 "$CLI_OUT"; then
700 fail "function call to '$2' failed on Client output"
701 return
702 fi
703 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]704
705 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]706 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]707 exit 1
708 esac
709 shift 2
710 done
711
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]712 # check valgrind's results
713 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]714 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]715 fail "Server has memory errors"
716 return
717 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]718 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]719 fail "Client has memory errors"
720 return
721 fi
722 fi
723
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]724 # if we're here, everything is ok
725 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]726 if [ "$PRESERVE_LOGS" -gt 0 ]; then
727 mv $SRV_OUT o-srv-${TESTS}.log
728 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]729 if [ -n "$PXY_CMD" ]; then
730 mv $PXY_OUT o-pxy-${TESTS}.log
731 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]732 fi
733
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]734 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]735}
736
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]737cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]738 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]739 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
740 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
741 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
742 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]743 exit 1
744}
745
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]746#
747# MAIN
748#
749
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]750get_options "$@"
751
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]752# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]753P_SRV_BIN="${P_SRV%%[ ]*}"
754P_CLI_BIN="${P_CLI%%[ ]*}"
755P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]756if [ ! -x "$P_SRV_BIN" ]; then
757 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]758 exit 1
759fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]760if [ ! -x "$P_CLI_BIN" ]; then
761 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]762 exit 1
763fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]764if [ ! -x "$P_PXY_BIN" ]; then
765 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]766 exit 1
767fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]768if [ "$MEMCHECK" -gt 0 ]; then
769 if which valgrind >/dev/null 2>&1; then :; else
770 echo "Memcheck not possible. Valgrind not found"
771 exit 1
772 fi
773fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]774if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
775 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]776 exit 1
777fi
778
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]779# used by watchdog
780MAIN_PID="$$"
781
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]782# We use somewhat arbitrary delays for tests:
783# - how long do we wait for the server to start (when lsof not available)?
784# - how long do we allow for the client to finish?
785# (not to check performance, just to avoid waiting indefinitely)
786# Things are slower with valgrind, so give extra time here.
787#
788# Note: without lsof, there is a trade-off between the running time of this
789# script and the risk of spurious errors because we didn't wait long enough.
790# The watchdog delay on the other hand doesn't affect normal running time of
791# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]792if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]793 START_DELAY=6
794 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]795else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]796 START_DELAY=2
797 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]798fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]799
800# some particular tests need more time:
801# - for the client, we multiply the usual watchdog limit by a factor
802# - for the server, we sleep for a number of seconds after the client exits
803# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]804CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]805SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]806
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]807# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]808# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]809P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
810P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]811P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]812O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]813O_CLI="$O_CLI -connect localhost:+SRV_PORT"
814G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]815G_CLI="$G_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]816
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]817if [ -n "${OPENSSL_LEGACY:-}" ]; then
818 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
819 O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
820fi
821
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]822if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]823 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
824fi
825
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]826if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]827 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]828fi
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]829
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]830# Allow SHA-1, because many of our test certificates use it
831P_SRV="$P_SRV allow_sha1=1"
832P_CLI="$P_CLI allow_sha1=1"
833
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]834# Also pick a unique name for intermediate files
835SRV_OUT="srv_out.$$"
836CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]837PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]838SESSION="session.$$"
839
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]840SKIP_NEXT="NO"
841
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]842trap cleanup INT TERM HUP
843
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]844# Basic test
845
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]846# Checks that:
847# - things work with all ciphersuites active (used with config-full in all.sh)
848# - the expected (highest security) parameters are selected
849# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]850run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]851 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]852 "$P_CLI" \
853 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]854 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]855 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]856 -s "client hello v3, signature_algorithm ext: 6" \
857 -s "ECDHE curve: secp521r1" \
858 -S "error" \
859 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]860
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]861run_test "Default, DTLS" \
862 "$P_SRV dtls=1" \
863 "$P_CLI dtls=1" \
864 0 \
865 -s "Protocol is DTLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]866 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]867
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame^]868# Test using an opaque private key for client authentication
869requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
870requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
871requires_config_enabled MBEDTLS_ECDSA_C
872requires_config_enabled MBEDTLS_SHA256_C
873run_test "Opaque key for client authentication" \
874 "$P_SRV auth_mode=required" \
875 "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
876 key_file=data_files/server5.key" \
877 0 \
878 -c "key type: Opaque" \
879 -s "Verifying peer X.509 certificate... ok" \
880 -S "error" \
881 -C "error"
882
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]883# Test current time in ServerHello
884requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]885run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]886 "$P_SRV debug_level=3" \
887 "$P_CLI debug_level=3" \
888 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]889 -f "check_server_hello_time" \
890 -F "check_server_hello_time"
891
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]892# Test for uniqueness of IVs in AEAD ciphersuites
893run_test "Unique IV in GCM" \
894 "$P_SRV exchanges=20 debug_level=4" \
895 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
896 0 \
897 -u "IV used" \
898 -U "IV used"
899
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]900# Tests for rc4 option
901
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]902requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]903run_test "RC4: server disabled, client enabled" \
904 "$P_SRV" \
905 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
906 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]907 -s "SSL - The server has no ciphersuites in common"
908
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]909requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]910run_test "RC4: server half, client enabled" \
911 "$P_SRV arc4=1" \
912 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
913 1 \
914 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]915
916run_test "RC4: server enabled, client disabled" \
917 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
918 "$P_CLI" \
919 1 \
920 -s "SSL - The server has no ciphersuites in common"
921
922run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]923 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]924 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
925 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]926 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]927 -S "SSL - The server has no ciphersuites in common"
928
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]929# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
930
931requires_gnutls
932requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
933run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
934 "$G_SRV"\
935 "$P_CLI force_version=tls1_1" \
936 0
937
938requires_gnutls
939requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
940run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
941 "$G_SRV"\
942 "$P_CLI force_version=tls1" \
943 0
944
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]945# Tests for SHA-1 support
946
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]947requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]948run_test "SHA-1 forbidden by default in server certificate" \
949 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
950 "$P_CLI debug_level=2 allow_sha1=0" \
951 1 \
952 -c "The certificate is signed with an unacceptable hash"
953
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]954requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
955run_test "SHA-1 forbidden by default in server certificate" \
956 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
957 "$P_CLI debug_level=2 allow_sha1=0" \
958 0
959
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]960run_test "SHA-1 explicitly allowed in server certificate" \
961 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
962 "$P_CLI allow_sha1=1" \
963 0
964
965run_test "SHA-256 allowed by default in server certificate" \
966 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
967 "$P_CLI allow_sha1=0" \
968 0
969
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]970requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]971run_test "SHA-1 forbidden by default in client certificate" \
972 "$P_SRV auth_mode=required allow_sha1=0" \
973 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
974 1 \
975 -s "The certificate is signed with an unacceptable hash"
976
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]977requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
978run_test "SHA-1 forbidden by default in client certificate" \
979 "$P_SRV auth_mode=required allow_sha1=0" \
980 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
981 0
982
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]983run_test "SHA-1 explicitly allowed in client certificate" \
984 "$P_SRV auth_mode=required allow_sha1=1" \
985 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
986 0
987
988run_test "SHA-256 allowed by default in client certificate" \
989 "$P_SRV auth_mode=required allow_sha1=0" \
990 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
991 0
992
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]993# Tests for datagram packing
994run_test "DTLS: multiple records in same datagram, client and server" \
995 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
996 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
997 0 \
998 -c "next record in same datagram" \
999 -s "next record in same datagram"
1000
1001run_test "DTLS: multiple records in same datagram, client only" \
1002 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1003 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1004 0 \
1005 -s "next record in same datagram" \
1006 -C "next record in same datagram"
1007
1008run_test "DTLS: multiple records in same datagram, server only" \
1009 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1010 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1011 0 \
1012 -S "next record in same datagram" \
1013 -c "next record in same datagram"
1014
1015run_test "DTLS: multiple records in same datagram, neither client nor server" \
1016 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1017 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1018 0 \
1019 -S "next record in same datagram" \
1020 -C "next record in same datagram"
1021
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1022# Tests for Truncated HMAC extension
1023
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1024run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1025 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1026 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1027 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1028 -s "dumping 'expected mac' (20 bytes)" \
1029 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1030
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1031requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1032run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1033 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1034 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1035 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1036 -s "dumping 'expected mac' (20 bytes)" \
1037 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1038
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1039requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1040run_test "Truncated HMAC: client enabled, server default" \
1041 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1042 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1043 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1044 -s "dumping 'expected mac' (20 bytes)" \
1045 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1046
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1047requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1048run_test "Truncated HMAC: client enabled, server disabled" \
1049 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1050 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1051 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1052 -s "dumping 'expected mac' (20 bytes)" \
1053 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1054
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1055requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1056run_test "Truncated HMAC: client disabled, server enabled" \
1057 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1058 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1059 0 \
1060 -s "dumping 'expected mac' (20 bytes)" \
1061 -S "dumping 'expected mac' (10 bytes)"
1062
1063requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1064run_test "Truncated HMAC: client enabled, server enabled" \
1065 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1066 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1067 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1068 -S "dumping 'expected mac' (20 bytes)" \
1069 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1070
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1071run_test "Truncated HMAC, DTLS: client default, server default" \
1072 "$P_SRV dtls=1 debug_level=4" \
1073 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1074 0 \
1075 -s "dumping 'expected mac' (20 bytes)" \
1076 -S "dumping 'expected mac' (10 bytes)"
1077
1078requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1079run_test "Truncated HMAC, DTLS: client disabled, server default" \
1080 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1081 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1082 0 \
1083 -s "dumping 'expected mac' (20 bytes)" \
1084 -S "dumping 'expected mac' (10 bytes)"
1085
1086requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1087run_test "Truncated HMAC, DTLS: client enabled, server default" \
1088 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1089 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1090 0 \
1091 -s "dumping 'expected mac' (20 bytes)" \
1092 -S "dumping 'expected mac' (10 bytes)"
1093
1094requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1095run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1096 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1097 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1098 0 \
1099 -s "dumping 'expected mac' (20 bytes)" \
1100 -S "dumping 'expected mac' (10 bytes)"
1101
1102requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1103run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1104 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1105 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1106 0 \
1107 -s "dumping 'expected mac' (20 bytes)" \
1108 -S "dumping 'expected mac' (10 bytes)"
1109
1110requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1111run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1112 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1113 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1114 0 \
1115 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1116 -s "dumping 'expected mac' (10 bytes)"
1117
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1118# Tests for Encrypt-then-MAC extension
1119
1120run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1121 "$P_SRV debug_level=3 \
1122 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1123 "$P_CLI debug_level=3" \
1124 0 \
1125 -c "client hello, adding encrypt_then_mac extension" \
1126 -s "found encrypt then mac extension" \
1127 -s "server hello, adding encrypt then mac extension" \
1128 -c "found encrypt_then_mac extension" \
1129 -c "using encrypt then mac" \
1130 -s "using encrypt then mac"
1131
1132run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1133 "$P_SRV debug_level=3 etm=0 \
1134 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1135 "$P_CLI debug_level=3 etm=1" \
1136 0 \
1137 -c "client hello, adding encrypt_then_mac extension" \
1138 -s "found encrypt then mac extension" \
1139 -S "server hello, adding encrypt then mac extension" \
1140 -C "found encrypt_then_mac extension" \
1141 -C "using encrypt then mac" \
1142 -S "using encrypt then mac"
1143
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1144run_test "Encrypt then MAC: client enabled, aead cipher" \
1145 "$P_SRV debug_level=3 etm=1 \
1146 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
1147 "$P_CLI debug_level=3 etm=1" \
1148 0 \
1149 -c "client hello, adding encrypt_then_mac extension" \
1150 -s "found encrypt then mac extension" \
1151 -S "server hello, adding encrypt then mac extension" \
1152 -C "found encrypt_then_mac extension" \
1153 -C "using encrypt then mac" \
1154 -S "using encrypt then mac"
1155
1156run_test "Encrypt then MAC: client enabled, stream cipher" \
1157 "$P_SRV debug_level=3 etm=1 \
1158 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1159 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1160 0 \
1161 -c "client hello, adding encrypt_then_mac extension" \
1162 -s "found encrypt then mac extension" \
1163 -S "server hello, adding encrypt then mac extension" \
1164 -C "found encrypt_then_mac extension" \
1165 -C "using encrypt then mac" \
1166 -S "using encrypt then mac"
1167
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1168run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1169 "$P_SRV debug_level=3 etm=1 \
1170 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1171 "$P_CLI debug_level=3 etm=0" \
1172 0 \
1173 -C "client hello, adding encrypt_then_mac extension" \
1174 -S "found encrypt then mac extension" \
1175 -S "server hello, adding encrypt then mac extension" \
1176 -C "found encrypt_then_mac extension" \
1177 -C "using encrypt then mac" \
1178 -S "using encrypt then mac"
1179
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1180requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1181run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1182 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1183 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1184 "$P_CLI debug_level=3 force_version=ssl3" \
1185 0 \
1186 -C "client hello, adding encrypt_then_mac extension" \
1187 -S "found encrypt then mac extension" \
1188 -S "server hello, adding encrypt then mac extension" \
1189 -C "found encrypt_then_mac extension" \
1190 -C "using encrypt then mac" \
1191 -S "using encrypt then mac"
1192
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1193requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1194run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1195 "$P_SRV debug_level=3 force_version=ssl3 \
1196 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1197 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1198 0 \
1199 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1200 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1201 -S "server hello, adding encrypt then mac extension" \
1202 -C "found encrypt_then_mac extension" \
1203 -C "using encrypt then mac" \
1204 -S "using encrypt then mac"
1205
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1206# Tests for Extended Master Secret extension
1207
1208run_test "Extended Master Secret: default" \
1209 "$P_SRV debug_level=3" \
1210 "$P_CLI debug_level=3" \
1211 0 \
1212 -c "client hello, adding extended_master_secret extension" \
1213 -s "found extended master secret extension" \
1214 -s "server hello, adding extended master secret extension" \
1215 -c "found extended_master_secret extension" \
1216 -c "using extended master secret" \
1217 -s "using extended master secret"
1218
1219run_test "Extended Master Secret: client enabled, server disabled" \
1220 "$P_SRV debug_level=3 extended_ms=0" \
1221 "$P_CLI debug_level=3 extended_ms=1" \
1222 0 \
1223 -c "client hello, adding extended_master_secret extension" \
1224 -s "found extended master secret extension" \
1225 -S "server hello, adding extended master secret extension" \
1226 -C "found extended_master_secret extension" \
1227 -C "using extended master secret" \
1228 -S "using extended master secret"
1229
1230run_test "Extended Master Secret: client disabled, server enabled" \
1231 "$P_SRV debug_level=3 extended_ms=1" \
1232 "$P_CLI debug_level=3 extended_ms=0" \
1233 0 \
1234 -C "client hello, adding extended_master_secret extension" \
1235 -S "found extended master secret extension" \
1236 -S "server hello, adding extended master secret extension" \
1237 -C "found extended_master_secret extension" \
1238 -C "using extended master secret" \
1239 -S "using extended master secret"
1240
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1241requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1242run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1243 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1244 "$P_CLI debug_level=3 force_version=ssl3" \
1245 0 \
1246 -C "client hello, adding extended_master_secret extension" \
1247 -S "found extended master secret extension" \
1248 -S "server hello, adding extended master secret extension" \
1249 -C "found extended_master_secret extension" \
1250 -C "using extended master secret" \
1251 -S "using extended master secret"
1252
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1253requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1254run_test "Extended Master Secret: client enabled, server SSLv3" \
1255 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1256 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1257 0 \
1258 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1259 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1260 -S "server hello, adding extended master secret extension" \
1261 -C "found extended_master_secret extension" \
1262 -C "using extended master secret" \
1263 -S "using extended master secret"
1264
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1265# Tests for FALLBACK_SCSV
1266
1267run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1268 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1269 "$P_CLI debug_level=3 force_version=tls1_1" \
1270 0 \
1271 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1272 -S "received FALLBACK_SCSV" \
1273 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1274 -C "is a fatal alert message (msg 86)"
1275
1276run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1277 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1278 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1279 0 \
1280 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1281 -S "received FALLBACK_SCSV" \
1282 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1283 -C "is a fatal alert message (msg 86)"
1284
1285run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1286 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1287 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1288 1 \
1289 -c "adding FALLBACK_SCSV" \
1290 -s "received FALLBACK_SCSV" \
1291 -s "inapropriate fallback" \
1292 -c "is a fatal alert message (msg 86)"
1293
1294run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1295 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1296 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1297 0 \
1298 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1299 -s "received FALLBACK_SCSV" \
1300 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1301 -C "is a fatal alert message (msg 86)"
1302
1303requires_openssl_with_fallback_scsv
1304run_test "Fallback SCSV: default, openssl server" \
1305 "$O_SRV" \
1306 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1307 0 \
1308 -C "adding FALLBACK_SCSV" \
1309 -C "is a fatal alert message (msg 86)"
1310
1311requires_openssl_with_fallback_scsv
1312run_test "Fallback SCSV: enabled, openssl server" \
1313 "$O_SRV" \
1314 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1315 1 \
1316 -c "adding FALLBACK_SCSV" \
1317 -c "is a fatal alert message (msg 86)"
1318
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1319requires_openssl_with_fallback_scsv
1320run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1321 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1322 "$O_CLI -tls1_1" \
1323 0 \
1324 -S "received FALLBACK_SCSV" \
1325 -S "inapropriate fallback"
1326
1327requires_openssl_with_fallback_scsv
1328run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1329 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1330 "$O_CLI -tls1_1 -fallback_scsv" \
1331 1 \
1332 -s "received FALLBACK_SCSV" \
1333 -s "inapropriate fallback"
1334
1335requires_openssl_with_fallback_scsv
1336run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1337 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1338 "$O_CLI -fallback_scsv" \
1339 0 \
1340 -s "received FALLBACK_SCSV" \
1341 -S "inapropriate fallback"
1342
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]1343# Test sending and receiving empty application data records
1344
1345run_test "Encrypt then MAC: empty application data record" \
1346 "$P_SRV auth_mode=none debug_level=4 etm=1" \
1347 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
1348 0 \
1349 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1350 -s "dumping 'input payload after decrypt' (0 bytes)" \
1351 -c "0 bytes written in 1 fragments"
1352
1353run_test "Default, no Encrypt then MAC: empty application data record" \
1354 "$P_SRV auth_mode=none debug_level=4 etm=0" \
1355 "$P_CLI auth_mode=none etm=0 request_size=0" \
1356 0 \
1357 -s "dumping 'input payload after decrypt' (0 bytes)" \
1358 -c "0 bytes written in 1 fragments"
1359
1360run_test "Encrypt then MAC, DTLS: empty application data record" \
1361 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
1362 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
1363 0 \
1364 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1365 -s "dumping 'input payload after decrypt' (0 bytes)" \
1366 -c "0 bytes written in 1 fragments"
1367
1368run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
1369 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
1370 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
1371 0 \
1372 -s "dumping 'input payload after decrypt' (0 bytes)" \
1373 -c "0 bytes written in 1 fragments"
1374
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1375## ClientHello generated with
1376## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1377## then manually twiddling the ciphersuite list.
1378## The ClientHello content is spelled out below as a hex string as
1379## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1380## The expected response is an inappropriate_fallback alert.
1381requires_openssl_with_fallback_scsv
1382run_test "Fallback SCSV: beginning of list" \
1383 "$P_SRV debug_level=2" \
1384 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1385 0 \
1386 -s "received FALLBACK_SCSV" \
1387 -s "inapropriate fallback"
1388
1389requires_openssl_with_fallback_scsv
1390run_test "Fallback SCSV: end of list" \
1391 "$P_SRV debug_level=2" \
1392 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1393 0 \
1394 -s "received FALLBACK_SCSV" \
1395 -s "inapropriate fallback"
1396
1397## Here the expected response is a valid ServerHello prefix, up to the random.
1398requires_openssl_with_fallback_scsv
1399run_test "Fallback SCSV: not in list" \
1400 "$P_SRV debug_level=2" \
1401 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1402 0 \
1403 -S "received FALLBACK_SCSV" \
1404 -S "inapropriate fallback"
1405
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1406# Tests for CBC 1/n-1 record splitting
1407
1408run_test "CBC Record splitting: TLS 1.2, no splitting" \
1409 "$P_SRV" \
1410 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1411 request_size=123 force_version=tls1_2" \
1412 0 \
1413 -s "Read from client: 123 bytes read" \
1414 -S "Read from client: 1 bytes read" \
1415 -S "122 bytes read"
1416
1417run_test "CBC Record splitting: TLS 1.1, no splitting" \
1418 "$P_SRV" \
1419 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1420 request_size=123 force_version=tls1_1" \
1421 0 \
1422 -s "Read from client: 123 bytes read" \
1423 -S "Read from client: 1 bytes read" \
1424 -S "122 bytes read"
1425
1426run_test "CBC Record splitting: TLS 1.0, splitting" \
1427 "$P_SRV" \
1428 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1429 request_size=123 force_version=tls1" \
1430 0 \
1431 -S "Read from client: 123 bytes read" \
1432 -s "Read from client: 1 bytes read" \
1433 -s "122 bytes read"
1434
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1435requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1436run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1437 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1438 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1439 request_size=123 force_version=ssl3" \
1440 0 \
1441 -S "Read from client: 123 bytes read" \
1442 -s "Read from client: 1 bytes read" \
1443 -s "122 bytes read"
1444
1445run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1446 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1447 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1448 request_size=123 force_version=tls1" \
1449 0 \
1450 -s "Read from client: 123 bytes read" \
1451 -S "Read from client: 1 bytes read" \
1452 -S "122 bytes read"
1453
1454run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1455 "$P_SRV" \
1456 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1457 request_size=123 force_version=tls1 recsplit=0" \
1458 0 \
1459 -s "Read from client: 123 bytes read" \
1460 -S "Read from client: 1 bytes read" \
1461 -S "122 bytes read"
1462
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1463run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1464 "$P_SRV nbio=2" \
1465 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1466 request_size=123 force_version=tls1" \
1467 0 \
1468 -S "Read from client: 123 bytes read" \
1469 -s "Read from client: 1 bytes read" \
1470 -s "122 bytes read"
1471
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1472# Tests for Session Tickets
1473
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1474run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1475 "$P_SRV debug_level=3 tickets=1" \
1476 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1477 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1478 -c "client hello, adding session ticket extension" \
1479 -s "found session ticket extension" \
1480 -s "server hello, adding session ticket extension" \
1481 -c "found session_ticket extension" \
1482 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1483 -S "session successfully restored from cache" \
1484 -s "session successfully restored from ticket" \
1485 -s "a session has been resumed" \
1486 -c "a session has been resumed"
1487
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1488run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1489 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1490 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1491 0 \
1492 -c "client hello, adding session ticket extension" \
1493 -s "found session ticket extension" \
1494 -s "server hello, adding session ticket extension" \
1495 -c "found session_ticket extension" \
1496 -c "parse new session ticket" \
1497 -S "session successfully restored from cache" \
1498 -s "session successfully restored from ticket" \
1499 -s "a session has been resumed" \
1500 -c "a session has been resumed"
1501
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1502run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1503 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1504 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1505 0 \
1506 -c "client hello, adding session ticket extension" \
1507 -s "found session ticket extension" \
1508 -s "server hello, adding session ticket extension" \
1509 -c "found session_ticket extension" \
1510 -c "parse new session ticket" \
1511 -S "session successfully restored from cache" \
1512 -S "session successfully restored from ticket" \
1513 -S "a session has been resumed" \
1514 -C "a session has been resumed"
1515
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1516run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1517 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1518 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1519 0 \
1520 -c "client hello, adding session ticket extension" \
1521 -c "found session_ticket extension" \
1522 -c "parse new session ticket" \
1523 -c "a session has been resumed"
1524
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1525run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1526 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1527 "( $O_CLI -sess_out $SESSION; \
1528 $O_CLI -sess_in $SESSION; \
1529 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1530 0 \
1531 -s "found session ticket extension" \
1532 -s "server hello, adding session ticket extension" \
1533 -S "session successfully restored from cache" \
1534 -s "session successfully restored from ticket" \
1535 -s "a session has been resumed"
1536
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]1537# Tests for Session Tickets with DTLS
1538
1539run_test "Session resume using tickets, DTLS: basic" \
1540 "$P_SRV debug_level=3 dtls=1 tickets=1" \
1541 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
1542 0 \
1543 -c "client hello, adding session ticket extension" \
1544 -s "found session ticket extension" \
1545 -s "server hello, adding session ticket extension" \
1546 -c "found session_ticket extension" \
1547 -c "parse new session ticket" \
1548 -S "session successfully restored from cache" \
1549 -s "session successfully restored from ticket" \
1550 -s "a session has been resumed" \
1551 -c "a session has been resumed"
1552
1553run_test "Session resume using tickets, DTLS: cache disabled" \
1554 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
1555 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
1556 0 \
1557 -c "client hello, adding session ticket extension" \
1558 -s "found session ticket extension" \
1559 -s "server hello, adding session ticket extension" \
1560 -c "found session_ticket extension" \
1561 -c "parse new session ticket" \
1562 -S "session successfully restored from cache" \
1563 -s "session successfully restored from ticket" \
1564 -s "a session has been resumed" \
1565 -c "a session has been resumed"
1566
1567run_test "Session resume using tickets, DTLS: timeout" \
1568 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
1569 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
1570 0 \
1571 -c "client hello, adding session ticket extension" \
1572 -s "found session ticket extension" \
1573 -s "server hello, adding session ticket extension" \
1574 -c "found session_ticket extension" \
1575 -c "parse new session ticket" \
1576 -S "session successfully restored from cache" \
1577 -S "session successfully restored from ticket" \
1578 -S "a session has been resumed" \
1579 -C "a session has been resumed"
1580
1581run_test "Session resume using tickets, DTLS: openssl server" \
1582 "$O_SRV -dtls1" \
1583 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1584 0 \
1585 -c "client hello, adding session ticket extension" \
1586 -c "found session_ticket extension" \
1587 -c "parse new session ticket" \
1588 -c "a session has been resumed"
1589
1590run_test "Session resume using tickets, DTLS: openssl client" \
1591 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1592 "( $O_CLI -dtls1 -sess_out $SESSION; \
1593 $O_CLI -dtls1 -sess_in $SESSION; \
1594 rm -f $SESSION )" \
1595 0 \
1596 -s "found session ticket extension" \
1597 -s "server hello, adding session ticket extension" \
1598 -S "session successfully restored from cache" \
1599 -s "session successfully restored from ticket" \
1600 -s "a session has been resumed"
1601
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1602# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1603
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1604run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1605 "$P_SRV debug_level=3 tickets=0" \
1606 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1607 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1608 -c "client hello, adding session ticket extension" \
1609 -s "found session ticket extension" \
1610 -S "server hello, adding session ticket extension" \
1611 -C "found session_ticket extension" \
1612 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1613 -s "session successfully restored from cache" \
1614 -S "session successfully restored from ticket" \
1615 -s "a session has been resumed" \
1616 -c "a session has been resumed"
1617
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1618run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1619 "$P_SRV debug_level=3 tickets=1" \
1620 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1621 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1622 -C "client hello, adding session ticket extension" \
1623 -S "found session ticket extension" \
1624 -S "server hello, adding session ticket extension" \
1625 -C "found session_ticket extension" \
1626 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1627 -s "session successfully restored from cache" \
1628 -S "session successfully restored from ticket" \
1629 -s "a session has been resumed" \
1630 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1631
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1632run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1633 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1634 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1635 0 \
1636 -S "session successfully restored from cache" \
1637 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1638 -S "a session has been resumed" \
1639 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1640
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1641run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1642 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1643 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1644 0 \
1645 -s "session successfully restored from cache" \
1646 -S "session successfully restored from ticket" \
1647 -s "a session has been resumed" \
1648 -c "a session has been resumed"
1649
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1650run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1651 "$P_SRV debug_level=3 tickets=0" \
1652 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1653 0 \
1654 -s "session successfully restored from cache" \
1655 -S "session successfully restored from ticket" \
1656 -s "a session has been resumed" \
1657 -c "a session has been resumed"
1658
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1659run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1660 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1661 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1662 0 \
1663 -S "session successfully restored from cache" \
1664 -S "session successfully restored from ticket" \
1665 -S "a session has been resumed" \
1666 -C "a session has been resumed"
1667
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1668run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1669 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1670 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1671 0 \
1672 -s "session successfully restored from cache" \
1673 -S "session successfully restored from ticket" \
1674 -s "a session has been resumed" \
1675 -c "a session has been resumed"
1676
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1677run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1678 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1679 "( $O_CLI -sess_out $SESSION; \
1680 $O_CLI -sess_in $SESSION; \
1681 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1682 0 \
1683 -s "found session ticket extension" \
1684 -S "server hello, adding session ticket extension" \
1685 -s "session successfully restored from cache" \
1686 -S "session successfully restored from ticket" \
1687 -s "a session has been resumed"
1688
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1689run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1690 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1691 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1692 0 \
1693 -C "found session_ticket extension" \
1694 -C "parse new session ticket" \
1695 -c "a session has been resumed"
1696
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]1697# Tests for Session Resume based on session-ID and cache, DTLS
1698
1699run_test "Session resume using cache, DTLS: tickets enabled on client" \
1700 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1701 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1702 0 \
1703 -c "client hello, adding session ticket extension" \
1704 -s "found session ticket extension" \
1705 -S "server hello, adding session ticket extension" \
1706 -C "found session_ticket extension" \
1707 -C "parse new session ticket" \
1708 -s "session successfully restored from cache" \
1709 -S "session successfully restored from ticket" \
1710 -s "a session has been resumed" \
1711 -c "a session has been resumed"
1712
1713run_test "Session resume using cache, DTLS: tickets enabled on server" \
1714 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1715 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1716 0 \
1717 -C "client hello, adding session ticket extension" \
1718 -S "found session ticket extension" \
1719 -S "server hello, adding session ticket extension" \
1720 -C "found session_ticket extension" \
1721 -C "parse new session ticket" \
1722 -s "session successfully restored from cache" \
1723 -S "session successfully restored from ticket" \
1724 -s "a session has been resumed" \
1725 -c "a session has been resumed"
1726
1727run_test "Session resume using cache, DTLS: cache_max=0" \
1728 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
1729 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1730 0 \
1731 -S "session successfully restored from cache" \
1732 -S "session successfully restored from ticket" \
1733 -S "a session has been resumed" \
1734 -C "a session has been resumed"
1735
1736run_test "Session resume using cache, DTLS: cache_max=1" \
1737 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
1738 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1739 0 \
1740 -s "session successfully restored from cache" \
1741 -S "session successfully restored from ticket" \
1742 -s "a session has been resumed" \
1743 -c "a session has been resumed"
1744
1745run_test "Session resume using cache, DTLS: timeout > delay" \
1746 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1747 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
1748 0 \
1749 -s "session successfully restored from cache" \
1750 -S "session successfully restored from ticket" \
1751 -s "a session has been resumed" \
1752 -c "a session has been resumed"
1753
1754run_test "Session resume using cache, DTLS: timeout < delay" \
1755 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
1756 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
1757 0 \
1758 -S "session successfully restored from cache" \
1759 -S "session successfully restored from ticket" \
1760 -S "a session has been resumed" \
1761 -C "a session has been resumed"
1762
1763run_test "Session resume using cache, DTLS: no timeout" \
1764 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
1765 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
1766 0 \
1767 -s "session successfully restored from cache" \
1768 -S "session successfully restored from ticket" \
1769 -s "a session has been resumed" \
1770 -c "a session has been resumed"
1771
1772run_test "Session resume using cache, DTLS: openssl client" \
1773 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1774 "( $O_CLI -dtls1 -sess_out $SESSION; \
1775 $O_CLI -dtls1 -sess_in $SESSION; \
1776 rm -f $SESSION )" \
1777 0 \
1778 -s "found session ticket extension" \
1779 -S "server hello, adding session ticket extension" \
1780 -s "session successfully restored from cache" \
1781 -S "session successfully restored from ticket" \
1782 -s "a session has been resumed"
1783
1784run_test "Session resume using cache, DTLS: openssl server" \
1785 "$O_SRV -dtls1" \
1786 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1787 0 \
1788 -C "found session_ticket extension" \
1789 -C "parse new session ticket" \
1790 -c "a session has been resumed"
1791
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1792# Tests for Max Fragment Length extension
1793
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1794if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
1795 printf "${CONFIG_H} defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n"
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]1796 exit 1
1797fi
1798
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1799if [ $MAX_CONTENT_LEN -ne 16384 ]; then
1800 printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
1801fi
1802
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1803requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1804run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1805 "$P_SRV debug_level=3" \
1806 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1807 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1808 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
1809 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1810 -C "client hello, adding max_fragment_length extension" \
1811 -S "found max fragment length extension" \
1812 -S "server hello, max_fragment_length extension" \
1813 -C "found max_fragment_length extension"
1814
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1815requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1816run_test "Max fragment length: enabled, default, larger message" \
1817 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1818 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1819 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1820 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
1821 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1822 -C "client hello, adding max_fragment_length extension" \
1823 -S "found max fragment length extension" \
1824 -S "server hello, max_fragment_length extension" \
1825 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1826 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
1827 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1828 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1829
1830requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1831run_test "Max fragment length, DTLS: enabled, default, larger message" \
1832 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1833 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1834 1 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1835 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
1836 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1837 -C "client hello, adding max_fragment_length extension" \
1838 -S "found max fragment length extension" \
1839 -S "server hello, max_fragment_length extension" \
1840 -C "found max_fragment_length extension" \
1841 -c "fragment larger than.*maximum "
1842
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1843# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
1844# (session fragment length will be 16384 regardless of mbedtls
1845# content length configuration.)
1846
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1847requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1848run_test "Max fragment length: disabled, larger message" \
1849 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1850 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1851 0 \
1852 -C "Maximum fragment length is 16384" \
1853 -S "Maximum fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1854 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
1855 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1856 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1857
1858requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1859run_test "Max fragment length DTLS: disabled, larger message" \
1860 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1861 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1862 1 \
1863 -C "Maximum fragment length is 16384" \
1864 -S "Maximum fragment length is 16384" \
1865 -c "fragment larger than.*maximum "
1866
1867requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1868run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1869 "$P_SRV debug_level=3" \
1870 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1871 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1872 -c "Maximum fragment length is 4096" \
1873 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1874 -c "client hello, adding max_fragment_length extension" \
1875 -s "found max fragment length extension" \
1876 -s "server hello, max_fragment_length extension" \
1877 -c "found max_fragment_length extension"
1878
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1879requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1880run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1881 "$P_SRV debug_level=3 max_frag_len=4096" \
1882 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1883 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1884 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1885 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1886 -C "client hello, adding max_fragment_length extension" \
1887 -S "found max fragment length extension" \
1888 -S "server hello, max_fragment_length extension" \
1889 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1890
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1891requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1892requires_gnutls
1893run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1894 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1895 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1896 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1897 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1898 -c "client hello, adding max_fragment_length extension" \
1899 -c "found max_fragment_length extension"
1900
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1901requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1902run_test "Max fragment length: client, message just fits" \
1903 "$P_SRV debug_level=3" \
1904 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1905 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1906 -c "Maximum fragment length is 2048" \
1907 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1908 -c "client hello, adding max_fragment_length extension" \
1909 -s "found max fragment length extension" \
1910 -s "server hello, max_fragment_length extension" \
1911 -c "found max_fragment_length extension" \
1912 -c "2048 bytes written in 1 fragments" \
1913 -s "2048 bytes read"
1914
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1915requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1916run_test "Max fragment length: client, larger message" \
1917 "$P_SRV debug_level=3" \
1918 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1919 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1920 -c "Maximum fragment length is 2048" \
1921 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1922 -c "client hello, adding max_fragment_length extension" \
1923 -s "found max fragment length extension" \
1924 -s "server hello, max_fragment_length extension" \
1925 -c "found max_fragment_length extension" \
1926 -c "2345 bytes written in 2 fragments" \
1927 -s "2048 bytes read" \
1928 -s "297 bytes read"
1929
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1930requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1931run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1932 "$P_SRV debug_level=3 dtls=1" \
1933 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1934 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1935 -c "Maximum fragment length is 2048" \
1936 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1937 -c "client hello, adding max_fragment_length extension" \
1938 -s "found max fragment length extension" \
1939 -s "server hello, max_fragment_length extension" \
1940 -c "found max_fragment_length extension" \
1941 -c "fragment larger than.*maximum"
1942
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1943# Tests for renegotiation
1944
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1945# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1946run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1947 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1948 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1949 0 \
1950 -C "client hello, adding renegotiation extension" \
1951 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1952 -S "found renegotiation extension" \
1953 -s "server hello, secure renegotiation extension" \
1954 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1955 -C "=> renegotiate" \
1956 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1957 -S "write hello request"
1958
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1959requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1960run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1961 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1962 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1963 0 \
1964 -c "client hello, adding renegotiation extension" \
1965 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1966 -s "found renegotiation extension" \
1967 -s "server hello, secure renegotiation extension" \
1968 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1969 -c "=> renegotiate" \
1970 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1971 -S "write hello request"
1972
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1973requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1974run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1975 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1976 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1977 0 \
1978 -c "client hello, adding renegotiation extension" \
1979 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1980 -s "found renegotiation extension" \
1981 -s "server hello, secure renegotiation extension" \
1982 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1983 -c "=> renegotiate" \
1984 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1985 -s "write hello request"
1986
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1987# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1988# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1989# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1990requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1991run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1992 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1993 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1994 0 \
1995 -c "client hello, adding renegotiation extension" \
1996 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1997 -s "found renegotiation extension" \
1998 -s "server hello, secure renegotiation extension" \
1999 -c "found renegotiation extension" \
2000 -c "=> renegotiate" \
2001 -s "=> renegotiate" \
2002 -S "write hello request" \
2003 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
2004
2005# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
2006# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
2007# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2008requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]2009run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
2010 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
2011 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
2012 0 \
2013 -c "client hello, adding renegotiation extension" \
2014 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2015 -s "found renegotiation extension" \
2016 -s "server hello, secure renegotiation extension" \
2017 -c "found renegotiation extension" \
2018 -c "=> renegotiate" \
2019 -s "=> renegotiate" \
2020 -s "write hello request" \
2021 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
2022
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2023requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2024run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2025 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2026 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2027 0 \
2028 -c "client hello, adding renegotiation extension" \
2029 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2030 -s "found renegotiation extension" \
2031 -s "server hello, secure renegotiation extension" \
2032 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2033 -c "=> renegotiate" \
2034 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2035 -s "write hello request"
2036
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2037requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2038run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2039 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2040 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2041 1 \
2042 -c "client hello, adding renegotiation extension" \
2043 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2044 -S "found renegotiation extension" \
2045 -s "server hello, secure renegotiation extension" \
2046 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2047 -c "=> renegotiate" \
2048 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2049 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]2050 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2051 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2052
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2053requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2054run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2055 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2056 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2057 0 \
2058 -C "client hello, adding renegotiation extension" \
2059 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2060 -S "found renegotiation extension" \
2061 -s "server hello, secure renegotiation extension" \
2062 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2063 -C "=> renegotiate" \
2064 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2065 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]2066 -S "SSL - An unexpected message was received from our peer" \
2067 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2068
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2069requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2070run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2071 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2072 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2073 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2074 0 \
2075 -C "client hello, adding renegotiation extension" \
2076 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2077 -S "found renegotiation extension" \
2078 -s "server hello, secure renegotiation extension" \
2079 -c "found renegotiation extension" \
2080 -C "=> renegotiate" \
2081 -S "=> renegotiate" \
2082 -s "write hello request" \
2083 -S "SSL - An unexpected message was received from our peer" \
2084 -S "failed"
2085
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]2086# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2087requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2088run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2089 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2090 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2091 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2092 0 \
2093 -C "client hello, adding renegotiation extension" \
2094 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2095 -S "found renegotiation extension" \
2096 -s "server hello, secure renegotiation extension" \
2097 -c "found renegotiation extension" \
2098 -C "=> renegotiate" \
2099 -S "=> renegotiate" \
2100 -s "write hello request" \
2101 -S "SSL - An unexpected message was received from our peer" \
2102 -S "failed"
2103
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2104requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2105run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2106 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2107 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2108 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2109 0 \
2110 -C "client hello, adding renegotiation extension" \
2111 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2112 -S "found renegotiation extension" \
2113 -s "server hello, secure renegotiation extension" \
2114 -c "found renegotiation extension" \
2115 -C "=> renegotiate" \
2116 -S "=> renegotiate" \
2117 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]2118 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2119
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2120requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2121run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2122 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2123 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2124 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2125 0 \
2126 -c "client hello, adding renegotiation extension" \
2127 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2128 -s "found renegotiation extension" \
2129 -s "server hello, secure renegotiation extension" \
2130 -c "found renegotiation extension" \
2131 -c "=> renegotiate" \
2132 -s "=> renegotiate" \
2133 -s "write hello request" \
2134 -S "SSL - An unexpected message was received from our peer" \
2135 -S "failed"
2136
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2137requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2138run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2139 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2140 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
2141 0 \
2142 -C "client hello, adding renegotiation extension" \
2143 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2144 -S "found renegotiation extension" \
2145 -s "server hello, secure renegotiation extension" \
2146 -c "found renegotiation extension" \
2147 -S "record counter limit reached: renegotiate" \
2148 -C "=> renegotiate" \
2149 -S "=> renegotiate" \
2150 -S "write hello request" \
2151 -S "SSL - An unexpected message was received from our peer" \
2152 -S "failed"
2153
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2154# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2155requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2156run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2157 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2158 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2159 0 \
2160 -c "client hello, adding renegotiation extension" \
2161 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2162 -s "found renegotiation extension" \
2163 -s "server hello, secure renegotiation extension" \
2164 -c "found renegotiation extension" \
2165 -s "record counter limit reached: renegotiate" \
2166 -c "=> renegotiate" \
2167 -s "=> renegotiate" \
2168 -s "write hello request" \
2169 -S "SSL - An unexpected message was received from our peer" \
2170 -S "failed"
2171
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2172requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2173run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2174 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2175 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2176 0 \
2177 -c "client hello, adding renegotiation extension" \
2178 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2179 -s "found renegotiation extension" \
2180 -s "server hello, secure renegotiation extension" \
2181 -c "found renegotiation extension" \
2182 -s "record counter limit reached: renegotiate" \
2183 -c "=> renegotiate" \
2184 -s "=> renegotiate" \
2185 -s "write hello request" \
2186 -S "SSL - An unexpected message was received from our peer" \
2187 -S "failed"
2188
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2189requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2190run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2191 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2192 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
2193 0 \
2194 -C "client hello, adding renegotiation extension" \
2195 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2196 -S "found renegotiation extension" \
2197 -s "server hello, secure renegotiation extension" \
2198 -c "found renegotiation extension" \
2199 -S "record counter limit reached: renegotiate" \
2200 -C "=> renegotiate" \
2201 -S "=> renegotiate" \
2202 -S "write hello request" \
2203 -S "SSL - An unexpected message was received from our peer" \
2204 -S "failed"
2205
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2206requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2207run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2208 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2209 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2210 0 \
2211 -c "client hello, adding renegotiation extension" \
2212 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2213 -s "found renegotiation extension" \
2214 -s "server hello, secure renegotiation extension" \
2215 -c "found renegotiation extension" \
2216 -c "=> renegotiate" \
2217 -s "=> renegotiate" \
2218 -S "write hello request"
2219
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2220requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2221run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2222 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2223 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2224 0 \
2225 -c "client hello, adding renegotiation extension" \
2226 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2227 -s "found renegotiation extension" \
2228 -s "server hello, secure renegotiation extension" \
2229 -c "found renegotiation extension" \
2230 -c "=> renegotiate" \
2231 -s "=> renegotiate" \
2232 -s "write hello request"
2233
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2234requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2235run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]2236 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2237 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2238 0 \
2239 -c "client hello, adding renegotiation extension" \
2240 -c "found renegotiation extension" \
2241 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2242 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2243 -C "error" \
2244 -c "HTTP/1.0 200 [Oo][Kk]"
2245
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2246requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2247requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2248run_test "Renegotiation: gnutls server strict, client-initiated" \
2249 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2250 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2251 0 \
2252 -c "client hello, adding renegotiation extension" \
2253 -c "found renegotiation extension" \
2254 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2255 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2256 -C "error" \
2257 -c "HTTP/1.0 200 [Oo][Kk]"
2258
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2259requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2260requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2261run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
2262 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2263 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
2264 1 \
2265 -c "client hello, adding renegotiation extension" \
2266 -C "found renegotiation extension" \
2267 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2268 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2269 -c "error" \
2270 -C "HTTP/1.0 200 [Oo][Kk]"
2271
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2272requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2273requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2274run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
2275 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2276 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2277 allow_legacy=0" \
2278 1 \
2279 -c "client hello, adding renegotiation extension" \
2280 -C "found renegotiation extension" \
2281 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2282 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2283 -c "error" \
2284 -C "HTTP/1.0 200 [Oo][Kk]"
2285
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2286requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2287requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2288run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
2289 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2290 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2291 allow_legacy=1" \
2292 0 \
2293 -c "client hello, adding renegotiation extension" \
2294 -C "found renegotiation extension" \
2295 -c "=> renegotiate" \
2296 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2297 -C "error" \
2298 -c "HTTP/1.0 200 [Oo][Kk]"
2299
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2300requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]2301run_test "Renegotiation: DTLS, client-initiated" \
2302 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
2303 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
2304 0 \
2305 -c "client hello, adding renegotiation extension" \
2306 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2307 -s "found renegotiation extension" \
2308 -s "server hello, secure renegotiation extension" \
2309 -c "found renegotiation extension" \
2310 -c "=> renegotiate" \
2311 -s "=> renegotiate" \
2312 -S "write hello request"
2313
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2314requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2315run_test "Renegotiation: DTLS, server-initiated" \
2316 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]2317 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
2318 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2319 0 \
2320 -c "client hello, adding renegotiation extension" \
2321 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2322 -s "found renegotiation extension" \
2323 -s "server hello, secure renegotiation extension" \
2324 -c "found renegotiation extension" \
2325 -c "=> renegotiate" \
2326 -s "=> renegotiate" \
2327 -s "write hello request"
2328
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2329requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]2330run_test "Renegotiation: DTLS, renego_period overflow" \
2331 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
2332 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
2333 0 \
2334 -c "client hello, adding renegotiation extension" \
2335 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2336 -s "found renegotiation extension" \
2337 -s "server hello, secure renegotiation extension" \
2338 -s "record counter limit reached: renegotiate" \
2339 -c "=> renegotiate" \
2340 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2341 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]2342
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]2343requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2344requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2345run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
2346 "$G_SRV -u --mtu 4096" \
2347 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
2348 0 \
2349 -c "client hello, adding renegotiation extension" \
2350 -c "found renegotiation extension" \
2351 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2352 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2353 -C "error" \
2354 -s "Extra-header:"
2355
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2356# Test for the "secure renegotation" extension only (no actual renegotiation)
2357
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2358requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2359run_test "Renego ext: gnutls server strict, client default" \
2360 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
2361 "$P_CLI debug_level=3" \
2362 0 \
2363 -c "found renegotiation extension" \
2364 -C "error" \
2365 -c "HTTP/1.0 200 [Oo][Kk]"
2366
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2367requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2368run_test "Renego ext: gnutls server unsafe, client default" \
2369 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2370 "$P_CLI debug_level=3" \
2371 0 \
2372 -C "found renegotiation extension" \
2373 -C "error" \
2374 -c "HTTP/1.0 200 [Oo][Kk]"
2375
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2376requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2377run_test "Renego ext: gnutls server unsafe, client break legacy" \
2378 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2379 "$P_CLI debug_level=3 allow_legacy=-1" \
2380 1 \
2381 -C "found renegotiation extension" \
2382 -c "error" \
2383 -C "HTTP/1.0 200 [Oo][Kk]"
2384
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2385requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2386run_test "Renego ext: gnutls client strict, server default" \
2387 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2388 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2389 0 \
2390 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2391 -s "server hello, secure renegotiation extension"
2392
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2393requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2394run_test "Renego ext: gnutls client unsafe, server default" \
2395 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2396 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2397 0 \
2398 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2399 -S "server hello, secure renegotiation extension"
2400
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2401requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2402run_test "Renego ext: gnutls client unsafe, server break legacy" \
2403 "$P_SRV debug_level=3 allow_legacy=-1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2404 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2405 1 \
2406 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2407 -S "server hello, secure renegotiation extension"
2408
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2409# Tests for silently dropping trailing extra bytes in .der certificates
2410
2411requires_gnutls
2412run_test "DER format: no trailing bytes" \
2413 "$P_SRV crt_file=data_files/server5-der0.crt \
2414 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2415 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2416 0 \
2417 -c "Handshake was completed" \
2418
2419requires_gnutls
2420run_test "DER format: with a trailing zero byte" \
2421 "$P_SRV crt_file=data_files/server5-der1a.crt \
2422 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2423 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2424 0 \
2425 -c "Handshake was completed" \
2426
2427requires_gnutls
2428run_test "DER format: with a trailing random byte" \
2429 "$P_SRV crt_file=data_files/server5-der1b.crt \
2430 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2431 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2432 0 \
2433 -c "Handshake was completed" \
2434
2435requires_gnutls
2436run_test "DER format: with 2 trailing random bytes" \
2437 "$P_SRV crt_file=data_files/server5-der2.crt \
2438 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2439 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2440 0 \
2441 -c "Handshake was completed" \
2442
2443requires_gnutls
2444run_test "DER format: with 4 trailing random bytes" \
2445 "$P_SRV crt_file=data_files/server5-der4.crt \
2446 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2447 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2448 0 \
2449 -c "Handshake was completed" \
2450
2451requires_gnutls
2452run_test "DER format: with 8 trailing random bytes" \
2453 "$P_SRV crt_file=data_files/server5-der8.crt \
2454 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2455 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2456 0 \
2457 -c "Handshake was completed" \
2458
2459requires_gnutls
2460run_test "DER format: with 9 trailing random bytes" \
2461 "$P_SRV crt_file=data_files/server5-der9.crt \
2462 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]2463 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2464 0 \
2465 -c "Handshake was completed" \
2466
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2467# Tests for auth_mode
2468
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2469run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2470 "$P_SRV crt_file=data_files/server5-badsign.crt \
2471 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2472 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2473 1 \
2474 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2475 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2476 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2477 -c "X509 - Certificate verification failed"
2478
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2479run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2480 "$P_SRV crt_file=data_files/server5-badsign.crt \
2481 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2482 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2483 0 \
2484 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2485 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2486 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2487 -C "X509 - Certificate verification failed"
2488
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]2489run_test "Authentication: server goodcert, client optional, no trusted CA" \
2490 "$P_SRV" \
2491 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2492 0 \
2493 -c "x509_verify_cert() returned" \
2494 -c "! The certificate is not correctly signed by the trusted CA" \
2495 -c "! Certificate verification flags"\
2496 -C "! mbedtls_ssl_handshake returned" \
2497 -C "X509 - Certificate verification failed" \
2498 -C "SSL - No CA Chain is set, but required to operate"
2499
2500run_test "Authentication: server goodcert, client required, no trusted CA" \
2501 "$P_SRV" \
2502 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2503 1 \
2504 -c "x509_verify_cert() returned" \
2505 -c "! The certificate is not correctly signed by the trusted CA" \
2506 -c "! Certificate verification flags"\
2507 -c "! mbedtls_ssl_handshake returned" \
2508 -c "SSL - No CA Chain is set, but required to operate"
2509
2510# The purpose of the next two tests is to test the client's behaviour when receiving a server
2511# certificate with an unsupported elliptic curve. This should usually not happen because
2512# the client informs the server about the supported curves - it does, though, in the
2513# corner case of a static ECDH suite, because the server doesn't check the curve on that
2514# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
2515# different means to have the server ignoring the client's supported curve list.
2516
2517requires_config_enabled MBEDTLS_ECP_C
2518run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2519 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2520 crt_file=data_files/server5.ku-ka.crt" \
2521 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2522 1 \
2523 -c "bad certificate (EC key curve)"\
2524 -c "! Certificate verification flags"\
2525 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2526
2527requires_config_enabled MBEDTLS_ECP_C
2528run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2529 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2530 crt_file=data_files/server5.ku-ka.crt" \
2531 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2532 1 \
2533 -c "bad certificate (EC key curve)"\
2534 -c "! Certificate verification flags"\
2535 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2536
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2537run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2538 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2539 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2540 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2541 0 \
2542 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2543 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2544 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2545 -C "X509 - Certificate verification failed"
2546
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2547run_test "Authentication: client SHA256, server required" \
2548 "$P_SRV auth_mode=required" \
2549 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2550 key_file=data_files/server6.key \
2551 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
2552 0 \
2553 -c "Supported Signature Algorithm found: 4," \
2554 -c "Supported Signature Algorithm found: 5,"
2555
2556run_test "Authentication: client SHA384, server required" \
2557 "$P_SRV auth_mode=required" \
2558 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2559 key_file=data_files/server6.key \
2560 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2561 0 \
2562 -c "Supported Signature Algorithm found: 4," \
2563 -c "Supported Signature Algorithm found: 5,"
2564
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2565requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2566run_test "Authentication: client has no cert, server required (SSLv3)" \
2567 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2568 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2569 key_file=data_files/server5.key" \
2570 1 \
2571 -S "skip write certificate request" \
2572 -C "skip parse certificate request" \
2573 -c "got a certificate request" \
2574 -c "got no certificate to send" \
2575 -S "x509_verify_cert() returned" \
2576 -s "client has no certificate" \
2577 -s "! mbedtls_ssl_handshake returned" \
2578 -c "! mbedtls_ssl_handshake returned" \
2579 -s "No client certification received from the client, but required by the authentication mode"
2580
2581run_test "Authentication: client has no cert, server required (TLS)" \
2582 "$P_SRV debug_level=3 auth_mode=required" \
2583 "$P_CLI debug_level=3 crt_file=none \
2584 key_file=data_files/server5.key" \
2585 1 \
2586 -S "skip write certificate request" \
2587 -C "skip parse certificate request" \
2588 -c "got a certificate request" \
2589 -c "= write certificate$" \
2590 -C "skip write certificate$" \
2591 -S "x509_verify_cert() returned" \
2592 -s "client has no certificate" \
2593 -s "! mbedtls_ssl_handshake returned" \
2594 -c "! mbedtls_ssl_handshake returned" \
2595 -s "No client certification received from the client, but required by the authentication mode"
2596
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2597run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2598 "$P_SRV debug_level=3 auth_mode=required" \
2599 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2600 key_file=data_files/server5.key" \
2601 1 \
2602 -S "skip write certificate request" \
2603 -C "skip parse certificate request" \
2604 -c "got a certificate request" \
2605 -C "skip write certificate" \
2606 -C "skip write certificate verify" \
2607 -S "skip parse certificate verify" \
2608 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2609 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2610 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2611 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2612 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2613 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2614# We don't check that the client receives the alert because it might
2615# detect that its write end of the connection is closed and abort
2616# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2617
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2618run_test "Authentication: client cert not trusted, server required" \
2619 "$P_SRV debug_level=3 auth_mode=required" \
2620 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2621 key_file=data_files/server5.key" \
2622 1 \
2623 -S "skip write certificate request" \
2624 -C "skip parse certificate request" \
2625 -c "got a certificate request" \
2626 -C "skip write certificate" \
2627 -C "skip write certificate verify" \
2628 -S "skip parse certificate verify" \
2629 -s "x509_verify_cert() returned" \
2630 -s "! The certificate is not correctly signed by the trusted CA" \
2631 -s "! mbedtls_ssl_handshake returned" \
2632 -c "! mbedtls_ssl_handshake returned" \
2633 -s "X509 - Certificate verification failed"
2634
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2635run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2636 "$P_SRV debug_level=3 auth_mode=optional" \
2637 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2638 key_file=data_files/server5.key" \
2639 0 \
2640 -S "skip write certificate request" \
2641 -C "skip parse certificate request" \
2642 -c "got a certificate request" \
2643 -C "skip write certificate" \
2644 -C "skip write certificate verify" \
2645 -S "skip parse certificate verify" \
2646 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2647 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2648 -S "! mbedtls_ssl_handshake returned" \
2649 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2650 -S "X509 - Certificate verification failed"
2651
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2652run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2653 "$P_SRV debug_level=3 auth_mode=none" \
2654 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2655 key_file=data_files/server5.key" \
2656 0 \
2657 -s "skip write certificate request" \
2658 -C "skip parse certificate request" \
2659 -c "got no certificate request" \
2660 -c "skip write certificate" \
2661 -c "skip write certificate verify" \
2662 -s "skip parse certificate verify" \
2663 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2664 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2665 -S "! mbedtls_ssl_handshake returned" \
2666 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2667 -S "X509 - Certificate verification failed"
2668
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2669run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2670 "$P_SRV debug_level=3 auth_mode=optional" \
2671 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2672 0 \
2673 -S "skip write certificate request" \
2674 -C "skip parse certificate request" \
2675 -c "got a certificate request" \
2676 -C "skip write certificate$" \
2677 -C "got no certificate to send" \
2678 -S "SSLv3 client has no certificate" \
2679 -c "skip write certificate verify" \
2680 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2681 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2682 -S "! mbedtls_ssl_handshake returned" \
2683 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2684 -S "X509 - Certificate verification failed"
2685
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2686run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2687 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2688 "$O_CLI" \
2689 0 \
2690 -S "skip write certificate request" \
2691 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2692 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2693 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2694 -S "X509 - Certificate verification failed"
2695
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2696run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2697 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2698 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2699 0 \
2700 -C "skip parse certificate request" \
2701 -c "got a certificate request" \
2702 -C "skip write certificate$" \
2703 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2704 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2705
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2706run_test "Authentication: client no cert, openssl server required" \
2707 "$O_SRV -Verify 10" \
2708 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2709 1 \
2710 -C "skip parse certificate request" \
2711 -c "got a certificate request" \
2712 -C "skip write certificate$" \
2713 -c "skip write certificate verify" \
2714 -c "! mbedtls_ssl_handshake returned"
2715
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2716requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2717run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2718 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2719 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2720 0 \
2721 -S "skip write certificate request" \
2722 -C "skip parse certificate request" \
2723 -c "got a certificate request" \
2724 -C "skip write certificate$" \
2725 -c "skip write certificate verify" \
2726 -c "got no certificate to send" \
2727 -s "SSLv3 client has no certificate" \
2728 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2729 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2730 -S "! mbedtls_ssl_handshake returned" \
2731 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2732 -S "X509 - Certificate verification failed"
2733
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2734# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2735# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2736
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2737MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2738MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2739
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2740if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2741 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2742 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2743 printf "test value of ${MAX_IM_CA}. \n"
2744 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2745 printf "The tests assume this value and if it changes, the tests in this\n"
2746 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2747 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2748
2749 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2750fi
2751
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2752requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2753run_test "Authentication: server max_int chain, client default" \
2754 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2755 key_file=data_files/dir-maxpath/09.key" \
2756 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2757 0 \
2758 -C "X509 - A fatal error occured"
2759
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2760requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2761run_test "Authentication: server max_int+1 chain, client default" \
2762 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2763 key_file=data_files/dir-maxpath/10.key" \
2764 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2765 1 \
2766 -c "X509 - A fatal error occured"
2767
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2768requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2769run_test "Authentication: server max_int+1 chain, client optional" \
2770 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2771 key_file=data_files/dir-maxpath/10.key" \
2772 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2773 auth_mode=optional" \
2774 1 \
2775 -c "X509 - A fatal error occured"
2776
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2777requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2778run_test "Authentication: server max_int+1 chain, client none" \
2779 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2780 key_file=data_files/dir-maxpath/10.key" \
2781 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2782 auth_mode=none" \
2783 0 \
2784 -C "X509 - A fatal error occured"
2785
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2786requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2787run_test "Authentication: client max_int+1 chain, server default" \
2788 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2789 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2790 key_file=data_files/dir-maxpath/10.key" \
2791 0 \
2792 -S "X509 - A fatal error occured"
2793
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2794requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2795run_test "Authentication: client max_int+1 chain, server optional" \
2796 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2797 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2798 key_file=data_files/dir-maxpath/10.key" \
2799 1 \
2800 -s "X509 - A fatal error occured"
2801
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2802requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2803run_test "Authentication: client max_int+1 chain, server required" \
2804 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2805 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2806 key_file=data_files/dir-maxpath/10.key" \
2807 1 \
2808 -s "X509 - A fatal error occured"
2809
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2810requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2811run_test "Authentication: client max_int chain, server required" \
2812 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2813 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2814 key_file=data_files/dir-maxpath/09.key" \
2815 0 \
2816 -S "X509 - A fatal error occured"
2817
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2818# Tests for CA list in CertificateRequest messages
2819
2820run_test "Authentication: send CA list in CertificateRequest (default)" \
2821 "$P_SRV debug_level=3 auth_mode=required" \
2822 "$P_CLI crt_file=data_files/server6.crt \
2823 key_file=data_files/server6.key" \
2824 0 \
2825 -s "requested DN"
2826
2827run_test "Authentication: do not send CA list in CertificateRequest" \
2828 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2829 "$P_CLI crt_file=data_files/server6.crt \
2830 key_file=data_files/server6.key" \
2831 0 \
2832 -S "requested DN"
2833
2834run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2835 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2836 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2837 key_file=data_files/server5.key" \
2838 1 \
2839 -S "requested DN" \
2840 -s "x509_verify_cert() returned" \
2841 -s "! The certificate is not correctly signed by the trusted CA" \
2842 -s "! mbedtls_ssl_handshake returned" \
2843 -c "! mbedtls_ssl_handshake returned" \
2844 -s "X509 - Certificate verification failed"
2845
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2846# Tests for certificate selection based on SHA verson
2847
2848run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2849 "$P_SRV crt_file=data_files/server5.crt \
2850 key_file=data_files/server5.key \
2851 crt_file2=data_files/server5-sha1.crt \
2852 key_file2=data_files/server5.key" \
2853 "$P_CLI force_version=tls1_2" \
2854 0 \
2855 -c "signed using.*ECDSA with SHA256" \
2856 -C "signed using.*ECDSA with SHA1"
2857
2858run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2859 "$P_SRV crt_file=data_files/server5.crt \
2860 key_file=data_files/server5.key \
2861 crt_file2=data_files/server5-sha1.crt \
2862 key_file2=data_files/server5.key" \
2863 "$P_CLI force_version=tls1_1" \
2864 0 \
2865 -C "signed using.*ECDSA with SHA256" \
2866 -c "signed using.*ECDSA with SHA1"
2867
2868run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2869 "$P_SRV crt_file=data_files/server5.crt \
2870 key_file=data_files/server5.key \
2871 crt_file2=data_files/server5-sha1.crt \
2872 key_file2=data_files/server5.key" \
2873 "$P_CLI force_version=tls1" \
2874 0 \
2875 -C "signed using.*ECDSA with SHA256" \
2876 -c "signed using.*ECDSA with SHA1"
2877
2878run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2879 "$P_SRV crt_file=data_files/server5.crt \
2880 key_file=data_files/server5.key \
2881 crt_file2=data_files/server6.crt \
2882 key_file2=data_files/server6.key" \
2883 "$P_CLI force_version=tls1_1" \
2884 0 \
2885 -c "serial number.*09" \
2886 -c "signed using.*ECDSA with SHA256" \
2887 -C "signed using.*ECDSA with SHA1"
2888
2889run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2890 "$P_SRV crt_file=data_files/server6.crt \
2891 key_file=data_files/server6.key \
2892 crt_file2=data_files/server5.crt \
2893 key_file2=data_files/server5.key" \
2894 "$P_CLI force_version=tls1_1" \
2895 0 \
2896 -c "serial number.*0A" \
2897 -c "signed using.*ECDSA with SHA256" \
2898 -C "signed using.*ECDSA with SHA1"
2899
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2900# tests for SNI
2901
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2902run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2903 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2904 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2905 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2906 0 \
2907 -S "parse ServerName extension" \
2908 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2909 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2910
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2911run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2912 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2913 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2914 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2915 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2916 0 \
2917 -s "parse ServerName extension" \
2918 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2919 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2920
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2921run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2922 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2923 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2924 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2925 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2926 0 \
2927 -s "parse ServerName extension" \
2928 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2929 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2930
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2931run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2932 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2933 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2934 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2935 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2936 1 \
2937 -s "parse ServerName extension" \
2938 -s "ssl_sni_wrapper() returned" \
2939 -s "mbedtls_ssl_handshake returned" \
2940 -c "mbedtls_ssl_handshake returned" \
2941 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2942
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2943run_test "SNI: client auth no override: optional" \
2944 "$P_SRV debug_level=3 auth_mode=optional \
2945 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2946 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2947 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2948 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2949 -S "skip write certificate request" \
2950 -C "skip parse certificate request" \
2951 -c "got a certificate request" \
2952 -C "skip write certificate" \
2953 -C "skip write certificate verify" \
2954 -S "skip parse certificate verify"
2955
2956run_test "SNI: client auth override: none -> optional" \
2957 "$P_SRV debug_level=3 auth_mode=none \
2958 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2959 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2960 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2961 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2962 -S "skip write certificate request" \
2963 -C "skip parse certificate request" \
2964 -c "got a certificate request" \
2965 -C "skip write certificate" \
2966 -C "skip write certificate verify" \
2967 -S "skip parse certificate verify"
2968
2969run_test "SNI: client auth override: optional -> none" \
2970 "$P_SRV debug_level=3 auth_mode=optional \
2971 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2972 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2973 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2974 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2975 -s "skip write certificate request" \
2976 -C "skip parse certificate request" \
2977 -c "got no certificate request" \
2978 -c "skip write certificate" \
2979 -c "skip write certificate verify" \
2980 -s "skip parse certificate verify"
2981
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2982run_test "SNI: CA no override" \
2983 "$P_SRV debug_level=3 auth_mode=optional \
2984 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2985 ca_file=data_files/test-ca.crt \
2986 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2987 "$P_CLI debug_level=3 server_name=localhost \
2988 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2989 1 \
2990 -S "skip write certificate request" \
2991 -C "skip parse certificate request" \
2992 -c "got a certificate request" \
2993 -C "skip write certificate" \
2994 -C "skip write certificate verify" \
2995 -S "skip parse certificate verify" \
2996 -s "x509_verify_cert() returned" \
2997 -s "! The certificate is not correctly signed by the trusted CA" \
2998 -S "The certificate has been revoked (is on a CRL)"
2999
3000run_test "SNI: CA override" \
3001 "$P_SRV debug_level=3 auth_mode=optional \
3002 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3003 ca_file=data_files/test-ca.crt \
3004 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
3005 "$P_CLI debug_level=3 server_name=localhost \
3006 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3007 0 \
3008 -S "skip write certificate request" \
3009 -C "skip parse certificate request" \
3010 -c "got a certificate request" \
3011 -C "skip write certificate" \
3012 -C "skip write certificate verify" \
3013 -S "skip parse certificate verify" \
3014 -S "x509_verify_cert() returned" \
3015 -S "! The certificate is not correctly signed by the trusted CA" \
3016 -S "The certificate has been revoked (is on a CRL)"
3017
3018run_test "SNI: CA override with CRL" \
3019 "$P_SRV debug_level=3 auth_mode=optional \
3020 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3021 ca_file=data_files/test-ca.crt \
3022 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
3023 "$P_CLI debug_level=3 server_name=localhost \
3024 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3025 1 \
3026 -S "skip write certificate request" \
3027 -C "skip parse certificate request" \
3028 -c "got a certificate request" \
3029 -C "skip write certificate" \
3030 -C "skip write certificate verify" \
3031 -S "skip parse certificate verify" \
3032 -s "x509_verify_cert() returned" \
3033 -S "! The certificate is not correctly signed by the trusted CA" \
3034 -s "The certificate has been revoked (is on a CRL)"
3035
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]3036# Tests for SNI and DTLS
3037
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]3038run_test "SNI: DTLS, no SNI callback" \
3039 "$P_SRV debug_level=3 dtls=1 \
3040 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
3041 "$P_CLI server_name=localhost dtls=1" \
3042 0 \
3043 -S "parse ServerName extension" \
3044 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
3045 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
3046
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]3047run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]3048 "$P_SRV debug_level=3 dtls=1 \
3049 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3050 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
3051 "$P_CLI server_name=localhost dtls=1" \
3052 0 \
3053 -s "parse ServerName extension" \
3054 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
3055 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
3056
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]3057run_test "SNI: DTLS, matching cert 2" \
3058 "$P_SRV debug_level=3 dtls=1 \
3059 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3060 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
3061 "$P_CLI server_name=polarssl.example dtls=1" \
3062 0 \
3063 -s "parse ServerName extension" \
3064 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
3065 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
3066
3067run_test "SNI: DTLS, no matching cert" \
3068 "$P_SRV debug_level=3 dtls=1 \
3069 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3070 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
3071 "$P_CLI server_name=nonesuch.example dtls=1" \
3072 1 \
3073 -s "parse ServerName extension" \
3074 -s "ssl_sni_wrapper() returned" \
3075 -s "mbedtls_ssl_handshake returned" \
3076 -c "mbedtls_ssl_handshake returned" \
3077 -c "SSL - A fatal alert message was received from our peer"
3078
3079run_test "SNI: DTLS, client auth no override: optional" \
3080 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3081 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3082 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
3083 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
3084 0 \
3085 -S "skip write certificate request" \
3086 -C "skip parse certificate request" \
3087 -c "got a certificate request" \
3088 -C "skip write certificate" \
3089 -C "skip write certificate verify" \
3090 -S "skip parse certificate verify"
3091
3092run_test "SNI: DTLS, client auth override: none -> optional" \
3093 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
3094 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3095 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
3096 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
3097 0 \
3098 -S "skip write certificate request" \
3099 -C "skip parse certificate request" \
3100 -c "got a certificate request" \
3101 -C "skip write certificate" \
3102 -C "skip write certificate verify" \
3103 -S "skip parse certificate verify"
3104
3105run_test "SNI: DTLS, client auth override: optional -> none" \
3106 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3107 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3108 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
3109 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
3110 0 \
3111 -s "skip write certificate request" \
3112 -C "skip parse certificate request" \
3113 -c "got no certificate request" \
3114 -c "skip write certificate" \
3115 -c "skip write certificate verify" \
3116 -s "skip parse certificate verify"
3117
3118run_test "SNI: DTLS, CA no override" \
3119 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3120 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3121 ca_file=data_files/test-ca.crt \
3122 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
3123 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3124 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3125 1 \
3126 -S "skip write certificate request" \
3127 -C "skip parse certificate request" \
3128 -c "got a certificate request" \
3129 -C "skip write certificate" \
3130 -C "skip write certificate verify" \
3131 -S "skip parse certificate verify" \
3132 -s "x509_verify_cert() returned" \
3133 -s "! The certificate is not correctly signed by the trusted CA" \
3134 -S "The certificate has been revoked (is on a CRL)"
3135
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]3136run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]3137 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3138 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3139 ca_file=data_files/test-ca.crt \
3140 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
3141 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3142 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3143 0 \
3144 -S "skip write certificate request" \
3145 -C "skip parse certificate request" \
3146 -c "got a certificate request" \
3147 -C "skip write certificate" \
3148 -C "skip write certificate verify" \
3149 -S "skip parse certificate verify" \
3150 -S "x509_verify_cert() returned" \
3151 -S "! The certificate is not correctly signed by the trusted CA" \
3152 -S "The certificate has been revoked (is on a CRL)"
3153
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]3154run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]3155 "$P_SRV debug_level=3 auth_mode=optional \
3156 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
3157 ca_file=data_files/test-ca.crt \
3158 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
3159 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3160 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3161 1 \
3162 -S "skip write certificate request" \
3163 -C "skip parse certificate request" \
3164 -c "got a certificate request" \
3165 -C "skip write certificate" \
3166 -C "skip write certificate verify" \
3167 -S "skip parse certificate verify" \
3168 -s "x509_verify_cert() returned" \
3169 -S "! The certificate is not correctly signed by the trusted CA" \
3170 -s "The certificate has been revoked (is on a CRL)"
3171
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3172# Tests for non-blocking I/O: exercise a variety of handshake flows
3173
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3174run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3175 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3176 "$P_CLI nbio=2 tickets=0" \
3177 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3178 -S "mbedtls_ssl_handshake returned" \
3179 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3180 -c "Read from server: .* bytes read"
3181
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3182run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3183 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
3184 "$P_CLI nbio=2 tickets=0" \
3185 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3186 -S "mbedtls_ssl_handshake returned" \
3187 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3188 -c "Read from server: .* bytes read"
3189
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3190run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3191 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3192 "$P_CLI nbio=2 tickets=1" \
3193 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3194 -S "mbedtls_ssl_handshake returned" \
3195 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3196 -c "Read from server: .* bytes read"
3197
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3198run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3199 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3200 "$P_CLI nbio=2 tickets=1" \
3201 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3202 -S "mbedtls_ssl_handshake returned" \
3203 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3204 -c "Read from server: .* bytes read"
3205
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3206run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3207 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3208 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3209 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3210 -S "mbedtls_ssl_handshake returned" \
3211 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3212 -c "Read from server: .* bytes read"
3213
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3214run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3215 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3216 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3217 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3218 -S "mbedtls_ssl_handshake returned" \
3219 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3220 -c "Read from server: .* bytes read"
3221
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3222run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3223 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3224 "$P_CLI nbio=2 tickets=0 reconnect=1" \
3225 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3226 -S "mbedtls_ssl_handshake returned" \
3227 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3228 -c "Read from server: .* bytes read"
3229
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]3230# Tests for event-driven I/O: exercise a variety of handshake flows
3231
3232run_test "Event-driven I/O: basic handshake" \
3233 "$P_SRV event=1 tickets=0 auth_mode=none" \
3234 "$P_CLI event=1 tickets=0" \
3235 0 \
3236 -S "mbedtls_ssl_handshake returned" \
3237 -C "mbedtls_ssl_handshake returned" \
3238 -c "Read from server: .* bytes read"
3239
3240run_test "Event-driven I/O: client auth" \
3241 "$P_SRV event=1 tickets=0 auth_mode=required" \
3242 "$P_CLI event=1 tickets=0" \
3243 0 \
3244 -S "mbedtls_ssl_handshake returned" \
3245 -C "mbedtls_ssl_handshake returned" \
3246 -c "Read from server: .* bytes read"
3247
3248run_test "Event-driven I/O: ticket" \
3249 "$P_SRV event=1 tickets=1 auth_mode=none" \
3250 "$P_CLI event=1 tickets=1" \
3251 0 \
3252 -S "mbedtls_ssl_handshake returned" \
3253 -C "mbedtls_ssl_handshake returned" \
3254 -c "Read from server: .* bytes read"
3255
3256run_test "Event-driven I/O: ticket + client auth" \
3257 "$P_SRV event=1 tickets=1 auth_mode=required" \
3258 "$P_CLI event=1 tickets=1" \
3259 0 \
3260 -S "mbedtls_ssl_handshake returned" \
3261 -C "mbedtls_ssl_handshake returned" \
3262 -c "Read from server: .* bytes read"
3263
3264run_test "Event-driven I/O: ticket + client auth + resume" \
3265 "$P_SRV event=1 tickets=1 auth_mode=required" \
3266 "$P_CLI event=1 tickets=1 reconnect=1" \
3267 0 \
3268 -S "mbedtls_ssl_handshake returned" \
3269 -C "mbedtls_ssl_handshake returned" \
3270 -c "Read from server: .* bytes read"
3271
3272run_test "Event-driven I/O: ticket + resume" \
3273 "$P_SRV event=1 tickets=1 auth_mode=none" \
3274 "$P_CLI event=1 tickets=1 reconnect=1" \
3275 0 \
3276 -S "mbedtls_ssl_handshake returned" \
3277 -C "mbedtls_ssl_handshake returned" \
3278 -c "Read from server: .* bytes read"
3279
3280run_test "Event-driven I/O: session-id resume" \
3281 "$P_SRV event=1 tickets=0 auth_mode=none" \
3282 "$P_CLI event=1 tickets=0 reconnect=1" \
3283 0 \
3284 -S "mbedtls_ssl_handshake returned" \
3285 -C "mbedtls_ssl_handshake returned" \
3286 -c "Read from server: .* bytes read"
3287
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]3288run_test "Event-driven I/O, DTLS: basic handshake" \
3289 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
3290 "$P_CLI dtls=1 event=1 tickets=0" \
3291 0 \
3292 -c "Read from server: .* bytes read"
3293
3294run_test "Event-driven I/O, DTLS: client auth" \
3295 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
3296 "$P_CLI dtls=1 event=1 tickets=0" \
3297 0 \
3298 -c "Read from server: .* bytes read"
3299
3300run_test "Event-driven I/O, DTLS: ticket" \
3301 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
3302 "$P_CLI dtls=1 event=1 tickets=1" \
3303 0 \
3304 -c "Read from server: .* bytes read"
3305
3306run_test "Event-driven I/O, DTLS: ticket + client auth" \
3307 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
3308 "$P_CLI dtls=1 event=1 tickets=1" \
3309 0 \
3310 -c "Read from server: .* bytes read"
3311
3312run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
3313 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
3314 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
3315 0 \
3316 -c "Read from server: .* bytes read"
3317
3318run_test "Event-driven I/O, DTLS: ticket + resume" \
3319 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
3320 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
3321 0 \
3322 -c "Read from server: .* bytes read"
3323
3324run_test "Event-driven I/O, DTLS: session-id resume" \
3325 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
3326 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
3327 0 \
3328 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]3329
3330# This test demonstrates the need for the mbedtls_ssl_check_pending function.
3331# During session resumption, the client will send its ApplicationData record
3332# within the same datagram as the Finished messages. In this situation, the
3333# server MUST NOT idle on the underlying transport after handshake completion,
3334# because the ApplicationData request has already been queued internally.
3335run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]3336 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]3337 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
3338 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
3339 0 \
3340 -c "Read from server: .* bytes read"
3341
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3342# Tests for version negotiation
3343
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3344run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3345 "$P_SRV" \
3346 "$P_CLI" \
3347 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3348 -S "mbedtls_ssl_handshake returned" \
3349 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3350 -s "Protocol is TLSv1.2" \
3351 -c "Protocol is TLSv1.2"
3352
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3353run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3354 "$P_SRV" \
3355 "$P_CLI max_version=tls1_1" \
3356 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3357 -S "mbedtls_ssl_handshake returned" \
3358 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3359 -s "Protocol is TLSv1.1" \
3360 -c "Protocol is TLSv1.1"
3361
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3362run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3363 "$P_SRV max_version=tls1_1" \
3364 "$P_CLI" \
3365 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3366 -S "mbedtls_ssl_handshake returned" \
3367 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3368 -s "Protocol is TLSv1.1" \
3369 -c "Protocol is TLSv1.1"
3370
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3371run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3372 "$P_SRV max_version=tls1_1" \
3373 "$P_CLI max_version=tls1_1" \
3374 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3375 -S "mbedtls_ssl_handshake returned" \
3376 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3377 -s "Protocol is TLSv1.1" \
3378 -c "Protocol is TLSv1.1"
3379
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3380run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3381 "$P_SRV min_version=tls1_1" \
3382 "$P_CLI max_version=tls1_1" \
3383 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3384 -S "mbedtls_ssl_handshake returned" \
3385 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3386 -s "Protocol is TLSv1.1" \
3387 -c "Protocol is TLSv1.1"
3388
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3389run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3390 "$P_SRV max_version=tls1_1" \
3391 "$P_CLI min_version=tls1_1" \
3392 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3393 -S "mbedtls_ssl_handshake returned" \
3394 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3395 -s "Protocol is TLSv1.1" \
3396 -c "Protocol is TLSv1.1"
3397
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3398run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3399 "$P_SRV max_version=tls1_1" \
3400 "$P_CLI min_version=tls1_2" \
3401 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3402 -s "mbedtls_ssl_handshake returned" \
3403 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3404 -c "SSL - Handshake protocol not within min/max boundaries"
3405
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3406run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3407 "$P_SRV min_version=tls1_2" \
3408 "$P_CLI max_version=tls1_1" \
3409 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3410 -s "mbedtls_ssl_handshake returned" \
3411 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3412 -s "SSL - Handshake protocol not within min/max boundaries"
3413
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3414# Tests for ALPN extension
3415
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3416run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3417 "$P_SRV debug_level=3" \
3418 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3419 0 \
3420 -C "client hello, adding alpn extension" \
3421 -S "found alpn extension" \
3422 -C "got an alert message, type: \\[2:120]" \
3423 -S "server hello, adding alpn extension" \
3424 -C "found alpn extension " \
3425 -C "Application Layer Protocol is" \
3426 -S "Application Layer Protocol is"
3427
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3428run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3429 "$P_SRV debug_level=3" \
3430 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3431 0 \
3432 -c "client hello, adding alpn extension" \
3433 -s "found alpn extension" \
3434 -C "got an alert message, type: \\[2:120]" \
3435 -S "server hello, adding alpn extension" \
3436 -C "found alpn extension " \
3437 -c "Application Layer Protocol is (none)" \
3438 -S "Application Layer Protocol is"
3439
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3440run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3441 "$P_SRV debug_level=3 alpn=abc,1234" \
3442 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3443 0 \
3444 -C "client hello, adding alpn extension" \
3445 -S "found alpn extension" \
3446 -C "got an alert message, type: \\[2:120]" \
3447 -S "server hello, adding alpn extension" \
3448 -C "found alpn extension " \
3449 -C "Application Layer Protocol is" \
3450 -s "Application Layer Protocol is (none)"
3451
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3452run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3453 "$P_SRV debug_level=3 alpn=abc,1234" \
3454 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3455 0 \
3456 -c "client hello, adding alpn extension" \
3457 -s "found alpn extension" \
3458 -C "got an alert message, type: \\[2:120]" \
3459 -s "server hello, adding alpn extension" \
3460 -c "found alpn extension" \
3461 -c "Application Layer Protocol is abc" \
3462 -s "Application Layer Protocol is abc"
3463
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3464run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3465 "$P_SRV debug_level=3 alpn=abc,1234" \
3466 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3467 0 \
3468 -c "client hello, adding alpn extension" \
3469 -s "found alpn extension" \
3470 -C "got an alert message, type: \\[2:120]" \
3471 -s "server hello, adding alpn extension" \
3472 -c "found alpn extension" \
3473 -c "Application Layer Protocol is abc" \
3474 -s "Application Layer Protocol is abc"
3475
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3476run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3477 "$P_SRV debug_level=3 alpn=abc,1234" \
3478 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3479 0 \
3480 -c "client hello, adding alpn extension" \
3481 -s "found alpn extension" \
3482 -C "got an alert message, type: \\[2:120]" \
3483 -s "server hello, adding alpn extension" \
3484 -c "found alpn extension" \
3485 -c "Application Layer Protocol is 1234" \
3486 -s "Application Layer Protocol is 1234"
3487
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3488run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3489 "$P_SRV debug_level=3 alpn=abc,123" \
3490 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3491 1 \
3492 -c "client hello, adding alpn extension" \
3493 -s "found alpn extension" \
3494 -c "got an alert message, type: \\[2:120]" \
3495 -S "server hello, adding alpn extension" \
3496 -C "found alpn extension" \
3497 -C "Application Layer Protocol is 1234" \
3498 -S "Application Layer Protocol is 1234"
3499
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]3500
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3501# Tests for keyUsage in leaf certificates, part 1:
3502# server-side certificate/suite selection
3503
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3504run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3505 "$P_SRV key_file=data_files/server2.key \
3506 crt_file=data_files/server2.ku-ds.crt" \
3507 "$P_CLI" \
3508 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]3509 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3510
3511
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3512run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3513 "$P_SRV key_file=data_files/server2.key \
3514 crt_file=data_files/server2.ku-ke.crt" \
3515 "$P_CLI" \
3516 0 \
3517 -c "Ciphersuite is TLS-RSA-WITH-"
3518
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3519run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3520 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3521 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3522 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3523 1 \
3524 -C "Ciphersuite is "
3525
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3526run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3527 "$P_SRV key_file=data_files/server5.key \
3528 crt_file=data_files/server5.ku-ds.crt" \
3529 "$P_CLI" \
3530 0 \
3531 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
3532
3533
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3534run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3535 "$P_SRV key_file=data_files/server5.key \
3536 crt_file=data_files/server5.ku-ka.crt" \
3537 "$P_CLI" \
3538 0 \
3539 -c "Ciphersuite is TLS-ECDH-"
3540
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3541run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3542 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3543 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3544 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3545 1 \
3546 -C "Ciphersuite is "
3547
3548# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3549# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3550
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3551run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3552 "$O_SRV -key data_files/server2.key \
3553 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3554 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3555 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3556 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3557 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3558 -C "Processing of the Certificate handshake message failed" \
3559 -c "Ciphersuite is TLS-"
3560
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3561run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3562 "$O_SRV -key data_files/server2.key \
3563 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3564 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3565 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3566 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3567 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3568 -C "Processing of the Certificate handshake message failed" \
3569 -c "Ciphersuite is TLS-"
3570
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3571run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3572 "$O_SRV -key data_files/server2.key \
3573 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3574 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3575 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3576 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3577 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3578 -C "Processing of the Certificate handshake message failed" \
3579 -c "Ciphersuite is TLS-"
3580
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3581run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3582 "$O_SRV -key data_files/server2.key \
3583 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3584 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3585 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3586 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3587 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3588 -c "Processing of the Certificate handshake message failed" \
3589 -C "Ciphersuite is TLS-"
3590
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3591run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
3592 "$O_SRV -key data_files/server2.key \
3593 -cert data_files/server2.ku-ke.crt" \
3594 "$P_CLI debug_level=1 auth_mode=optional \
3595 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3596 0 \
3597 -c "bad certificate (usage extensions)" \
3598 -C "Processing of the Certificate handshake message failed" \
3599 -c "Ciphersuite is TLS-" \
3600 -c "! Usage does not match the keyUsage extension"
3601
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3602run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3603 "$O_SRV -key data_files/server2.key \
3604 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3605 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3606 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3607 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3608 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3609 -C "Processing of the Certificate handshake message failed" \
3610 -c "Ciphersuite is TLS-"
3611
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3612run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3613 "$O_SRV -key data_files/server2.key \
3614 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3615 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3616 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3617 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3618 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3619 -c "Processing of the Certificate handshake message failed" \
3620 -C "Ciphersuite is TLS-"
3621
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3622run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
3623 "$O_SRV -key data_files/server2.key \
3624 -cert data_files/server2.ku-ds.crt" \
3625 "$P_CLI debug_level=1 auth_mode=optional \
3626 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3627 0 \
3628 -c "bad certificate (usage extensions)" \
3629 -C "Processing of the Certificate handshake message failed" \
3630 -c "Ciphersuite is TLS-" \
3631 -c "! Usage does not match the keyUsage extension"
3632
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3633# Tests for keyUsage in leaf certificates, part 3:
3634# server-side checking of client cert
3635
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3636run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3637 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3638 "$O_CLI -key data_files/server2.key \
3639 -cert data_files/server2.ku-ds.crt" \
3640 0 \
3641 -S "bad certificate (usage extensions)" \
3642 -S "Processing of the Certificate handshake message failed"
3643
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3644run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3645 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3646 "$O_CLI -key data_files/server2.key \
3647 -cert data_files/server2.ku-ke.crt" \
3648 0 \
3649 -s "bad certificate (usage extensions)" \
3650 -S "Processing of the Certificate handshake message failed"
3651
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3652run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3653 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3654 "$O_CLI -key data_files/server2.key \
3655 -cert data_files/server2.ku-ke.crt" \
3656 1 \
3657 -s "bad certificate (usage extensions)" \
3658 -s "Processing of the Certificate handshake message failed"
3659
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3660run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3661 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3662 "$O_CLI -key data_files/server5.key \
3663 -cert data_files/server5.ku-ds.crt" \
3664 0 \
3665 -S "bad certificate (usage extensions)" \
3666 -S "Processing of the Certificate handshake message failed"
3667
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3668run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3669 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3670 "$O_CLI -key data_files/server5.key \
3671 -cert data_files/server5.ku-ka.crt" \
3672 0 \
3673 -s "bad certificate (usage extensions)" \
3674 -S "Processing of the Certificate handshake message failed"
3675
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3676# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
3677
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3678run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3679 "$P_SRV key_file=data_files/server5.key \
3680 crt_file=data_files/server5.eku-srv.crt" \
3681 "$P_CLI" \
3682 0
3683
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3684run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3685 "$P_SRV key_file=data_files/server5.key \
3686 crt_file=data_files/server5.eku-srv.crt" \
3687 "$P_CLI" \
3688 0
3689
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3690run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3691 "$P_SRV key_file=data_files/server5.key \
3692 crt_file=data_files/server5.eku-cs_any.crt" \
3693 "$P_CLI" \
3694 0
3695
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3696run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3697 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3698 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3699 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3700 1
3701
3702# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3703
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3704run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3705 "$O_SRV -key data_files/server5.key \
3706 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3707 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3708 0 \
3709 -C "bad certificate (usage extensions)" \
3710 -C "Processing of the Certificate handshake message failed" \
3711 -c "Ciphersuite is TLS-"
3712
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3713run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3714 "$O_SRV -key data_files/server5.key \
3715 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3716 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3717 0 \
3718 -C "bad certificate (usage extensions)" \
3719 -C "Processing of the Certificate handshake message failed" \
3720 -c "Ciphersuite is TLS-"
3721
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3722run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3723 "$O_SRV -key data_files/server5.key \
3724 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3725 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3726 0 \
3727 -C "bad certificate (usage extensions)" \
3728 -C "Processing of the Certificate handshake message failed" \
3729 -c "Ciphersuite is TLS-"
3730
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3731run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3732 "$O_SRV -key data_files/server5.key \
3733 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3734 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3735 1 \
3736 -c "bad certificate (usage extensions)" \
3737 -c "Processing of the Certificate handshake message failed" \
3738 -C "Ciphersuite is TLS-"
3739
3740# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3741
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3742run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3743 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3744 "$O_CLI -key data_files/server5.key \
3745 -cert data_files/server5.eku-cli.crt" \
3746 0 \
3747 -S "bad certificate (usage extensions)" \
3748 -S "Processing of the Certificate handshake message failed"
3749
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3750run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3751 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3752 "$O_CLI -key data_files/server5.key \
3753 -cert data_files/server5.eku-srv_cli.crt" \
3754 0 \
3755 -S "bad certificate (usage extensions)" \
3756 -S "Processing of the Certificate handshake message failed"
3757
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3758run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3759 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3760 "$O_CLI -key data_files/server5.key \
3761 -cert data_files/server5.eku-cs_any.crt" \
3762 0 \
3763 -S "bad certificate (usage extensions)" \
3764 -S "Processing of the Certificate handshake message failed"
3765
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3766run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3767 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3768 "$O_CLI -key data_files/server5.key \
3769 -cert data_files/server5.eku-cs.crt" \
3770 0 \
3771 -s "bad certificate (usage extensions)" \
3772 -S "Processing of the Certificate handshake message failed"
3773
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3774run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3775 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3776 "$O_CLI -key data_files/server5.key \
3777 -cert data_files/server5.eku-cs.crt" \
3778 1 \
3779 -s "bad certificate (usage extensions)" \
3780 -s "Processing of the Certificate handshake message failed"
3781
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3782# Tests for DHM parameters loading
3783
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3784run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3785 "$P_SRV" \
3786 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3787 debug_level=3" \
3788 0 \
3789 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]3790 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3791
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3792run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3793 "$P_SRV dhm_file=data_files/dhparams.pem" \
3794 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3795 debug_level=3" \
3796 0 \
3797 -c "value of 'DHM: P ' (1024 bits)" \
3798 -c "value of 'DHM: G ' (2 bits)"
3799
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]3800# Tests for DHM client-side size checking
3801
3802run_test "DHM size: server default, client default, OK" \
3803 "$P_SRV" \
3804 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3805 debug_level=1" \
3806 0 \
3807 -C "DHM prime too short:"
3808
3809run_test "DHM size: server default, client 2048, OK" \
3810 "$P_SRV" \
3811 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3812 debug_level=1 dhmlen=2048" \
3813 0 \
3814 -C "DHM prime too short:"
3815
3816run_test "DHM size: server 1024, client default, OK" \
3817 "$P_SRV dhm_file=data_files/dhparams.pem" \
3818 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3819 debug_level=1" \
3820 0 \
3821 -C "DHM prime too short:"
3822
3823run_test "DHM size: server 1000, client default, rejected" \
3824 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3825 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3826 debug_level=1" \
3827 1 \
3828 -c "DHM prime too short:"
3829
3830run_test "DHM size: server default, client 2049, rejected" \
3831 "$P_SRV" \
3832 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3833 debug_level=1 dhmlen=2049" \
3834 1 \
3835 -c "DHM prime too short:"
3836
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3837# Tests for PSK callback
3838
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3839run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3840 "$P_SRV psk=abc123 psk_identity=foo" \
3841 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3842 psk_identity=foo psk=abc123" \
3843 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3844 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3845 -S "SSL - Unknown identity received" \
3846 -S "SSL - Verification of the message MAC failed"
3847
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3848run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3849 "$P_SRV" \
3850 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3851 psk_identity=foo psk=abc123" \
3852 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3853 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3854 -S "SSL - Unknown identity received" \
3855 -S "SSL - Verification of the message MAC failed"
3856
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3857run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3858 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3859 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3860 psk_identity=foo psk=abc123" \
3861 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3862 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3863 -s "SSL - Unknown identity received" \
3864 -S "SSL - Verification of the message MAC failed"
3865
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3866run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3867 "$P_SRV psk_list=abc,dead,def,beef" \
3868 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3869 psk_identity=abc psk=dead" \
3870 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3871 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3872 -S "SSL - Unknown identity received" \
3873 -S "SSL - Verification of the message MAC failed"
3874
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3875run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3876 "$P_SRV psk_list=abc,dead,def,beef" \
3877 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3878 psk_identity=def psk=beef" \
3879 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3880 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3881 -S "SSL - Unknown identity received" \
3882 -S "SSL - Verification of the message MAC failed"
3883
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3884run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3885 "$P_SRV psk_list=abc,dead,def,beef" \
3886 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3887 psk_identity=ghi psk=beef" \
3888 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3889 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3890 -s "SSL - Unknown identity received" \
3891 -S "SSL - Verification of the message MAC failed"
3892
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3893run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3894 "$P_SRV psk_list=abc,dead,def,beef" \
3895 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3896 psk_identity=abc psk=beef" \
3897 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3898 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3899 -S "SSL - Unknown identity received" \
3900 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3901
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3902# Tests for EC J-PAKE
3903
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3904requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3905run_test "ECJPAKE: client not configured" \
3906 "$P_SRV debug_level=3" \
3907 "$P_CLI debug_level=3" \
3908 0 \
3909 -C "add ciphersuite: c0ff" \
3910 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3911 -S "found ecjpake kkpp extension" \
3912 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3913 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3914 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3915 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3916 -S "None of the common ciphersuites is usable"
3917
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3918requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3919run_test "ECJPAKE: server not configured" \
3920 "$P_SRV debug_level=3" \
3921 "$P_CLI debug_level=3 ecjpake_pw=bla \
3922 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3923 1 \
3924 -c "add ciphersuite: c0ff" \
3925 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3926 -s "found ecjpake kkpp extension" \
3927 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3928 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3929 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3930 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3931 -s "None of the common ciphersuites is usable"
3932
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3933requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3934run_test "ECJPAKE: working, TLS" \
3935 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3936 "$P_CLI debug_level=3 ecjpake_pw=bla \
3937 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3938 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3939 -c "add ciphersuite: c0ff" \
3940 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3941 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3942 -s "found ecjpake kkpp extension" \
3943 -S "skip ecjpake kkpp extension" \
3944 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3945 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3946 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3947 -S "None of the common ciphersuites is usable" \
3948 -S "SSL - Verification of the message MAC failed"
3949
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3950server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3951requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3952run_test "ECJPAKE: password mismatch, TLS" \
3953 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3954 "$P_CLI debug_level=3 ecjpake_pw=bad \
3955 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3956 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3957 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3958 -s "SSL - Verification of the message MAC failed"
3959
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3960requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3961run_test "ECJPAKE: working, DTLS" \
3962 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3963 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3964 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3965 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3966 -c "re-using cached ecjpake parameters" \
3967 -S "SSL - Verification of the message MAC failed"
3968
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3969requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3970run_test "ECJPAKE: working, DTLS, no cookie" \
3971 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3972 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3973 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3974 0 \
3975 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3976 -S "SSL - Verification of the message MAC failed"
3977
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3978server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3979requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3980run_test "ECJPAKE: password mismatch, DTLS" \
3981 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3982 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3983 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3984 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3985 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3986 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3987
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3988# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3989requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3990run_test "ECJPAKE: working, DTLS, nolog" \
3991 "$P_SRV dtls=1 ecjpake_pw=bla" \
3992 "$P_CLI dtls=1 ecjpake_pw=bla \
3993 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3994 0
3995
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3996# Tests for ciphersuites per version
3997
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3998requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3999run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4000 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]4001 "$P_CLI force_version=ssl3" \
4002 0 \
4003 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
4004
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4005run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4006 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]4007 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]4008 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4009 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]4010
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4011run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4012 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]4013 "$P_CLI force_version=tls1_1" \
4014 0 \
4015 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
4016
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4017run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4018 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]4019 "$P_CLI force_version=tls1_2" \
4020 0 \
4021 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
4022
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]4023# Test for ClientHello without extensions
4024
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]4025requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]4026run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]4027 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4028 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]4029 0 \
4030 -s "dumping 'client hello extensions' (0 bytes)"
4031
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]4032requires_gnutls
4033run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
4034 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4035 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]4036 0 \
4037 -s "dumping 'client hello extensions' (0 bytes)"
4038
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4039# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]4040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4041run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]4042 "$P_SRV" \
4043 "$P_CLI request_size=100" \
4044 0 \
4045 -s "Read from client: 100 bytes read$"
4046
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4047run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]4048 "$P_SRV" \
4049 "$P_CLI request_size=500" \
4050 0 \
4051 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]4052
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4053# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4054
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4055requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4056run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]4057 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4058 "$P_CLI request_size=1 force_version=ssl3 \
4059 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4060 0 \
4061 -s "Read from client: 1 bytes read"
4062
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4063requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4064run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4065 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4066 "$P_CLI request_size=1 force_version=ssl3 \
4067 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4068 0 \
4069 -s "Read from client: 1 bytes read"
4070
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4071run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4072 "$P_SRV" \
4073 "$P_CLI request_size=1 force_version=tls1 \
4074 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4075 0 \
4076 -s "Read from client: 1 bytes read"
4077
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4078run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]4079 "$P_SRV" \
4080 "$P_CLI request_size=1 force_version=tls1 etm=0 \
4081 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4082 0 \
4083 -s "Read from client: 1 bytes read"
4084
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4085requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4086run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4087 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4088 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4089 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4090 0 \
4091 -s "Read from client: 1 bytes read"
4092
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4093requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4094run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4095 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4096 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4097 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4098 0 \
4099 -s "Read from client: 1 bytes read"
4100
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4101run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4102 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4103 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4104 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4105 0 \
4106 -s "Read from client: 1 bytes read"
4107
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4108run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4109 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4110 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4111 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4112 0 \
4113 -s "Read from client: 1 bytes read"
4114
4115requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4116run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4117 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4118 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4119 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4120 0 \
4121 -s "Read from client: 1 bytes read"
4122
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4123requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4124run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4125 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4126 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4127 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4128 0 \
4129 -s "Read from client: 1 bytes read"
4130
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4131run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4132 "$P_SRV" \
4133 "$P_CLI request_size=1 force_version=tls1_1 \
4134 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4135 0 \
4136 -s "Read from client: 1 bytes read"
4137
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4138run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]4139 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4140 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4141 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4142 0 \
4143 -s "Read from client: 1 bytes read"
4144
4145requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4146run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4147 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4148 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4149 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4150 0 \
4151 -s "Read from client: 1 bytes read"
4152
4153requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4154run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4155 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4156 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4157 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]4158 0 \
4159 -s "Read from client: 1 bytes read"
4160
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4161run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4162 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4163 "$P_CLI request_size=1 force_version=tls1_1 \
4164 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4165 0 \
4166 -s "Read from client: 1 bytes read"
4167
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4168run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4169 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4170 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4171 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4172 0 \
4173 -s "Read from client: 1 bytes read"
4174
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4175requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4176run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4177 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4178 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4179 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4180 0 \
4181 -s "Read from client: 1 bytes read"
4182
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4183requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4184run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4185 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4186 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4187 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4188 0 \
4189 -s "Read from client: 1 bytes read"
4190
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4191run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4192 "$P_SRV" \
4193 "$P_CLI request_size=1 force_version=tls1_2 \
4194 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4195 0 \
4196 -s "Read from client: 1 bytes read"
4197
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4198run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]4199 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4200 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4201 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]4202 0 \
4203 -s "Read from client: 1 bytes read"
4204
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4205run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4206 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4207 "$P_CLI request_size=1 force_version=tls1_2 \
4208 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4209 0 \
4210 -s "Read from client: 1 bytes read"
4211
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4212requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4213run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4214 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4215 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4216 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4217 0 \
4218 -s "Read from client: 1 bytes read"
4219
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4220requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4221run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4222 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4223 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4224 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4225 0 \
4226 -s "Read from client: 1 bytes read"
4227
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4228run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4229 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4230 "$P_CLI request_size=1 force_version=tls1_2 \
4231 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4232 0 \
4233 -s "Read from client: 1 bytes read"
4234
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4235run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4236 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4237 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4238 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4239 0 \
4240 -s "Read from client: 1 bytes read"
4241
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4242requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4243run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4244 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4245 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4246 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4247 0 \
4248 -s "Read from client: 1 bytes read"
4249
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4250requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4251run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4252 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4253 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4254 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4255 0 \
4256 -s "Read from client: 1 bytes read"
4257
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4258run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4259 "$P_SRV" \
4260 "$P_CLI request_size=1 force_version=tls1_2 \
4261 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4262 0 \
4263 -s "Read from client: 1 bytes read"
4264
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4265run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4266 "$P_SRV" \
4267 "$P_CLI request_size=1 force_version=tls1_2 \
4268 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4269 0 \
4270 -s "Read from client: 1 bytes read"
4271
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4272# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4273
4274requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4275run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4276 "$P_SRV dtls=1 force_version=dtls1" \
4277 "$P_CLI dtls=1 request_size=1 \
4278 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4279 0 \
4280 -s "Read from client: 1 bytes read"
4281
4282requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4283run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4284 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
4285 "$P_CLI dtls=1 request_size=1 \
4286 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4287 0 \
4288 -s "Read from client: 1 bytes read"
4289
4290requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4291requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4292run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4293 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
4294 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4295 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4296 0 \
4297 -s "Read from client: 1 bytes read"
4298
4299requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4300requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4301run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4302 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4303 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4304 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4305 0 \
4306 -s "Read from client: 1 bytes read"
4307
4308requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4309run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4310 "$P_SRV dtls=1 force_version=dtls1_2" \
4311 "$P_CLI dtls=1 request_size=1 \
4312 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4313 0 \
4314 -s "Read from client: 1 bytes read"
4315
4316requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4317run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4318 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4319 "$P_CLI dtls=1 request_size=1 \
4320 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4321 0 \
4322 -s "Read from client: 1 bytes read"
4323
4324requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4325requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4326run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4327 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4328 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4329 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4330 0 \
4331 -s "Read from client: 1 bytes read"
4332
4333requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4334requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4335run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4336 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4337 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4338 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4339 0 \
4340 -s "Read from client: 1 bytes read"
4341
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4342# Tests for small server packets
4343
4344requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4345run_test "Small server packet SSLv3 BlockCipher" \
4346 "$P_SRV response_size=1 min_version=ssl3" \
4347 "$P_CLI force_version=ssl3 \
4348 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4349 0 \
4350 -c "Read from server: 1 bytes read"
4351
4352requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4353run_test "Small server packet SSLv3 StreamCipher" \
4354 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4355 "$P_CLI force_version=ssl3 \
4356 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4357 0 \
4358 -c "Read from server: 1 bytes read"
4359
4360run_test "Small server packet TLS 1.0 BlockCipher" \
4361 "$P_SRV response_size=1" \
4362 "$P_CLI force_version=tls1 \
4363 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4364 0 \
4365 -c "Read from server: 1 bytes read"
4366
4367run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
4368 "$P_SRV response_size=1" \
4369 "$P_CLI force_version=tls1 etm=0 \
4370 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4371 0 \
4372 -c "Read from server: 1 bytes read"
4373
4374requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4375run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
4376 "$P_SRV response_size=1 trunc_hmac=1" \
4377 "$P_CLI force_version=tls1 \
4378 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4379 0 \
4380 -c "Read from server: 1 bytes read"
4381
4382requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4383run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
4384 "$P_SRV response_size=1 trunc_hmac=1" \
4385 "$P_CLI force_version=tls1 \
4386 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4387 0 \
4388 -c "Read from server: 1 bytes read"
4389
4390run_test "Small server packet TLS 1.0 StreamCipher" \
4391 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4392 "$P_CLI force_version=tls1 \
4393 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4394 0 \
4395 -c "Read from server: 1 bytes read"
4396
4397run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
4398 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4399 "$P_CLI force_version=tls1 \
4400 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4401 0 \
4402 -c "Read from server: 1 bytes read"
4403
4404requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4405run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
4406 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4407 "$P_CLI force_version=tls1 \
4408 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4409 0 \
4410 -c "Read from server: 1 bytes read"
4411
4412requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4413run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4414 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4415 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4416 trunc_hmac=1 etm=0" \
4417 0 \
4418 -c "Read from server: 1 bytes read"
4419
4420run_test "Small server packet TLS 1.1 BlockCipher" \
4421 "$P_SRV response_size=1" \
4422 "$P_CLI force_version=tls1_1 \
4423 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4424 0 \
4425 -c "Read from server: 1 bytes read"
4426
4427run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
4428 "$P_SRV response_size=1" \
4429 "$P_CLI force_version=tls1_1 \
4430 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
4431 0 \
4432 -c "Read from server: 1 bytes read"
4433
4434requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4435run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
4436 "$P_SRV response_size=1 trunc_hmac=1" \
4437 "$P_CLI force_version=tls1_1 \
4438 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4439 0 \
4440 -c "Read from server: 1 bytes read"
4441
4442requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4443run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4444 "$P_SRV response_size=1 trunc_hmac=1" \
4445 "$P_CLI force_version=tls1_1 \
4446 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4447 0 \
4448 -c "Read from server: 1 bytes read"
4449
4450run_test "Small server packet TLS 1.1 StreamCipher" \
4451 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4452 "$P_CLI force_version=tls1_1 \
4453 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4454 0 \
4455 -c "Read from server: 1 bytes read"
4456
4457run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
4458 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4459 "$P_CLI force_version=tls1_1 \
4460 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4461 0 \
4462 -c "Read from server: 1 bytes read"
4463
4464requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4465run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
4466 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4467 "$P_CLI force_version=tls1_1 \
4468 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4469 0 \
4470 -c "Read from server: 1 bytes read"
4471
4472requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4473run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
4474 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4475 "$P_CLI force_version=tls1_1 \
4476 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4477 0 \
4478 -c "Read from server: 1 bytes read"
4479
4480run_test "Small server packet TLS 1.2 BlockCipher" \
4481 "$P_SRV response_size=1" \
4482 "$P_CLI force_version=tls1_2 \
4483 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4484 0 \
4485 -c "Read from server: 1 bytes read"
4486
4487run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
4488 "$P_SRV response_size=1" \
4489 "$P_CLI force_version=tls1_2 \
4490 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
4491 0 \
4492 -c "Read from server: 1 bytes read"
4493
4494run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
4495 "$P_SRV response_size=1" \
4496 "$P_CLI force_version=tls1_2 \
4497 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4498 0 \
4499 -c "Read from server: 1 bytes read"
4500
4501requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4502run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
4503 "$P_SRV response_size=1 trunc_hmac=1" \
4504 "$P_CLI force_version=tls1_2 \
4505 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4506 0 \
4507 -c "Read from server: 1 bytes read"
4508
4509requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4510run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
4511 "$P_SRV response_size=1 trunc_hmac=1" \
4512 "$P_CLI force_version=tls1_2 \
4513 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4514 0 \
4515 -c "Read from server: 1 bytes read"
4516
4517run_test "Small server packet TLS 1.2 StreamCipher" \
4518 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4519 "$P_CLI force_version=tls1_2 \
4520 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4521 0 \
4522 -c "Read from server: 1 bytes read"
4523
4524run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
4525 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4526 "$P_CLI force_version=tls1_2 \
4527 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4528 0 \
4529 -c "Read from server: 1 bytes read"
4530
4531requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4532run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
4533 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4534 "$P_CLI force_version=tls1_2 \
4535 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4536 0 \
4537 -c "Read from server: 1 bytes read"
4538
4539requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4540run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4541 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4542 "$P_CLI force_version=tls1_2 \
4543 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4544 0 \
4545 -c "Read from server: 1 bytes read"
4546
4547run_test "Small server packet TLS 1.2 AEAD" \
4548 "$P_SRV response_size=1" \
4549 "$P_CLI force_version=tls1_2 \
4550 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4551 0 \
4552 -c "Read from server: 1 bytes read"
4553
4554run_test "Small server packet TLS 1.2 AEAD shorter tag" \
4555 "$P_SRV response_size=1" \
4556 "$P_CLI force_version=tls1_2 \
4557 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4558 0 \
4559 -c "Read from server: 1 bytes read"
4560
4561# Tests for small server packets in DTLS
4562
4563requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4564run_test "Small server packet DTLS 1.0" \
4565 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
4566 "$P_CLI dtls=1 \
4567 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4568 0 \
4569 -c "Read from server: 1 bytes read"
4570
4571requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4572run_test "Small server packet DTLS 1.0, without EtM" \
4573 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
4574 "$P_CLI dtls=1 \
4575 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4576 0 \
4577 -c "Read from server: 1 bytes read"
4578
4579requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4580requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4581run_test "Small server packet DTLS 1.0, truncated hmac" \
4582 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
4583 "$P_CLI dtls=1 trunc_hmac=1 \
4584 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4585 0 \
4586 -c "Read from server: 1 bytes read"
4587
4588requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4589requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4590run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
4591 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
4592 "$P_CLI dtls=1 \
4593 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
4594 0 \
4595 -c "Read from server: 1 bytes read"
4596
4597requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4598run_test "Small server packet DTLS 1.2" \
4599 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
4600 "$P_CLI dtls=1 \
4601 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4602 0 \
4603 -c "Read from server: 1 bytes read"
4604
4605requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4606run_test "Small server packet DTLS 1.2, without EtM" \
4607 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
4608 "$P_CLI dtls=1 \
4609 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4610 0 \
4611 -c "Read from server: 1 bytes read"
4612
4613requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4614requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4615run_test "Small server packet DTLS 1.2, truncated hmac" \
4616 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
4617 "$P_CLI dtls=1 \
4618 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4619 0 \
4620 -c "Read from server: 1 bytes read"
4621
4622requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4623requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4624run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
4625 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
4626 "$P_CLI dtls=1 \
4627 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
4628 0 \
4629 -c "Read from server: 1 bytes read"
4630
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]4631# A test for extensions in SSLv3
4632
4633requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4634run_test "SSLv3 with extensions, server side" \
4635 "$P_SRV min_version=ssl3 debug_level=3" \
4636 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
4637 0 \
4638 -S "dumping 'client hello extensions'" \
4639 -S "server hello, total extension length:"
4640
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4641# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4642
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4643# How many fragments do we expect to write $1 bytes?
4644fragments_for_write() {
4645 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
4646}
4647
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4648requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4649run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]4650 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4651 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4652 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4653 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4654 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4655 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4656
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4657requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4658run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4659 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4660 "$P_CLI request_size=16384 force_version=ssl3 \
4661 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4662 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4663 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4664 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4665
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4666run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4667 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4668 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4669 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4670 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4671 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4672 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4673
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4674run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4675 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4676 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
4677 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4678 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4679 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4680
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4681requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4682run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4683 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4684 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4685 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4686 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4687 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4688 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4689
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4690requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4691run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4692 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4693 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4694 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4695 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4696 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4697
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4698run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4699 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4700 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4701 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4702 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4703 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4704
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4705run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4706 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4707 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4708 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4709 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4710 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4711
4712requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4713run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4714 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4715 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4716 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4717 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4718 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4719
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4720requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4721run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4722 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4723 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4724 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4725 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4726 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4727 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4728
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4729run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4730 "$P_SRV" \
4731 "$P_CLI request_size=16384 force_version=tls1_1 \
4732 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4733 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4734 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4735 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4736
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4737run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4738 "$P_SRV" \
4739 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
4740 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4741 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4742 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4743
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4744requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4745run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4746 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4747 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4748 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4749 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4750 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4751
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4752requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4753run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4754 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4755 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4756 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4757 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4758 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4759
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4760run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4761 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4762 "$P_CLI request_size=16384 force_version=tls1_1 \
4763 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4764 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4765 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4766 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4767
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4768run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4769 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4770 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4771 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4772 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4773 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4774 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4775
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4776requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4777run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4778 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4779 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4780 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4781 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4782 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4783
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4784requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4785run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4786 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4787 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4788 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4789 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4790 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4791 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4792
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4793run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4794 "$P_SRV" \
4795 "$P_CLI request_size=16384 force_version=tls1_2 \
4796 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4797 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4798 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4799 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4800
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4801run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4802 "$P_SRV" \
4803 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
4804 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4805 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4806 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4807
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4808run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4809 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4810 "$P_CLI request_size=16384 force_version=tls1_2 \
4811 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4812 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4813 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4814 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4815
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4816requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4817run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4818 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4819 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4820 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4821 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4822 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4823
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4824requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4825run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4826 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4827 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4828 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4829 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4830 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4831 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4832
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4833run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4834 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4835 "$P_CLI request_size=16384 force_version=tls1_2 \
4836 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4837 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4838 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4839 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4840
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4841run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4842 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4843 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4844 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4845 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4846 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4847
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4848requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4849run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4850 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4851 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4852 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4853 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4854 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4855
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4856requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4857run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4858 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4859 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4860 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4861 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4862 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4863 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4864
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4865run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4866 "$P_SRV" \
4867 "$P_CLI request_size=16384 force_version=tls1_2 \
4868 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4869 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4870 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4871 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4872
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4873run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4874 "$P_SRV" \
4875 "$P_CLI request_size=16384 force_version=tls1_2 \
4876 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4877 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4878 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4879 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4880
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4881# Test for large server packets
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4882requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4883run_test "Large server packet SSLv3 StreamCipher" \
4884 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4885 "$P_CLI force_version=ssl3 \
4886 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4887 0 \
4888 -c "Read from server: 16384 bytes read"
4889
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]4890# Checking next 4 tests logs for 1n-1 split against BEAST too
4891requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4892run_test "Large server packet SSLv3 BlockCipher" \
4893 "$P_SRV response_size=16384 min_version=ssl3" \
4894 "$P_CLI force_version=ssl3 recsplit=0 \
4895 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4896 0 \
4897 -c "Read from server: 1 bytes read"\
4898 -c "16383 bytes read"\
4899 -C "Read from server: 16384 bytes read"
4900
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4901run_test "Large server packet TLS 1.0 BlockCipher" \
4902 "$P_SRV response_size=16384" \
4903 "$P_CLI force_version=tls1 recsplit=0 \
4904 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4905 0 \
4906 -c "Read from server: 1 bytes read"\
4907 -c "16383 bytes read"\
4908 -C "Read from server: 16384 bytes read"
4909
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4910run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
4911 "$P_SRV response_size=16384" \
4912 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
4913 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4914 0 \
4915 -c "Read from server: 1 bytes read"\
4916 -c "16383 bytes read"\
4917 -C "Read from server: 16384 bytes read"
4918
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4919requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4920run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
4921 "$P_SRV response_size=16384" \
4922 "$P_CLI force_version=tls1 recsplit=0 \
4923 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4924 trunc_hmac=1" \
4925 0 \
4926 -c "Read from server: 1 bytes read"\
4927 -c "16383 bytes read"\
4928 -C "Read from server: 16384 bytes read"
4929
4930requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4931run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
4932 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4933 "$P_CLI force_version=tls1 \
4934 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4935 trunc_hmac=1" \
4936 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4937 -s "16384 bytes written in 1 fragments" \
4938 -c "Read from server: 16384 bytes read"
4939
4940run_test "Large server packet TLS 1.0 StreamCipher" \
4941 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4942 "$P_CLI force_version=tls1 \
4943 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4944 0 \
4945 -s "16384 bytes written in 1 fragments" \
4946 -c "Read from server: 16384 bytes read"
4947
4948run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
4949 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4950 "$P_CLI force_version=tls1 \
4951 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4952 0 \
4953 -s "16384 bytes written in 1 fragments" \
4954 -c "Read from server: 16384 bytes read"
4955
4956requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4957run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
4958 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4959 "$P_CLI force_version=tls1 \
4960 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4961 0 \
4962 -s "16384 bytes written in 1 fragments" \
4963 -c "Read from server: 16384 bytes read"
4964
4965requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4966run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4967 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4968 "$P_CLI force_version=tls1 \
4969 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4970 0 \
4971 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4972 -c "Read from server: 16384 bytes read"
4973
4974run_test "Large server packet TLS 1.1 BlockCipher" \
4975 "$P_SRV response_size=16384" \
4976 "$P_CLI force_version=tls1_1 \
4977 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4978 0 \
4979 -c "Read from server: 16384 bytes read"
4980
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4981run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
4982 "$P_SRV response_size=16384" \
4983 "$P_CLI force_version=tls1_1 etm=0 \
4984 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4985 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4986 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]4987 -c "Read from server: 16384 bytes read"
4988
4989requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4990run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
4991 "$P_SRV response_size=16384" \
4992 "$P_CLI force_version=tls1_1 \
4993 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4994 trunc_hmac=1" \
4995 0 \
4996 -c "Read from server: 16384 bytes read"
4997
4998requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]4999run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
5000 "$P_SRV response_size=16384 trunc_hmac=1" \
5001 "$P_CLI force_version=tls1_1 \
5002 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5003 0 \
5004 -s "16384 bytes written in 1 fragments" \
5005 -c "Read from server: 16384 bytes read"
5006
5007run_test "Large server packet TLS 1.1 StreamCipher" \
5008 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5009 "$P_CLI force_version=tls1_1 \
5010 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5011 0 \
5012 -c "Read from server: 16384 bytes read"
5013
5014run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
5015 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5016 "$P_CLI force_version=tls1_1 \
5017 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5018 0 \
5019 -s "16384 bytes written in 1 fragments" \
5020 -c "Read from server: 16384 bytes read"
5021
5022requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5023run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
5024 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5025 "$P_CLI force_version=tls1_1 \
5026 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5027 trunc_hmac=1" \
5028 0 \
5029 -c "Read from server: 16384 bytes read"
5030
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5031run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
5032 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5033 "$P_CLI force_version=tls1_1 \
5034 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5035 0 \
5036 -s "16384 bytes written in 1 fragments" \
5037 -c "Read from server: 16384 bytes read"
5038
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5039run_test "Large server packet TLS 1.2 BlockCipher" \
5040 "$P_SRV response_size=16384" \
5041 "$P_CLI force_version=tls1_2 \
5042 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5043 0 \
5044 -c "Read from server: 16384 bytes read"
5045
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5046run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
5047 "$P_SRV response_size=16384" \
5048 "$P_CLI force_version=tls1_2 etm=0 \
5049 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5050 0 \
5051 -s "16384 bytes written in 1 fragments" \
5052 -c "Read from server: 16384 bytes read"
5053
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5054run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
5055 "$P_SRV response_size=16384" \
5056 "$P_CLI force_version=tls1_2 \
5057 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
5058 0 \
5059 -c "Read from server: 16384 bytes read"
5060
5061requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5062run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
5063 "$P_SRV response_size=16384" \
5064 "$P_CLI force_version=tls1_2 \
5065 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
5066 trunc_hmac=1" \
5067 0 \
5068 -c "Read from server: 16384 bytes read"
5069
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5070run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
5071 "$P_SRV response_size=16384 trunc_hmac=1" \
5072 "$P_CLI force_version=tls1_2 \
5073 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5074 0 \
5075 -s "16384 bytes written in 1 fragments" \
5076 -c "Read from server: 16384 bytes read"
5077
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5078run_test "Large server packet TLS 1.2 StreamCipher" \
5079 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5080 "$P_CLI force_version=tls1_2 \
5081 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5082 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5083 -s "16384 bytes written in 1 fragments" \
5084 -c "Read from server: 16384 bytes read"
5085
5086run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
5087 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5088 "$P_CLI force_version=tls1_2 \
5089 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5090 0 \
5091 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5092 -c "Read from server: 16384 bytes read"
5093
5094requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5095run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
5096 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5097 "$P_CLI force_version=tls1_2 \
5098 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5099 trunc_hmac=1" \
5100 0 \
5101 -c "Read from server: 16384 bytes read"
5102
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5103requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5104run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
5105 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5106 "$P_CLI force_version=tls1_2 \
5107 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5108 0 \
5109 -s "16384 bytes written in 1 fragments" \
5110 -c "Read from server: 16384 bytes read"
5111
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5112run_test "Large server packet TLS 1.2 AEAD" \
5113 "$P_SRV response_size=16384" \
5114 "$P_CLI force_version=tls1_2 \
5115 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5116 0 \
5117 -c "Read from server: 16384 bytes read"
5118
5119run_test "Large server packet TLS 1.2 AEAD shorter tag" \
5120 "$P_SRV response_size=16384" \
5121 "$P_CLI force_version=tls1_2 \
5122 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5123 0 \
5124 -c "Read from server: 16384 bytes read"
5125
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5126# Tests for restartable ECC
5127
5128requires_config_enabled MBEDTLS_ECP_RESTARTABLE
5129run_test "EC restart: TLS, default" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5130 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5131 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5132 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5133 debug_level=1" \
5134 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5135 -C "x509_verify_cert.*4b00" \
5136 -C "mbedtls_pk_verify.*4b00" \
5137 -C "mbedtls_ecdh_make_public.*4b00" \
5138 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5139
5140requires_config_enabled MBEDTLS_ECP_RESTARTABLE
5141run_test "EC restart: TLS, max_ops=0" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5142 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5143 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5144 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5145 debug_level=1 ec_max_ops=0" \
5146 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5147 -C "x509_verify_cert.*4b00" \
5148 -C "mbedtls_pk_verify.*4b00" \
5149 -C "mbedtls_ecdh_make_public.*4b00" \
5150 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5151
5152requires_config_enabled MBEDTLS_ECP_RESTARTABLE
5153run_test "EC restart: TLS, max_ops=65535" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5154 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5155 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5156 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5157 debug_level=1 ec_max_ops=65535" \
5158 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5159 -C "x509_verify_cert.*4b00" \
5160 -C "mbedtls_pk_verify.*4b00" \
5161 -C "mbedtls_ecdh_make_public.*4b00" \
5162 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5163
5164requires_config_enabled MBEDTLS_ECP_RESTARTABLE
5165run_test "EC restart: TLS, max_ops=1000" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5166 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5167 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5168 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5169 debug_level=1 ec_max_ops=1000" \
5170 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5171 -c "x509_verify_cert.*4b00" \
5172 -c "mbedtls_pk_verify.*4b00" \
5173 -c "mbedtls_ecdh_make_public.*4b00" \
5174 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5175
5176requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]5177run_test "EC restart: TLS, max_ops=1000, badsign" \
5178 "$P_SRV auth_mode=required \
5179 crt_file=data_files/server5-badsign.crt \
5180 key_file=data_files/server5.key" \
5181 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
5182 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5183 debug_level=1 ec_max_ops=1000" \
5184 1 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5185 -c "x509_verify_cert.*4b00" \
5186 -C "mbedtls_pk_verify.*4b00" \
5187 -C "mbedtls_ecdh_make_public.*4b00" \
5188 -C "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]5189 -c "! The certificate is not correctly signed by the trusted CA" \
5190 -c "! mbedtls_ssl_handshake returned" \
5191 -c "X509 - Certificate verification failed"
5192
5193requires_config_enabled MBEDTLS_ECP_RESTARTABLE
5194run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
5195 "$P_SRV auth_mode=required \
5196 crt_file=data_files/server5-badsign.crt \
5197 key_file=data_files/server5.key" \
5198 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
5199 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5200 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
5201 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5202 -c "x509_verify_cert.*4b00" \
5203 -c "mbedtls_pk_verify.*4b00" \
5204 -c "mbedtls_ecdh_make_public.*4b00" \
5205 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]5206 -c "! The certificate is not correctly signed by the trusted CA" \
5207 -C "! mbedtls_ssl_handshake returned" \
5208 -C "X509 - Certificate verification failed"
5209
5210requires_config_enabled MBEDTLS_ECP_RESTARTABLE
5211run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
5212 "$P_SRV auth_mode=required \
5213 crt_file=data_files/server5-badsign.crt \
5214 key_file=data_files/server5.key" \
5215 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
5216 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5217 debug_level=1 ec_max_ops=1000 auth_mode=none" \
5218 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5219 -C "x509_verify_cert.*4b00" \
5220 -c "mbedtls_pk_verify.*4b00" \
5221 -c "mbedtls_ecdh_make_public.*4b00" \
5222 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]5223 -C "! The certificate is not correctly signed by the trusted CA" \
5224 -C "! mbedtls_ssl_handshake returned" \
5225 -C "X509 - Certificate verification failed"
5226
5227requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5228run_test "EC restart: DTLS, max_ops=1000" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5229 "$P_SRV auth_mode=required dtls=1" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5230 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]5231 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5232 dtls=1 debug_level=1 ec_max_ops=1000" \
5233 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5234 -c "x509_verify_cert.*4b00" \
5235 -c "mbedtls_pk_verify.*4b00" \
5236 -c "mbedtls_ecdh_make_public.*4b00" \
5237 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]5238
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]5239requires_config_enabled MBEDTLS_ECP_RESTARTABLE
5240run_test "EC restart: TLS, max_ops=1000 no client auth" \
5241 "$P_SRV" \
5242 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
5243 debug_level=1 ec_max_ops=1000" \
5244 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5245 -c "x509_verify_cert.*4b00" \
5246 -c "mbedtls_pk_verify.*4b00" \
5247 -c "mbedtls_ecdh_make_public.*4b00" \
5248 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]5249
5250requires_config_enabled MBEDTLS_ECP_RESTARTABLE
5251run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
5252 "$P_SRV psk=abc123" \
5253 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
5254 psk=abc123 debug_level=1 ec_max_ops=1000" \
5255 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]5256 -C "x509_verify_cert.*4b00" \
5257 -C "mbedtls_pk_verify.*4b00" \
5258 -C "mbedtls_ecdh_make_public.*4b00" \
5259 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]5260
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5261# Tests of asynchronous private key support in SSL
5262
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5263requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5264run_test "SSL async private: sign, delay=0" \
5265 "$P_SRV \
5266 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5267 "$P_CLI" \
5268 0 \
5269 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5270 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5271
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5272requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5273run_test "SSL async private: sign, delay=1" \
5274 "$P_SRV \
5275 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5276 "$P_CLI" \
5277 0 \
5278 -s "Async sign callback: using key slot " \
5279 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5280 -s "Async resume (slot [0-9]): sign done, status=0"
5281
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]5282requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
5283run_test "SSL async private: sign, delay=2" \
5284 "$P_SRV \
5285 async_operations=s async_private_delay1=2 async_private_delay2=2" \
5286 "$P_CLI" \
5287 0 \
5288 -s "Async sign callback: using key slot " \
5289 -U "Async sign callback: using key slot " \
5290 -s "Async resume (slot [0-9]): call 1 more times." \
5291 -s "Async resume (slot [0-9]): call 0 more times." \
5292 -s "Async resume (slot [0-9]): sign done, status=0"
5293
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]5294# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
5295# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
5296requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
5297requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
5298run_test "SSL async private: sign, RSA, TLS 1.1" \
5299 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
5300 async_operations=s async_private_delay1=0 async_private_delay2=0" \
5301 "$P_CLI force_version=tls1_1" \
5302 0 \
5303 -s "Async sign callback: using key slot " \
5304 -s "Async resume (slot [0-9]): sign done, status=0"
5305
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5306requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]5307run_test "SSL async private: sign, SNI" \
5308 "$P_SRV debug_level=3 \
5309 async_operations=s async_private_delay1=0 async_private_delay2=0 \
5310 crt_file=data_files/server5.crt key_file=data_files/server5.key \
5311 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
5312 "$P_CLI server_name=polarssl.example" \
5313 0 \
5314 -s "Async sign callback: using key slot " \
5315 -s "Async resume (slot [0-9]): sign done, status=0" \
5316 -s "parse ServerName extension" \
5317 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
5318 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
5319
5320requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5321run_test "SSL async private: decrypt, delay=0" \
5322 "$P_SRV \
5323 async_operations=d async_private_delay1=0 async_private_delay2=0" \
5324 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5325 0 \
5326 -s "Async decrypt callback: using key slot " \
5327 -s "Async resume (slot [0-9]): decrypt done, status=0"
5328
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5329requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5330run_test "SSL async private: decrypt, delay=1" \
5331 "$P_SRV \
5332 async_operations=d async_private_delay1=1 async_private_delay2=1" \
5333 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5334 0 \
5335 -s "Async decrypt callback: using key slot " \
5336 -s "Async resume (slot [0-9]): call 0 more times." \
5337 -s "Async resume (slot [0-9]): decrypt done, status=0"
5338
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5339requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5340run_test "SSL async private: decrypt RSA-PSK, delay=0" \
5341 "$P_SRV psk=abc123 \
5342 async_operations=d async_private_delay1=0 async_private_delay2=0" \
5343 "$P_CLI psk=abc123 \
5344 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
5345 0 \
5346 -s "Async decrypt callback: using key slot " \
5347 -s "Async resume (slot [0-9]): decrypt done, status=0"
5348
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5349requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5350run_test "SSL async private: decrypt RSA-PSK, delay=1" \
5351 "$P_SRV psk=abc123 \
5352 async_operations=d async_private_delay1=1 async_private_delay2=1" \
5353 "$P_CLI psk=abc123 \
5354 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
5355 0 \
5356 -s "Async decrypt callback: using key slot " \
5357 -s "Async resume (slot [0-9]): call 0 more times." \
5358 -s "Async resume (slot [0-9]): decrypt done, status=0"
5359
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5360requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5361run_test "SSL async private: sign callback not present" \
5362 "$P_SRV \
5363 async_operations=d async_private_delay1=1 async_private_delay2=1" \
5364 "$P_CLI; [ \$? -eq 1 ] &&
5365 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5366 0 \
5367 -S "Async sign callback" \
5368 -s "! mbedtls_ssl_handshake returned" \
5369 -s "The own private key or pre-shared key is not set, but needed" \
5370 -s "Async resume (slot [0-9]): decrypt done, status=0" \
5371 -s "Successful connection"
5372
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5373requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5374run_test "SSL async private: decrypt callback not present" \
5375 "$P_SRV debug_level=1 \
5376 async_operations=s async_private_delay1=1 async_private_delay2=1" \
5377 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
5378 [ \$? -eq 1 ] && $P_CLI" \
5379 0 \
5380 -S "Async decrypt callback" \
5381 -s "! mbedtls_ssl_handshake returned" \
5382 -s "got no RSA private key" \
5383 -s "Async resume (slot [0-9]): sign done, status=0" \
5384 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5385
5386# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5387requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5388run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5389 "$P_SRV \
5390 async_operations=s async_private_delay1=1 \
5391 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5392 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5393 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
5394 0 \
5395 -s "Async sign callback: using key slot 0," \
5396 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5397 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5398
5399# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5400requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5401run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5402 "$P_SRV \
5403 async_operations=s async_private_delay2=1 \
5404 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5405 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5406 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
5407 0 \
5408 -s "Async sign callback: using key slot 0," \
5409 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5410 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5411
5412# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5413requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]5414run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5415 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]5416 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5417 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5418 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5419 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
5420 0 \
5421 -s "Async sign callback: using key slot 1," \
5422 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5423 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5424
5425# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5426requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5427run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5428 "$P_SRV \
5429 async_operations=s async_private_delay1=1 \
5430 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5431 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5432 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
5433 0 \
5434 -s "Async sign callback: no key matches this certificate."
5435
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5436requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]5437run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5438 "$P_SRV \
5439 async_operations=s async_private_delay1=1 async_private_delay2=1 \
5440 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5441 "$P_CLI" \
5442 1 \
5443 -s "Async sign callback: injected error" \
5444 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]5445 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5446 -s "! mbedtls_ssl_handshake returned"
5447
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5448requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]5449run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5450 "$P_SRV \
5451 async_operations=s async_private_delay1=1 async_private_delay2=1 \
5452 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5453 "$P_CLI" \
5454 1 \
5455 -s "Async sign callback: using key slot " \
5456 -S "Async resume" \
5457 -s "Async cancel"
5458
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5459requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]5460run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5461 "$P_SRV \
5462 async_operations=s async_private_delay1=1 async_private_delay2=1 \
5463 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5464 "$P_CLI" \
5465 1 \
5466 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5467 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]5468 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5469 -s "! mbedtls_ssl_handshake returned"
5470
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5471requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]5472run_test "SSL async private: decrypt, error in start" \
5473 "$P_SRV \
5474 async_operations=d async_private_delay1=1 async_private_delay2=1 \
5475 async_private_error=1" \
5476 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5477 1 \
5478 -s "Async decrypt callback: injected error" \
5479 -S "Async resume" \
5480 -S "Async cancel" \
5481 -s "! mbedtls_ssl_handshake returned"
5482
5483requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
5484run_test "SSL async private: decrypt, cancel after start" \
5485 "$P_SRV \
5486 async_operations=d async_private_delay1=1 async_private_delay2=1 \
5487 async_private_error=2" \
5488 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5489 1 \
5490 -s "Async decrypt callback: using key slot " \
5491 -S "Async resume" \
5492 -s "Async cancel"
5493
5494requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
5495run_test "SSL async private: decrypt, error in resume" \
5496 "$P_SRV \
5497 async_operations=d async_private_delay1=1 async_private_delay2=1 \
5498 async_private_error=3" \
5499 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5500 1 \
5501 -s "Async decrypt callback: using key slot " \
5502 -s "Async resume callback: decrypt done but injected error" \
5503 -S "Async cancel" \
5504 -s "! mbedtls_ssl_handshake returned"
5505
5506requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]5507run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5508 "$P_SRV \
5509 async_operations=s async_private_delay1=1 async_private_delay2=1 \
5510 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]5511 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
5512 0 \
5513 -s "Async cancel" \
5514 -s "! mbedtls_ssl_handshake returned" \
5515 -s "Async resume" \
5516 -s "Successful connection"
5517
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5518requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]5519run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5520 "$P_SRV \
5521 async_operations=s async_private_delay1=1 async_private_delay2=1 \
5522 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]5523 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
5524 0 \
5525 -s "! mbedtls_ssl_handshake returned" \
5526 -s "Async resume" \
5527 -s "Successful connection"
5528
5529# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5530requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]5531run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5532 "$P_SRV \
5533 async_operations=s async_private_delay1=1 async_private_error=-2 \
5534 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5535 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]5536 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
5537 [ \$? -eq 1 ] &&
5538 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
5539 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]5540 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]5541 -S "Async resume" \
5542 -s "Async cancel" \
5543 -s "! mbedtls_ssl_handshake returned" \
5544 -s "Async sign callback: no key matches this certificate." \
5545 -s "Successful connection"
5546
5547# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5548requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]5549run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5550 "$P_SRV \
5551 async_operations=s async_private_delay1=1 async_private_error=-3 \
5552 key_file=data_files/server5.key crt_file=data_files/server5.crt \
5553 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]5554 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
5555 [ \$? -eq 1 ] &&
5556 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
5557 0 \
5558 -s "Async resume" \
5559 -s "! mbedtls_ssl_handshake returned" \
5560 -s "Async sign callback: no key matches this certificate." \
5561 -s "Successful connection"
5562
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5563requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5564requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5565run_test "SSL async private: renegotiation: client-initiated; sign" \
5566 "$P_SRV \
5567 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5568 exchanges=2 renegotiation=1" \
5569 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
5570 0 \
5571 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5572 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5573
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5574requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5575requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5576run_test "SSL async private: renegotiation: server-initiated; sign" \
5577 "$P_SRV \
5578 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5579 exchanges=2 renegotiation=1 renegotiate=1" \
5580 "$P_CLI exchanges=2 renegotiation=1" \
5581 0 \
5582 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5583 -s "Async resume (slot [0-9]): sign done, status=0"
5584
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5585requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5586requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
5587run_test "SSL async private: renegotiation: client-initiated; decrypt" \
5588 "$P_SRV \
5589 async_operations=d async_private_delay1=1 async_private_delay2=1 \
5590 exchanges=2 renegotiation=1" \
5591 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
5592 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5593 0 \
5594 -s "Async decrypt callback: using key slot " \
5595 -s "Async resume (slot [0-9]): decrypt done, status=0"
5596
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]5597requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]5598requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
5599run_test "SSL async private: renegotiation: server-initiated; decrypt" \
5600 "$P_SRV \
5601 async_operations=d async_private_delay1=1 async_private_delay2=1 \
5602 exchanges=2 renegotiation=1 renegotiate=1" \
5603 "$P_CLI exchanges=2 renegotiation=1 \
5604 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5605 0 \
5606 -s "Async decrypt callback: using key slot " \
5607 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]5608
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]5609# Tests for ECC extensions (rfc 4492)
5610
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]5611requires_config_enabled MBEDTLS_AES_C
5612requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
5613requires_config_enabled MBEDTLS_SHA256_C
5614requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]5615run_test "Force a non ECC ciphersuite in the client side" \
5616 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]5617 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]5618 0 \
5619 -C "client hello, adding supported_elliptic_curves extension" \
5620 -C "client hello, adding supported_point_formats extension" \
5621 -S "found supported elliptic curves extension" \
5622 -S "found supported point formats extension"
5623
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]5624requires_config_enabled MBEDTLS_AES_C
5625requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
5626requires_config_enabled MBEDTLS_SHA256_C
5627requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]5628run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]5629 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]5630 "$P_CLI debug_level=3" \
5631 0 \
5632 -C "found supported_point_formats extension" \
5633 -S "server hello, supported_point_formats extension"
5634
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]5635requires_config_enabled MBEDTLS_AES_C
5636requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
5637requires_config_enabled MBEDTLS_SHA256_C
5638requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]5639run_test "Force an ECC ciphersuite in the client side" \
5640 "$P_SRV debug_level=3" \
5641 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
5642 0 \
5643 -c "client hello, adding supported_elliptic_curves extension" \
5644 -c "client hello, adding supported_point_formats extension" \
5645 -s "found supported elliptic curves extension" \
5646 -s "found supported point formats extension"
5647
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]5648requires_config_enabled MBEDTLS_AES_C
5649requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
5650requires_config_enabled MBEDTLS_SHA256_C
5651requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]5652run_test "Force an ECC ciphersuite in the server side" \
5653 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
5654 "$P_CLI debug_level=3" \
5655 0 \
5656 -c "found supported_point_formats extension" \
5657 -s "server hello, supported_point_formats extension"
5658
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]5659# Tests for DTLS HelloVerifyRequest
5660
5661run_test "DTLS cookie: enabled" \
5662 "$P_SRV dtls=1 debug_level=2" \
5663 "$P_CLI dtls=1 debug_level=2" \
5664 0 \
5665 -s "cookie verification failed" \
5666 -s "cookie verification passed" \
5667 -S "cookie verification skipped" \
5668 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]5669 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]5670 -S "SSL - The requested feature is not available"
5671
5672run_test "DTLS cookie: disabled" \
5673 "$P_SRV dtls=1 debug_level=2 cookies=0" \
5674 "$P_CLI dtls=1 debug_level=2" \
5675 0 \
5676 -S "cookie verification failed" \
5677 -S "cookie verification passed" \
5678 -s "cookie verification skipped" \
5679 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]5680 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]5681 -S "SSL - The requested feature is not available"
5682
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]5683run_test "DTLS cookie: default (failing)" \
5684 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
5685 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
5686 1 \
5687 -s "cookie verification failed" \
5688 -S "cookie verification passed" \
5689 -S "cookie verification skipped" \
5690 -C "received hello verify request" \
5691 -S "hello verification requested" \
5692 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]5693
5694requires_ipv6
5695run_test "DTLS cookie: enabled, IPv6" \
5696 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
5697 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
5698 0 \
5699 -s "cookie verification failed" \
5700 -s "cookie verification passed" \
5701 -S "cookie verification skipped" \
5702 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]5703 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]5704 -S "SSL - The requested feature is not available"
5705
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]5706run_test "DTLS cookie: enabled, nbio" \
5707 "$P_SRV dtls=1 nbio=2 debug_level=2" \
5708 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5709 0 \
5710 -s "cookie verification failed" \
5711 -s "cookie verification passed" \
5712 -S "cookie verification skipped" \
5713 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]5714 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]5715 -S "SSL - The requested feature is not available"
5716
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5717# Tests for client reconnecting from the same port with DTLS
5718
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5719not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5720run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5721 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
5722 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5723 0 \
5724 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5725 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5726 -S "Client initiated reconnection from same port"
5727
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5728not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5729run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5730 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
5731 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5732 0 \
5733 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5734 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5735 -s "Client initiated reconnection from same port"
5736
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]5737not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
5738run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5739 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
5740 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5741 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5742 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5743 -s "Client initiated reconnection from same port"
5744
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]5745only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
5746run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
5747 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
5748 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
5749 0 \
5750 -S "The operation timed out" \
5751 -s "Client initiated reconnection from same port"
5752
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5753run_test "DTLS client reconnect from same port: no cookies" \
5754 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]5755 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
5756 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5757 -s "The operation timed out" \
5758 -S "Client initiated reconnection from same port"
5759
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]5760# Tests for various cases of client authentication with DTLS
5761# (focused on handshake flows and message parsing)
5762
5763run_test "DTLS client auth: required" \
5764 "$P_SRV dtls=1 auth_mode=required" \
5765 "$P_CLI dtls=1" \
5766 0 \
5767 -s "Verifying peer X.509 certificate... ok"
5768
5769run_test "DTLS client auth: optional, client has no cert" \
5770 "$P_SRV dtls=1 auth_mode=optional" \
5771 "$P_CLI dtls=1 crt_file=none key_file=none" \
5772 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5773 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]5774
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5775run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]5776 "$P_SRV dtls=1 auth_mode=none" \
5777 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
5778 0 \
5779 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5780 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]5781
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]5782run_test "DTLS wrong PSK: badmac alert" \
5783 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
5784 "$P_CLI dtls=1 psk=abc124" \
5785 1 \
5786 -s "SSL - Verification of the message MAC failed" \
5787 -c "SSL - A fatal alert message was received from our peer"
5788
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]5789# Tests for receiving fragmented handshake messages with DTLS
5790
5791requires_gnutls
5792run_test "DTLS reassembly: no fragmentation (gnutls server)" \
5793 "$G_SRV -u --mtu 2048 -a" \
5794 "$P_CLI dtls=1 debug_level=2" \
5795 0 \
5796 -C "found fragmented DTLS handshake message" \
5797 -C "error"
5798
5799requires_gnutls
5800run_test "DTLS reassembly: some fragmentation (gnutls server)" \
5801 "$G_SRV -u --mtu 512" \
5802 "$P_CLI dtls=1 debug_level=2" \
5803 0 \
5804 -c "found fragmented DTLS handshake message" \
5805 -C "error"
5806
5807requires_gnutls
5808run_test "DTLS reassembly: more fragmentation (gnutls server)" \
5809 "$G_SRV -u --mtu 128" \
5810 "$P_CLI dtls=1 debug_level=2" \
5811 0 \
5812 -c "found fragmented DTLS handshake message" \
5813 -C "error"
5814
5815requires_gnutls
5816run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
5817 "$G_SRV -u --mtu 128" \
5818 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5819 0 \
5820 -c "found fragmented DTLS handshake message" \
5821 -C "error"
5822
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5823requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5824requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5825run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
5826 "$G_SRV -u --mtu 256" \
5827 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
5828 0 \
5829 -c "found fragmented DTLS handshake message" \
5830 -c "client hello, adding renegotiation extension" \
5831 -c "found renegotiation extension" \
5832 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5833 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5834 -C "error" \
5835 -s "Extra-header:"
5836
5837requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5838requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5839run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
5840 "$G_SRV -u --mtu 256" \
5841 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
5842 0 \
5843 -c "found fragmented DTLS handshake message" \
5844 -c "client hello, adding renegotiation extension" \
5845 -c "found renegotiation extension" \
5846 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5847 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5848 -C "error" \
5849 -s "Extra-header:"
5850
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]5851run_test "DTLS reassembly: no fragmentation (openssl server)" \
5852 "$O_SRV -dtls1 -mtu 2048" \
5853 "$P_CLI dtls=1 debug_level=2" \
5854 0 \
5855 -C "found fragmented DTLS handshake message" \
5856 -C "error"
5857
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5858run_test "DTLS reassembly: some fragmentation (openssl server)" \
5859 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]5860 "$P_CLI dtls=1 debug_level=2" \
5861 0 \
5862 -c "found fragmented DTLS handshake message" \
5863 -C "error"
5864
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5865run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]5866 "$O_SRV -dtls1 -mtu 256" \
5867 "$P_CLI dtls=1 debug_level=2" \
5868 0 \
5869 -c "found fragmented DTLS handshake message" \
5870 -C "error"
5871
5872run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
5873 "$O_SRV -dtls1 -mtu 256" \
5874 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5875 0 \
5876 -c "found fragmented DTLS handshake message" \
5877 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]5878
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5879# Tests for sending fragmented handshake messages with DTLS
5880#
5881# Use client auth when we need the client to send large messages,
5882# and use large cert chains on both sides too (the long chains we have all use
5883# both RSA and ECDSA, but ideally we should have long chains with either).
5884# Sizes reached (UDP payload):
5885# - 2037B for server certificate
5886# - 1542B for client certificate
5887# - 1013B for newsessionticket
5888# - all others below 512B
5889# All those tests assume MAX_CONTENT_LEN is at least 2048
5890
5891requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5892requires_config_enabled MBEDTLS_RSA_C
5893requires_config_enabled MBEDTLS_ECDSA_C
5894requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
5895run_test "DTLS fragmenting: none (for reference)" \
5896 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
5897 crt_file=data_files/server7_int-ca.crt \
5898 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5899 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]5900 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5901 "$P_CLI dtls=1 debug_level=2 \
5902 crt_file=data_files/server8_int-ca2.crt \
5903 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5904 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]5905 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5906 0 \
5907 -S "found fragmented DTLS handshake message" \
5908 -C "found fragmented DTLS handshake message" \
5909 -C "error"
5910
5911requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5912requires_config_enabled MBEDTLS_RSA_C
5913requires_config_enabled MBEDTLS_ECDSA_C
5914requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]5915run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5916 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
5917 crt_file=data_files/server7_int-ca.crt \
5918 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5919 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5920 max_frag_len=1024" \
5921 "$P_CLI dtls=1 debug_level=2 \
5922 crt_file=data_files/server8_int-ca2.crt \
5923 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5924 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5925 max_frag_len=2048" \
5926 0 \
5927 -S "found fragmented DTLS handshake message" \
5928 -c "found fragmented DTLS handshake message" \
5929 -C "error"
5930
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]5931# With the MFL extension, the server has no way of forcing
5932# the client to not exceed a certain MTU; hence, the following
5933# test can't be replicated with an MTU proxy such as the one
5934# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5935requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5936requires_config_enabled MBEDTLS_RSA_C
5937requires_config_enabled MBEDTLS_ECDSA_C
5938requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]5939run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5940 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
5941 crt_file=data_files/server7_int-ca.crt \
5942 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5943 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5944 max_frag_len=512" \
5945 "$P_CLI dtls=1 debug_level=2 \
5946 crt_file=data_files/server8_int-ca2.crt \
5947 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5948 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]5949 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5950 0 \
5951 -S "found fragmented DTLS handshake message" \
5952 -c "found fragmented DTLS handshake message" \
5953 -C "error"
5954
5955requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5956requires_config_enabled MBEDTLS_RSA_C
5957requires_config_enabled MBEDTLS_ECDSA_C
5958requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]5959run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5960 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
5961 crt_file=data_files/server7_int-ca.crt \
5962 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5963 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5964 max_frag_len=2048" \
5965 "$P_CLI dtls=1 debug_level=2 \
5966 crt_file=data_files/server8_int-ca2.crt \
5967 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5968 hs_timeout=2500-60000 \
5969 max_frag_len=1024" \
5970 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]5971 -S "found fragmented DTLS handshake message" \
5972 -c "found fragmented DTLS handshake message" \
5973 -C "error"
5974
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]5975# While not required by the standard defining the MFL extension
5976# (according to which it only applies to records, not to datagrams),
5977# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
5978# as otherwise there wouldn't be any means to communicate MTU restrictions
5979# to the peer.
5980# The next test checks that no datagrams significantly larger than the
5981# negotiated MFL are sent.
5982requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5983requires_config_enabled MBEDTLS_RSA_C
5984requires_config_enabled MBEDTLS_ECDSA_C
5985requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
5986run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]5987 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]5988 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
5989 crt_file=data_files/server7_int-ca.crt \
5990 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5991 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]5992 max_frag_len=2048" \
5993 "$P_CLI dtls=1 debug_level=2 \
5994 crt_file=data_files/server8_int-ca2.crt \
5995 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]5996 hs_timeout=2500-60000 \
5997 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]5998 0 \
5999 -S "found fragmented DTLS handshake message" \
6000 -c "found fragmented DTLS handshake message" \
6001 -C "error"
6002
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]6003requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6004requires_config_enabled MBEDTLS_RSA_C
6005requires_config_enabled MBEDTLS_ECDSA_C
6006requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6007run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]6008 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6009 crt_file=data_files/server7_int-ca.crt \
6010 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6011 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]6012 max_frag_len=2048" \
6013 "$P_CLI dtls=1 debug_level=2 \
6014 crt_file=data_files/server8_int-ca2.crt \
6015 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6016 hs_timeout=2500-60000 \
6017 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]6018 0 \
6019 -s "found fragmented DTLS handshake message" \
6020 -c "found fragmented DTLS handshake message" \
6021 -C "error"
6022
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]6023# While not required by the standard defining the MFL extension
6024# (according to which it only applies to records, not to datagrams),
6025# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
6026# as otherwise there wouldn't be any means to communicate MTU restrictions
6027# to the peer.
6028# The next test checks that no datagrams significantly larger than the
6029# negotiated MFL are sent.
6030requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6031requires_config_enabled MBEDTLS_RSA_C
6032requires_config_enabled MBEDTLS_ECDSA_C
6033requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
6034run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]6035 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]6036 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6037 crt_file=data_files/server7_int-ca.crt \
6038 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6039 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]6040 max_frag_len=2048" \
6041 "$P_CLI dtls=1 debug_level=2 \
6042 crt_file=data_files/server8_int-ca2.crt \
6043 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6044 hs_timeout=2500-60000 \
6045 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]6046 0 \
6047 -s "found fragmented DTLS handshake message" \
6048 -c "found fragmented DTLS handshake message" \
6049 -C "error"
6050
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6051requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6052requires_config_enabled MBEDTLS_RSA_C
6053requires_config_enabled MBEDTLS_ECDSA_C
6054run_test "DTLS fragmenting: none (for reference) (MTU)" \
6055 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6056 crt_file=data_files/server7_int-ca.crt \
6057 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6058 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]6059 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6060 "$P_CLI dtls=1 debug_level=2 \
6061 crt_file=data_files/server8_int-ca2.crt \
6062 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6063 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]6064 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6065 0 \
6066 -S "found fragmented DTLS handshake message" \
6067 -C "found fragmented DTLS handshake message" \
6068 -C "error"
6069
6070requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6071requires_config_enabled MBEDTLS_RSA_C
6072requires_config_enabled MBEDTLS_ECDSA_C
6073run_test "DTLS fragmenting: client (MTU)" \
6074 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6075 crt_file=data_files/server7_int-ca.crt \
6076 key_file=data_files/server7.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]6077 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]6078 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6079 "$P_CLI dtls=1 debug_level=2 \
6080 crt_file=data_files/server8_int-ca2.crt \
6081 key_file=data_files/server8.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]6082 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6083 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6084 0 \
6085 -s "found fragmented DTLS handshake message" \
6086 -C "found fragmented DTLS handshake message" \
6087 -C "error"
6088
6089requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6090requires_config_enabled MBEDTLS_RSA_C
6091requires_config_enabled MBEDTLS_ECDSA_C
6092run_test "DTLS fragmenting: server (MTU)" \
6093 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6094 crt_file=data_files/server7_int-ca.crt \
6095 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6096 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6097 mtu=512" \
6098 "$P_CLI dtls=1 debug_level=2 \
6099 crt_file=data_files/server8_int-ca2.crt \
6100 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6101 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6102 mtu=2048" \
6103 0 \
6104 -S "found fragmented DTLS handshake message" \
6105 -c "found fragmented DTLS handshake message" \
6106 -C "error"
6107
6108requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6109requires_config_enabled MBEDTLS_RSA_C
6110requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6111run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6112 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6113 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6114 crt_file=data_files/server7_int-ca.crt \
6115 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6116 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]6117 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6118 "$P_CLI dtls=1 debug_level=2 \
6119 crt_file=data_files/server8_int-ca2.crt \
6120 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6121 hs_timeout=2500-60000 \
6122 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]6123 0 \
6124 -s "found fragmented DTLS handshake message" \
6125 -c "found fragmented DTLS handshake message" \
6126 -C "error"
6127
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]6128# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6129requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6130requires_config_enabled MBEDTLS_RSA_C
6131requires_config_enabled MBEDTLS_ECDSA_C
6132requires_config_enabled MBEDTLS_SHA256_C
6133requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6134requires_config_enabled MBEDTLS_AES_C
6135requires_config_enabled MBEDTLS_GCM_C
6136run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]6137 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]6138 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6139 crt_file=data_files/server7_int-ca.crt \
6140 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6141 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]6142 mtu=512" \
6143 "$P_CLI dtls=1 debug_level=2 \
6144 crt_file=data_files/server8_int-ca2.crt \
6145 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6146 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6147 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6148 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]6149 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6150 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6151 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6152 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]6153
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6154# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]6155# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6156# The ratio of max/min timeout should ideally equal 4 to accept two
6157# retransmissions, but in some cases (like both the server and client using
6158# fragmentation and auto-reduction) an extra retransmission might occur,
6159# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]6160not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]6161requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6162requires_config_enabled MBEDTLS_RSA_C
6163requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6164requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6165requires_config_enabled MBEDTLS_AES_C
6166requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]6167run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
6168 -p "$P_PXY mtu=508" \
6169 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6170 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6171 key_file=data_files/server7.key \
6172 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]6173 "$P_CLI dtls=1 debug_level=2 \
6174 crt_file=data_files/server8_int-ca2.crt \
6175 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6176 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6177 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]6178 0 \
6179 -s "found fragmented DTLS handshake message" \
6180 -c "found fragmented DTLS handshake message" \
6181 -C "error"
6182
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]6183# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]6184only_with_valgrind
6185requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6186requires_config_enabled MBEDTLS_RSA_C
6187requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6188requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6189requires_config_enabled MBEDTLS_AES_C
6190requires_config_enabled MBEDTLS_GCM_C
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]6191run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
6192 -p "$P_PXY mtu=508" \
6193 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6194 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6195 key_file=data_files/server7.key \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]6196 hs_timeout=250-10000" \
6197 "$P_CLI dtls=1 debug_level=2 \
6198 crt_file=data_files/server8_int-ca2.crt \
6199 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6200 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]6201 hs_timeout=250-10000" \
6202 0 \
6203 -s "found fragmented DTLS handshake message" \
6204 -c "found fragmented DTLS handshake message" \
6205 -C "error"
6206
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6207# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]6208# OTOH the client might resend if the server is to slow to reset after sending
6209# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6210not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6211requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6212requires_config_enabled MBEDTLS_RSA_C
6213requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6214run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6215 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6216 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6217 crt_file=data_files/server7_int-ca.crt \
6218 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6219 hs_timeout=10000-60000 \
6220 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6221 "$P_CLI dtls=1 debug_level=2 \
6222 crt_file=data_files/server8_int-ca2.crt \
6223 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6224 hs_timeout=10000-60000 \
6225 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6226 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6227 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6228 -s "found fragmented DTLS handshake message" \
6229 -c "found fragmented DTLS handshake message" \
6230 -C "error"
6231
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]6232# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6233# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
6234# OTOH the client might resend if the server is to slow to reset after sending
6235# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6236not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]6237requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6238requires_config_enabled MBEDTLS_RSA_C
6239requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6240requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6241requires_config_enabled MBEDTLS_AES_C
6242requires_config_enabled MBEDTLS_GCM_C
6243run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]6244 -p "$P_PXY mtu=512" \
6245 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6246 crt_file=data_files/server7_int-ca.crt \
6247 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6248 hs_timeout=10000-60000 \
6249 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]6250 "$P_CLI dtls=1 debug_level=2 \
6251 crt_file=data_files/server8_int-ca2.crt \
6252 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6253 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6254 hs_timeout=10000-60000 \
6255 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]6256 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6257 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]6258 -s "found fragmented DTLS handshake message" \
6259 -c "found fragmented DTLS handshake message" \
6260 -C "error"
6261
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6262not_with_valgrind # spurious autoreduction due to timeout
6263requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6264requires_config_enabled MBEDTLS_RSA_C
6265requires_config_enabled MBEDTLS_ECDSA_C
6266run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6267 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6268 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6269 crt_file=data_files/server7_int-ca.crt \
6270 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6271 hs_timeout=10000-60000 \
6272 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6273 "$P_CLI dtls=1 debug_level=2 \
6274 crt_file=data_files/server8_int-ca2.crt \
6275 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6276 hs_timeout=10000-60000 \
6277 mtu=1024 nbio=2" \
6278 0 \
6279 -S "autoreduction" \
6280 -s "found fragmented DTLS handshake message" \
6281 -c "found fragmented DTLS handshake message" \
6282 -C "error"
6283
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]6284# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6285not_with_valgrind # spurious autoreduction due to timeout
6286requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6287requires_config_enabled MBEDTLS_RSA_C
6288requires_config_enabled MBEDTLS_ECDSA_C
6289requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6290requires_config_enabled MBEDTLS_AES_C
6291requires_config_enabled MBEDTLS_GCM_C
6292run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
6293 -p "$P_PXY mtu=512" \
6294 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6295 crt_file=data_files/server7_int-ca.crt \
6296 key_file=data_files/server7.key \
6297 hs_timeout=10000-60000 \
6298 mtu=512 nbio=2" \
6299 "$P_CLI dtls=1 debug_level=2 \
6300 crt_file=data_files/server8_int-ca2.crt \
6301 key_file=data_files/server8.key \
6302 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6303 hs_timeout=10000-60000 \
6304 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6305 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6306 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6307 -s "found fragmented DTLS handshake message" \
6308 -c "found fragmented DTLS handshake message" \
6309 -C "error"
6310
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]6311# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]6312# This ensures things still work after session_reset().
6313# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]6314# Since we don't support reading fragmented ClientHello yet,
6315# up the MTU to 1450 (larger than ClientHello with session ticket,
6316# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6317# An autoreduction on the client-side might happen if the server is
6318# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]6319# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6320# resumed listening, which would result in a spurious autoreduction.
6321not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]6322requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6323requires_config_enabled MBEDTLS_RSA_C
6324requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6325requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6326requires_config_enabled MBEDTLS_AES_C
6327requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]6328run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
6329 -p "$P_PXY mtu=1450" \
6330 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6331 crt_file=data_files/server7_int-ca.crt \
6332 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6333 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]6334 mtu=1450" \
6335 "$P_CLI dtls=1 debug_level=2 \
6336 crt_file=data_files/server8_int-ca2.crt \
6337 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6338 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6339 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]6340 mtu=1450 reconnect=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]6341 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6342 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]6343 -s "found fragmented DTLS handshake message" \
6344 -c "found fragmented DTLS handshake message" \
6345 -C "error"
6346
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6347# An autoreduction on the client-side might happen if the server is
6348# slow to reset, therefore omitting '-C "autoreduction"' below.
6349not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6350requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6351requires_config_enabled MBEDTLS_RSA_C
6352requires_config_enabled MBEDTLS_ECDSA_C
6353requires_config_enabled MBEDTLS_SHA256_C
6354requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6355requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6356requires_config_enabled MBEDTLS_CHACHAPOLY_C
6357run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
6358 -p "$P_PXY mtu=512" \
6359 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6360 crt_file=data_files/server7_int-ca.crt \
6361 key_file=data_files/server7.key \
6362 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6363 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6364 mtu=512" \
6365 "$P_CLI dtls=1 debug_level=2 \
6366 crt_file=data_files/server8_int-ca2.crt \
6367 key_file=data_files/server8.key \
6368 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6369 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6370 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6371 mtu=512" \
6372 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6373 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6374 -s "found fragmented DTLS handshake message" \
6375 -c "found fragmented DTLS handshake message" \
6376 -C "error"
6377
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6378# An autoreduction on the client-side might happen if the server is
6379# slow to reset, therefore omitting '-C "autoreduction"' below.
6380not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6381requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6382requires_config_enabled MBEDTLS_RSA_C
6383requires_config_enabled MBEDTLS_ECDSA_C
6384requires_config_enabled MBEDTLS_SHA256_C
6385requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6386requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6387requires_config_enabled MBEDTLS_AES_C
6388requires_config_enabled MBEDTLS_GCM_C
6389run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
6390 -p "$P_PXY mtu=512" \
6391 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6392 crt_file=data_files/server7_int-ca.crt \
6393 key_file=data_files/server7.key \
6394 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6395 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6396 mtu=512" \
6397 "$P_CLI dtls=1 debug_level=2 \
6398 crt_file=data_files/server8_int-ca2.crt \
6399 key_file=data_files/server8.key \
6400 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6401 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6402 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6403 mtu=512" \
6404 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6405 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6406 -s "found fragmented DTLS handshake message" \
6407 -c "found fragmented DTLS handshake message" \
6408 -C "error"
6409
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6410# An autoreduction on the client-side might happen if the server is
6411# slow to reset, therefore omitting '-C "autoreduction"' below.
6412not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6413requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6414requires_config_enabled MBEDTLS_RSA_C
6415requires_config_enabled MBEDTLS_ECDSA_C
6416requires_config_enabled MBEDTLS_SHA256_C
6417requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6418requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6419requires_config_enabled MBEDTLS_AES_C
6420requires_config_enabled MBEDTLS_CCM_C
6421run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6422 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6423 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6424 crt_file=data_files/server7_int-ca.crt \
6425 key_file=data_files/server7.key \
6426 exchanges=2 renegotiation=1 \
6427 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6428 hs_timeout=10000-60000 \
6429 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6430 "$P_CLI dtls=1 debug_level=2 \
6431 crt_file=data_files/server8_int-ca2.crt \
6432 key_file=data_files/server8.key \
6433 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6434 hs_timeout=10000-60000 \
6435 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6436 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6437 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6438 -s "found fragmented DTLS handshake message" \
6439 -c "found fragmented DTLS handshake message" \
6440 -C "error"
6441
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6442# An autoreduction on the client-side might happen if the server is
6443# slow to reset, therefore omitting '-C "autoreduction"' below.
6444not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6445requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6446requires_config_enabled MBEDTLS_RSA_C
6447requires_config_enabled MBEDTLS_ECDSA_C
6448requires_config_enabled MBEDTLS_SHA256_C
6449requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6450requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6451requires_config_enabled MBEDTLS_AES_C
6452requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6453requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
6454run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6455 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6456 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6457 crt_file=data_files/server7_int-ca.crt \
6458 key_file=data_files/server7.key \
6459 exchanges=2 renegotiation=1 \
6460 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6461 hs_timeout=10000-60000 \
6462 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6463 "$P_CLI dtls=1 debug_level=2 \
6464 crt_file=data_files/server8_int-ca2.crt \
6465 key_file=data_files/server8.key \
6466 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6467 hs_timeout=10000-60000 \
6468 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6469 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6470 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6471 -s "found fragmented DTLS handshake message" \
6472 -c "found fragmented DTLS handshake message" \
6473 -C "error"
6474
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6475# An autoreduction on the client-side might happen if the server is
6476# slow to reset, therefore omitting '-C "autoreduction"' below.
6477not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6478requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6479requires_config_enabled MBEDTLS_RSA_C
6480requires_config_enabled MBEDTLS_ECDSA_C
6481requires_config_enabled MBEDTLS_SHA256_C
6482requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6483requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6484requires_config_enabled MBEDTLS_AES_C
6485requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6486run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6487 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6488 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6489 crt_file=data_files/server7_int-ca.crt \
6490 key_file=data_files/server7.key \
6491 exchanges=2 renegotiation=1 \
6492 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6493 hs_timeout=10000-60000 \
6494 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6495 "$P_CLI dtls=1 debug_level=2 \
6496 crt_file=data_files/server8_int-ca2.crt \
6497 key_file=data_files/server8.key \
6498 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]6499 hs_timeout=10000-60000 \
6500 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6501 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]6502 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]6503 -s "found fragmented DTLS handshake message" \
6504 -c "found fragmented DTLS handshake message" \
6505 -C "error"
6506
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]6507# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]6508requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6509requires_config_enabled MBEDTLS_RSA_C
6510requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6511requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6512requires_config_enabled MBEDTLS_AES_C
6513requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]6514client_needs_more_time 2
6515run_test "DTLS fragmenting: proxy MTU + 3d" \
6516 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6517 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]6518 crt_file=data_files/server7_int-ca.crt \
6519 key_file=data_files/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6520 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6521 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]6522 crt_file=data_files/server8_int-ca2.crt \
6523 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6524 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6525 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]6526 0 \
6527 -s "found fragmented DTLS handshake message" \
6528 -c "found fragmented DTLS handshake message" \
6529 -C "error"
6530
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]6531# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]6532requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6533requires_config_enabled MBEDTLS_RSA_C
6534requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6535requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
6536requires_config_enabled MBEDTLS_AES_C
6537requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]6538client_needs_more_time 2
6539run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
6540 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
6541 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
6542 crt_file=data_files/server7_int-ca.crt \
6543 key_file=data_files/server7.key \
6544 hs_timeout=250-10000 mtu=512 nbio=2" \
6545 "$P_CLI dtls=1 debug_level=2 \
6546 crt_file=data_files/server8_int-ca2.crt \
6547 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]6548 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]6549 hs_timeout=250-10000 mtu=512 nbio=2" \
6550 0 \
6551 -s "found fragmented DTLS handshake message" \
6552 -c "found fragmented DTLS handshake message" \
6553 -C "error"
6554
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6555# interop tests for DTLS fragmentating with reliable connection
6556#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6557# here and below we just want to test that the we fragment in a way that
6558# pleases other implementations, so we don't need the peer to fragment
6559requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6560requires_config_enabled MBEDTLS_RSA_C
6561requires_config_enabled MBEDTLS_ECDSA_C
6562requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]6563requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6564run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
6565 "$G_SRV -u" \
6566 "$P_CLI dtls=1 debug_level=2 \
6567 crt_file=data_files/server8_int-ca2.crt \
6568 key_file=data_files/server8.key \
6569 mtu=512 force_version=dtls1_2" \
6570 0 \
6571 -c "fragmenting handshake message" \
6572 -C "error"
6573
6574requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6575requires_config_enabled MBEDTLS_RSA_C
6576requires_config_enabled MBEDTLS_ECDSA_C
6577requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]6578requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6579run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
6580 "$G_SRV -u" \
6581 "$P_CLI dtls=1 debug_level=2 \
6582 crt_file=data_files/server8_int-ca2.crt \
6583 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6584 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6585 0 \
6586 -c "fragmenting handshake message" \
6587 -C "error"
6588
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]6589# We use --insecure for the GnuTLS client because it expects
6590# the hostname / IP it connects to to be the name used in the
6591# certificate obtained from the server. Here, however, it
6592# connects to 127.0.0.1 while our test certificates use 'localhost'
6593# as the server name in the certificate. This will make the
6594# certifiate validation fail, but passing --insecure makes
6595# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6596requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6597requires_config_enabled MBEDTLS_RSA_C
6598requires_config_enabled MBEDTLS_ECDSA_C
6599requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]6600requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]6601requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6602run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]6603 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6604 crt_file=data_files/server7_int-ca.crt \
6605 key_file=data_files/server7.key \
6606 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]6607 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6608 0 \
6609 -s "fragmenting handshake message"
6610
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]6611# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6612requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6613requires_config_enabled MBEDTLS_RSA_C
6614requires_config_enabled MBEDTLS_ECDSA_C
6615requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]6616requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]6617requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6618run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]6619 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6620 crt_file=data_files/server7_int-ca.crt \
6621 key_file=data_files/server7.key \
6622 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]6623 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]6624 0 \
6625 -s "fragmenting handshake message"
6626
6627requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6628requires_config_enabled MBEDTLS_RSA_C
6629requires_config_enabled MBEDTLS_ECDSA_C
6630requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
6631run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
6632 "$O_SRV -dtls1_2 -verify 10" \
6633 "$P_CLI dtls=1 debug_level=2 \
6634 crt_file=data_files/server8_int-ca2.crt \
6635 key_file=data_files/server8.key \
6636 mtu=512 force_version=dtls1_2" \
6637 0 \
6638 -c "fragmenting handshake message" \
6639 -C "error"
6640
6641requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6642requires_config_enabled MBEDTLS_RSA_C
6643requires_config_enabled MBEDTLS_ECDSA_C
6644requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6645run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
6646 "$O_SRV -dtls1 -verify 10" \
6647 "$P_CLI dtls=1 debug_level=2 \
6648 crt_file=data_files/server8_int-ca2.crt \
6649 key_file=data_files/server8.key \
6650 mtu=512 force_version=dtls1" \
6651 0 \
6652 -c "fragmenting handshake message" \
6653 -C "error"
6654
6655requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6656requires_config_enabled MBEDTLS_RSA_C
6657requires_config_enabled MBEDTLS_ECDSA_C
6658requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
6659run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
6660 "$P_SRV dtls=1 debug_level=2 \
6661 crt_file=data_files/server7_int-ca.crt \
6662 key_file=data_files/server7.key \
6663 mtu=512 force_version=dtls1_2" \
6664 "$O_CLI -dtls1_2" \
6665 0 \
6666 -s "fragmenting handshake message"
6667
6668requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6669requires_config_enabled MBEDTLS_RSA_C
6670requires_config_enabled MBEDTLS_ECDSA_C
6671requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6672run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
6673 "$P_SRV dtls=1 debug_level=2 \
6674 crt_file=data_files/server7_int-ca.crt \
6675 key_file=data_files/server7.key \
6676 mtu=512 force_version=dtls1" \
6677 "$O_CLI -dtls1" \
6678 0 \
6679 -s "fragmenting handshake message"
6680
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6681# interop tests for DTLS fragmentating with unreliable connection
6682#
6683# again we just want to test that the we fragment in a way that
6684# pleases other implementations, so we don't need the peer to fragment
6685requires_gnutls_next
6686requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6687requires_config_enabled MBEDTLS_RSA_C
6688requires_config_enabled MBEDTLS_ECDSA_C
6689requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6690client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6691run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
6692 -p "$P_PXY drop=8 delay=8 duplicate=8" \
6693 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6694 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6695 crt_file=data_files/server8_int-ca2.crt \
6696 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6697 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6698 0 \
6699 -c "fragmenting handshake message" \
6700 -C "error"
6701
6702requires_gnutls_next
6703requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6704requires_config_enabled MBEDTLS_RSA_C
6705requires_config_enabled MBEDTLS_ECDSA_C
6706requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6707client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6708run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
6709 -p "$P_PXY drop=8 delay=8 duplicate=8" \
6710 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6711 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6712 crt_file=data_files/server8_int-ca2.crt \
6713 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6714 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6715 0 \
6716 -c "fragmenting handshake message" \
6717 -C "error"
6718
6719## The two tests below are disabled due to a bug in GnuTLS client that causes
6720## handshake failures when the NewSessionTicket message is lost, see
6721## https://gitlab.com/gnutls/gnutls/issues/543
6722## We can re-enable them when a fixed version fo GnuTLS is available
6723## and installed in our CI system.
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]6724skip_next_test
6725requires_gnutls
6726requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6727requires_config_enabled MBEDTLS_RSA_C
6728requires_config_enabled MBEDTLS_ECDSA_C
6729requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
6730client_needs_more_time 4
6731run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
6732 -p "$P_PXY drop=8 delay=8 duplicate=8" \
6733 "$P_SRV dtls=1 debug_level=2 \
6734 crt_file=data_files/server7_int-ca.crt \
6735 key_file=data_files/server7.key \
6736 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
6737 "$G_CLI -u --insecure 127.0.0.1" \
6738 0 \
6739 -s "fragmenting handshake message"
6740
6741skip_next_test
6742requires_gnutls
6743requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6744requires_config_enabled MBEDTLS_RSA_C
6745requires_config_enabled MBEDTLS_ECDSA_C
6746requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6747client_needs_more_time 4
6748run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
6749 -p "$P_PXY drop=8 delay=8 duplicate=8" \
6750 "$P_SRV dtls=1 debug_level=2 \
6751 crt_file=data_files/server7_int-ca.crt \
6752 key_file=data_files/server7.key \
6753 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
6754 "$G_CLI -u --insecure 127.0.0.1" \
6755 0 \
6756 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6757
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]6758## Interop test with OpenSSL might trigger a bug in recent versions (including
6759## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6760## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]6761## They should be re-enabled once a fixed version of OpenSSL is available
6762## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]6763skip_next_test
6764requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6765requires_config_enabled MBEDTLS_RSA_C
6766requires_config_enabled MBEDTLS_ECDSA_C
6767requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
6768client_needs_more_time 4
6769run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
6770 -p "$P_PXY drop=8 delay=8 duplicate=8" \
6771 "$O_SRV -dtls1_2 -verify 10" \
6772 "$P_CLI dtls=1 debug_level=2 \
6773 crt_file=data_files/server8_int-ca2.crt \
6774 key_file=data_files/server8.key \
6775 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
6776 0 \
6777 -c "fragmenting handshake message" \
6778 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6779
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]6780skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6781requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6782requires_config_enabled MBEDTLS_RSA_C
6783requires_config_enabled MBEDTLS_ECDSA_C
6784requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6785client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6786run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
6787 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]6788 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6789 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6790 crt_file=data_files/server8_int-ca2.crt \
6791 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6792 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6793 0 \
6794 -c "fragmenting handshake message" \
6795 -C "error"
6796
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]6797skip_next_test
6798requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6799requires_config_enabled MBEDTLS_RSA_C
6800requires_config_enabled MBEDTLS_ECDSA_C
6801requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
6802client_needs_more_time 4
6803run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
6804 -p "$P_PXY drop=8 delay=8 duplicate=8" \
6805 "$P_SRV dtls=1 debug_level=2 \
6806 crt_file=data_files/server7_int-ca.crt \
6807 key_file=data_files/server7.key \
6808 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
6809 "$O_CLI -dtls1_2" \
6810 0 \
6811 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6812
6813# -nbio is added to prevent s_client from blocking in case of duplicated
6814# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]6815skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6816requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6817requires_config_enabled MBEDTLS_RSA_C
6818requires_config_enabled MBEDTLS_ECDSA_C
6819requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6820client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6821run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
6822 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6823 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6824 crt_file=data_files/server7_int-ca.crt \
6825 key_file=data_files/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]6826 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]6827 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]6828 0 \
6829 -s "fragmenting handshake message"
6830
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]6831# Tests for specific things with "unreliable" UDP connection
6832
6833not_with_valgrind # spurious resend due to timeout
6834run_test "DTLS proxy: reference" \
6835 -p "$P_PXY" \
6836 "$P_SRV dtls=1 debug_level=2" \
6837 "$P_CLI dtls=1 debug_level=2" \
6838 0 \
6839 -C "replayed record" \
6840 -S "replayed record" \
6841 -C "record from another epoch" \
6842 -S "record from another epoch" \
6843 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]6844 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]6845 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]6846 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]6847 -c "HTTP/1.0 200 OK"
6848
6849not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]6850run_test "DTLS proxy: duplicate every packet" \
6851 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6852 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
6853 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]6854 0 \
6855 -c "replayed record" \
6856 -s "replayed record" \
6857 -c "record from another epoch" \
6858 -s "record from another epoch" \
6859 -S "resend" \
6860 -s "Extra-header:" \
6861 -c "HTTP/1.0 200 OK"
6862
6863run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
6864 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6865 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
6866 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]6867 0 \
6868 -c "replayed record" \
6869 -S "replayed record" \
6870 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6871 -s "record from another epoch" \
6872 -c "resend" \
6873 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6874 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6875 -c "HTTP/1.0 200 OK"
6876
6877run_test "DTLS proxy: multiple records in same datagram" \
6878 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6879 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
6880 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]6881 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6882 -c "next record in same datagram" \
6883 -s "next record in same datagram"
6884
6885run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
6886 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6887 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
6888 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6889 0 \
6890 -c "next record in same datagram" \
6891 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6892
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]6893run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
6894 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6895 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
6896 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]6897 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]6898 -c "discarding invalid record (mac)" \
6899 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6900 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6901 -c "HTTP/1.0 200 OK" \
6902 -S "too many records with bad MAC" \
6903 -S "Verification of the message MAC failed"
6904
6905run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
6906 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6907 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
6908 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6909 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]6910 -C "discarding invalid record (mac)" \
6911 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6912 -S "Extra-header:" \
6913 -C "HTTP/1.0 200 OK" \
6914 -s "too many records with bad MAC" \
6915 -s "Verification of the message MAC failed"
6916
6917run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
6918 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6919 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
6920 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6921 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]6922 -c "discarding invalid record (mac)" \
6923 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6924 -s "Extra-header:" \
6925 -c "HTTP/1.0 200 OK" \
6926 -S "too many records with bad MAC" \
6927 -S "Verification of the message MAC failed"
6928
6929run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
6930 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]6931 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
6932 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6933 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]6934 -c "discarding invalid record (mac)" \
6935 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]6936 -s "Extra-header:" \
6937 -c "HTTP/1.0 200 OK" \
6938 -s "too many records with bad MAC" \
6939 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6940
6941run_test "DTLS proxy: delay ChangeCipherSpec" \
6942 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]6943 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
6944 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6945 0 \
6946 -c "record from another epoch" \
6947 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]6948 -s "Extra-header:" \
6949 -c "HTTP/1.0 200 OK"
6950
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]6951# Tests for reordering support with DTLS
6952
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]6953run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
6954 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]6955 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
6956 hs_timeout=2500-60000" \
6957 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
6958 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]6959 0 \
6960 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]6961 -c "Next handshake message has been buffered - load"\
6962 -S "Buffering HS message" \
6963 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]6964 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]6965 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]6966 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]6967 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]6968
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]6969run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
6970 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]6971 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
6972 hs_timeout=2500-60000" \
6973 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
6974 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]6975 0 \
6976 -c "Buffering HS message" \
6977 -c "found fragmented DTLS handshake message"\
6978 -c "Next handshake message 1 not or only partially bufffered" \
6979 -c "Next handshake message has been buffered - load"\
6980 -S "Buffering HS message" \
6981 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]6982 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]6983 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]6984 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]6985 -S "Remember CCS message"
6986
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]6987# The client buffers the ServerKeyExchange before receiving the fragmented
6988# Certificate message; at the time of writing, together these are aroudn 1200b
6989# in size, so that the bound below ensures that the certificate can be reassembled
6990# while keeping the ServerKeyExchange.
6991requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
6992run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]6993 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]6994 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
6995 hs_timeout=2500-60000" \
6996 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
6997 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]6998 0 \
6999 -c "Buffering HS message" \
7000 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]7001 -C "attempt to make space by freeing buffered messages" \
7002 -S "Buffering HS message" \
7003 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7004 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]7005 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7006 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]7007 -S "Remember CCS message"
7008
7009# The size constraints ensure that the delayed certificate message can't
7010# be reassembled while keeping the ServerKeyExchange message, but it can
7011# when dropping it first.
7012requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
7013requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
7014run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
7015 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7016 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
7017 hs_timeout=2500-60000" \
7018 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
7019 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]7020 0 \
7021 -c "Buffering HS message" \
7022 -c "attempt to make space by freeing buffered future messages" \
7023 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]7024 -S "Buffering HS message" \
7025 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7026 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]7027 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7028 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]7029 -S "Remember CCS message"
7030
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7031run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
7032 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7033 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
7034 hs_timeout=2500-60000" \
7035 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
7036 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7037 0 \
7038 -C "Buffering HS message" \
7039 -C "Next handshake message has been buffered - load"\
7040 -s "Buffering HS message" \
7041 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7042 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7043 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7044 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7045 -S "Remember CCS message"
7046
7047run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
7048 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7049 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
7050 hs_timeout=2500-60000" \
7051 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
7052 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7053 0 \
7054 -C "Buffering HS message" \
7055 -C "Next handshake message has been buffered - load"\
7056 -S "Buffering HS message" \
7057 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7058 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7059 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7060 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7061 -S "Remember CCS message"
7062
7063run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
7064 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7065 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
7066 hs_timeout=2500-60000" \
7067 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
7068 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7069 0 \
7070 -C "Buffering HS message" \
7071 -C "Next handshake message has been buffered - load"\
7072 -S "Buffering HS message" \
7073 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7074 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7075 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]7076 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7077 -s "Remember CCS message"
7078
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]7079run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7080 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7081 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
7082 hs_timeout=2500-60000" \
7083 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
7084 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]7085 0 \
7086 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]7087 -s "Found buffered record from current epoch - load" \
7088 -c "Buffer record from epoch 1" \
7089 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7090
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]7091# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
7092# from the server are delayed, so that the encrypted Finished message
7093# is received and buffered. When the fragmented NewSessionTicket comes
7094# in afterwards, the encrypted Finished message must be freed in order
7095# to make space for the NewSessionTicket to be reassembled.
7096# This works only in very particular circumstances:
7097# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
7098# of the NewSessionTicket, but small enough to also allow buffering of
7099# the encrypted Finished message.
7100# - The MTU setting on the server must be so small that the NewSessionTicket
7101# needs to be fragmented.
7102# - All messages sent by the server must be small enough to be either sent
7103# without fragmentation or be reassembled within the bounds of
7104# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
7105# handshake, omitting CRTs.
7106requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 240
7107requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 280
7108run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
7109 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
7110 "$P_SRV mtu=190 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
7111 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
7112 0 \
7113 -s "Buffer record from epoch 1" \
7114 -s "Found buffered record from current epoch - load" \
7115 -c "Buffer record from epoch 1" \
7116 -C "Found buffered record from current epoch - load" \
7117 -c "Enough space available after freeing future epoch record"
7118
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]7119# Tests for "randomly unreliable connection": try a variety of flows and peers
7120
7121client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7122run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
7123 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7124 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7125 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7126 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7127 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
7128 0 \
7129 -s "Extra-header:" \
7130 -c "HTTP/1.0 200 OK"
7131
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7132client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7133run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
7134 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7135 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
7136 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7137 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7138 0 \
7139 -s "Extra-header:" \
7140 -c "HTTP/1.0 200 OK"
7141
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7142client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7143run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
7144 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7145 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
7146 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7147 0 \
7148 -s "Extra-header:" \
7149 -c "HTTP/1.0 200 OK"
7150
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7151client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7152run_test "DTLS proxy: 3d, FS, client auth" \
7153 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7154 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
7155 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7156 0 \
7157 -s "Extra-header:" \
7158 -c "HTTP/1.0 200 OK"
7159
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7160client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7161run_test "DTLS proxy: 3d, FS, ticket" \
7162 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7163 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
7164 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7165 0 \
7166 -s "Extra-header:" \
7167 -c "HTTP/1.0 200 OK"
7168
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7169client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]7170run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
7171 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7172 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
7173 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7174 0 \
7175 -s "Extra-header:" \
7176 -c "HTTP/1.0 200 OK"
7177
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7178client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7179run_test "DTLS proxy: 3d, max handshake, nbio" \
7180 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7181 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]7182 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7183 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7184 0 \
7185 -s "Extra-header:" \
7186 -c "HTTP/1.0 200 OK"
7187
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7188client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]7189run_test "DTLS proxy: 3d, min handshake, resumption" \
7190 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7191 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]7192 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7193 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]7194 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
7195 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
7196 0 \
7197 -s "a session has been resumed" \
7198 -c "a session has been resumed" \
7199 -s "Extra-header:" \
7200 -c "HTTP/1.0 200 OK"
7201
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7202client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]7203run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
7204 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7205 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]7206 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7207 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]7208 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
7209 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
7210 0 \
7211 -s "a session has been resumed" \
7212 -c "a session has been resumed" \
7213 -s "Extra-header:" \
7214 -c "HTTP/1.0 200 OK"
7215
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7216client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7217requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7218run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]7219 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7220 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]7221 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7222 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]7223 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]7224 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
7225 0 \
7226 -c "=> renegotiate" \
7227 -s "=> renegotiate" \
7228 -s "Extra-header:" \
7229 -c "HTTP/1.0 200 OK"
7230
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7231client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7232requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7233run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
7234 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7235 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]7236 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7237 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]7238 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7239 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
7240 0 \
7241 -c "=> renegotiate" \
7242 -s "=> renegotiate" \
7243 -s "Extra-header:" \
7244 -c "HTTP/1.0 200 OK"
7245
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7246client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7247requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]7248run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]7249 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7250 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]7251 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]7252 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7253 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]7254 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]7255 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
7256 0 \
7257 -c "=> renegotiate" \
7258 -s "=> renegotiate" \
7259 -s "Extra-header:" \
7260 -c "HTTP/1.0 200 OK"
7261
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7262client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7263requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]7264run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]7265 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7266 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]7267 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]7268 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7269 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]7270 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]7271 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
7272 0 \
7273 -c "=> renegotiate" \
7274 -s "=> renegotiate" \
7275 -s "Extra-header:" \
7276 -c "HTTP/1.0 200 OK"
7277
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]7278## Interop tests with OpenSSL might trigger a bug in recent versions (including
7279## all versions installed on the CI machines), reported here:
7280## Bug report: https://github.com/openssl/openssl/issues/6902
7281## They should be re-enabled once a fixed version of OpenSSL is available
7282## (this should happen in some 1.1.1_ release according to the ticket).
7283skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7284client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]7285not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]7286run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]7287 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
7288 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7289 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]7290 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]7291 -c "HTTP/1.0 200 OK"
7292
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]7293skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7294client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]7295not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]7296run_test "DTLS proxy: 3d, openssl server, fragmentation" \
7297 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
7298 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7299 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]7300 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]7301 -c "HTTP/1.0 200 OK"
7302
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]7303skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7304client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]7305not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7306run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
7307 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
7308 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7309 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7310 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7311 -c "HTTP/1.0 200 OK"
7312
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]7313requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7314client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]7315not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]7316run_test "DTLS proxy: 3d, gnutls server" \
7317 -p "$P_PXY drop=5 delay=5 duplicate=5" \
7318 "$G_SRV -u --mtu 2048 -a" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7319 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]7320 0 \
7321 -s "Extra-header:" \
7322 -c "Extra-header:"
7323
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]7324requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7325client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]7326not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]7327run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
7328 -p "$P_PXY drop=5 delay=5 duplicate=5" \
7329 "$G_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7330 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]7331 0 \
7332 -s "Extra-header:" \
7333 -c "Extra-header:"
7334
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]7335requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]7336client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]7337not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7338run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
7339 -p "$P_PXY drop=5 delay=5 duplicate=5" \
7340 "$G_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7341 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]7342 0 \
7343 -s "Extra-header:" \
7344 -c "Extra-header:"
7345
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]7346# Final report
7347
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]7348echo "------------------------------------------------------------------------"
7349
7350if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]7351 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]7352else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]7353 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]7354fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]7355PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]7356echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]7357
7358exit $FAILS