TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d51bec701bd85a77a6e5cd972d9c152db2befb18 / . / tests / ssl-opt.sh
blob: 5c441bc92b420b432f7fd52fddc269afeafa259b [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]9# Assumes a build with default options.
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]13# default values, can be overriden by the environment
14: ${P_SRV:=../programs/ssl/ssl_server2}
15: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]16: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]17: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]18: ${GNUTLS_CLI:=gnutls-cli}
19: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]20: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]22O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]23O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]24G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]25G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]26TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]27
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]28TESTS=0
29FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]30SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]33
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]34MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]35FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]36EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]37
38print_usage() {
39 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]40 printf " -h|--help\tPrint this help.\n"
41 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
42 printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
43 printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]44}
45
46get_options() {
47 while [ $# -gt 0 ]; do
48 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]49 -f|--filter)
50 shift; FILTER=$1
51 ;;
52 -e|--exclude)
53 shift; EXCLUDE=$1
54 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]55 -m|--memcheck)
56 MEMCHECK=1
57 ;;
58 -h|--help)
59 print_usage
60 exit 0
61 ;;
62 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]63 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]64 print_usage
65 exit 1
66 ;;
67 esac
68 shift
69 done
70}
71
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]72# skip next test if the flag is not enabled in config.h
73requires_config_enabled() {
74 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
75 SKIP_NEXT="YES"
76 fi
77}
78
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]79# skip next test if the flag is enabled in config.h
80requires_config_disabled() {
81 if grep "^#define $1" $CONFIG_H > /dev/null; then
82 SKIP_NEXT="YES"
83 fi
84}
85
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]86# skip next test if OpenSSL doesn't support FALLBACK_SCSV
87requires_openssl_with_fallback_scsv() {
88 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
89 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
90 then
91 OPENSSL_HAS_FBSCSV="YES"
92 else
93 OPENSSL_HAS_FBSCSV="NO"
94 fi
95 fi
96 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
97 SKIP_NEXT="YES"
98 fi
99}
100
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]101# skip next test if GnuTLS isn't available
102requires_gnutls() {
103 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]104 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]105 GNUTLS_AVAILABLE="YES"
106 else
107 GNUTLS_AVAILABLE="NO"
108 fi
109 fi
110 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
111 SKIP_NEXT="YES"
112 fi
113}
114
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]115# skip next test if IPv6 isn't available on this host
116requires_ipv6() {
117 if [ -z "${HAS_IPV6:-}" ]; then
118 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
119 SRV_PID=$!
120 sleep 1
121 kill $SRV_PID >/dev/null 2>&1
122 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
123 HAS_IPV6="NO"
124 else
125 HAS_IPV6="YES"
126 fi
127 rm -r $SRV_OUT
128 fi
129
130 if [ "$HAS_IPV6" = "NO" ]; then
131 SKIP_NEXT="YES"
132 fi
133}
134
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]135# skip the next test if valgrind is in use
136not_with_valgrind() {
137 if [ "$MEMCHECK" -gt 0 ]; then
138 SKIP_NEXT="YES"
139 fi
140}
141
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]142# skip the next test if valgrind is NOT in use
143only_with_valgrind() {
144 if [ "$MEMCHECK" -eq 0 ]; then
145 SKIP_NEXT="YES"
146 fi
147}
148
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]149# multiply the client timeout delay by the given factor for the next test
150needs_more_time() {
151 CLI_DELAY_FACTOR=$1
152}
153
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]154# print_name <name>
155print_name() {
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]156 printf "$1 "
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]157 LEN=$(( 72 - `echo "$1" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]158 for i in `seq 1 $LEN`; do printf '.'; done
159 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]160
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]161 TESTS=$(( $TESTS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]162}
163
164# fail <message>
165fail() {
166 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]167 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]168
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]169 mv $SRV_OUT o-srv-${TESTS}.log
170 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]171 if [ -n "$PXY_CMD" ]; then
172 mv $PXY_OUT o-pxy-${TESTS}.log
173 fi
174 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]175
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]176 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
177 echo " ! server output:"
178 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]179 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]180 echo " ! client output:"
181 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]182 if [ -n "$PXY_CMD" ]; then
183 echo " ! ========================================================"
184 echo " ! proxy output:"
185 cat o-pxy-${TESTS}.log
186 fi
187 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]188 fi
189
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]190 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]191}
192
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]193# is_polar <cmd_line>
194is_polar() {
195 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
196}
197
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]198# openssl s_server doesn't have -www with DTLS
199check_osrv_dtls() {
200 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
201 NEEDS_INPUT=1
202 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
203 else
204 NEEDS_INPUT=0
205 fi
206}
207
208# provide input to commands that need it
209provide_input() {
210 if [ $NEEDS_INPUT -eq 0 ]; then
211 return
212 fi
213
214 while true; do
215 echo "HTTP/1.0 200 OK"
216 sleep 1
217 done
218}
219
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]220# has_mem_err <log_file_name>
221has_mem_err() {
222 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
223 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
224 then
225 return 1 # false: does not have errors
226 else
227 return 0 # true: has errors
228 fi
229}
230
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]231# wait for server to start: two versions depending on lsof availability
232wait_server_start() {
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]233 if which lsof >/dev/null 2>&1; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]234 START_TIME=$( date +%s )
235 DONE=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]236
237 # make a tight loop, server usually takes less than 1 sec to start
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]238 if [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]239 while [ $DONE -eq 0 ]; do
240 if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null
241 then
242 DONE=1
243 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
244 echo "SERVERSTART TIMEOUT"
245 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
246 DONE=1
247 fi
248 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]249 else
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]250 while [ $DONE -eq 0 ]; do
251 if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null
252 then
253 DONE=1
254 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
255 echo "SERVERSTART TIMEOUT"
256 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
257 DONE=1
258 fi
259 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]260 fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]261 else
262 sleep "$START_DELAY"
263 fi
264}
265
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]266# wait for client to terminate and set CLI_EXIT
267# must be called right after starting the client
268wait_client_done() {
269 CLI_PID=$!
270
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]271 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
272 CLI_DELAY_FACTOR=1
273
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]274 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]275 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]276
277 wait $CLI_PID
278 CLI_EXIT=$?
279
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]280 kill $DOG_PID >/dev/null 2>&1
281 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]282
283 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
284}
285
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]286# check if the given command uses dtls and sets global variable DTLS
287detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]288 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]289 DTLS=1
290 else
291 DTLS=0
292 fi
293}
294
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]295# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]296# Options: -s pattern pattern that must be present in server output
297# -c pattern pattern that must be present in client output
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]298# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]299# -S pattern pattern that must be absent in server output
300# -C pattern pattern that must be absent in client output
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]301# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]302run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]303 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]304 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]305
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]306 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
307 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]308 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]309 return
310 fi
311
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]312 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]313
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]314 # should we skip?
315 if [ "X$SKIP_NEXT" = "XYES" ]; then
316 SKIP_NEXT="NO"
317 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]318 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]319 return
320 fi
321
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]322 # does this test use a proxy?
323 if [ "X$1" = "X-p" ]; then
324 PXY_CMD="$2"
325 shift 2
326 else
327 PXY_CMD=""
328 fi
329
330 # get commands and client output
331 SRV_CMD="$1"
332 CLI_CMD="$2"
333 CLI_EXPECT="$3"
334 shift 3
335
336 # fix client port
337 if [ -n "$PXY_CMD" ]; then
338 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
339 else
340 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
341 fi
342
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]343 # update DTLS variable
344 detect_dtls "$SRV_CMD"
345
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]346 # prepend valgrind to our commands if active
347 if [ "$MEMCHECK" -gt 0 ]; then
348 if is_polar "$SRV_CMD"; then
349 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
350 fi
351 if is_polar "$CLI_CMD"; then
352 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
353 fi
354 fi
355
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]356 TIMES_LEFT=2
357 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]358 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]359
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]360 # run the commands
361 if [ -n "$PXY_CMD" ]; then
362 echo "$PXY_CMD" > $PXY_OUT
363 $PXY_CMD >> $PXY_OUT 2>&1 &
364 PXY_PID=$!
365 # assume proxy starts faster than server
366 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]367
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]368 check_osrv_dtls
369 echo "$SRV_CMD" > $SRV_OUT
370 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
371 SRV_PID=$!
372 wait_server_start
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]373
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]374 echo "$CLI_CMD" > $CLI_OUT
375 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
376 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]377
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]378 # terminate the server (and the proxy)
379 kill $SRV_PID
380 wait $SRV_PID
381 if [ -n "$PXY_CMD" ]; then
382 kill $PXY_PID >/dev/null 2>&1
383 wait $PXY_PID
384 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]385
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]386 # retry only on timeouts
387 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
388 printf "RETRY "
389 else
390 TIMES_LEFT=0
391 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]392 done
393
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]394 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]395 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]396 # expected client exit to incorrectly succeed in case of catastrophic
397 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]398 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]399 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]400 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]401 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]402 return
403 fi
404 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]405 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]406 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]407 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]408 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]409 return
410 fi
411 fi
412
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]413 # check server exit code
414 if [ $? != 0 ]; then
415 fail "server fail"
416 return
417 fi
418
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]419 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]420 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
421 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]422 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]423 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]424 return
425 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]426
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]427 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]428 # lines beginning with == are added by valgrind, ignore them
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]429 while [ $# -gt 0 ]
430 do
431 case $1 in
432 "-s")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]433 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
434 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]435 return
436 fi
437 ;;
438
439 "-c")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]440 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
441 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]442 return
443 fi
444 ;;
445
446 "-S")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]447 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
448 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]449 return
450 fi
451 ;;
452
453 "-C")
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]454 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
455 fail "pattern '$2' MUST NOT be present in the Client output"
456 return
457 fi
458 ;;
459
460 # The filtering in the following two options (-u and -U) do the following
461 # - ignore valgrind output
462 # - filter out everything but lines right after the pattern occurances
463 # - keep one of each non-unique line
464 # - count how many lines remain
465 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
466 # if there were no duplicates.
467 "-U")
468 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
469 fail "lines following pattern '$2' must be unique in Server output"
470 return
471 fi
472 ;;
473
474 "-u")
475 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
476 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]477 return
478 fi
479 ;;
480
481 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]482 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]483 exit 1
484 esac
485 shift 2
486 done
487
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]488 # check valgrind's results
489 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]490 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]491 fail "Server has memory errors"
492 return
493 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]494 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]495 fail "Client has memory errors"
496 return
497 fi
498 fi
499
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]500 # if we're here, everything is ok
501 echo "PASS"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]502 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]503}
504
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]505cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]506 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]507 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
508 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
509 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
510 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]511 exit 1
512}
513
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]514#
515# MAIN
516#
517
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]518if cd $( dirname $0 ); then :; else
519 echo "cd $( dirname $0 ) failed" >&2
520 exit 1
521fi
522
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]523get_options "$@"
524
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]525# sanity checks, avoid an avalanche of errors
526if [ ! -x "$P_SRV" ]; then
527 echo "Command '$P_SRV' is not an executable file"
528 exit 1
529fi
530if [ ! -x "$P_CLI" ]; then
531 echo "Command '$P_CLI' is not an executable file"
532 exit 1
533fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]534if [ ! -x "$P_PXY" ]; then
535 echo "Command '$P_PXY' is not an executable file"
536 exit 1
537fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]538if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
539 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]540 exit 1
541fi
542
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]543# used by watchdog
544MAIN_PID="$$"
545
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]546# be more patient with valgrind
547if [ "$MEMCHECK" -gt 0 ]; then
548 START_DELAY=3
549 DOG_DELAY=30
550else
551 START_DELAY=1
552 DOG_DELAY=10
553fi
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]554CLI_DELAY_FACTOR=1
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]555
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]556# Pick a "unique" server port in the range 10000-19999, and a proxy port
557PORT_BASE="0000$$"
Manuel Pégourié-Gonnard3a173f42015-01-22 13:30:33 +0000[diff] [blame]558PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]559SRV_PORT="1$PORT_BASE"
560PXY_PORT="2$PORT_BASE"
561unset PORT_BASE
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]562
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]563# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]564# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]565P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
566P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
567P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]568O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]569O_CLI="$O_CLI -connect localhost:+SRV_PORT"
570G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]571G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]572
Gilles Peskine35db5ba2017-05-10 10:13:59 +0200[diff] [blame]573# Allow SHA-1, because many of our test certificates use it
574P_SRV="$P_SRV allow_sha1=1"
575P_CLI="$P_CLI allow_sha1=1"
576
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]577# Also pick a unique name for intermediate files
578SRV_OUT="srv_out.$$"
579CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]580PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]581SESSION="session.$$"
582
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]583SKIP_NEXT="NO"
584
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]585trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]586
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]587# Basic test
588
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]589# Checks that:
590# - things work with all ciphersuites active (used with config-full in all.sh)
591# - the expected (highest security) parameters are selected
592# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]593run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]594 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]595 "$P_CLI" \
596 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]597 -s "Protocol is TLSv1.2" \
598 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
599 -s "client hello v3, signature_algorithm ext: 6" \
600 -s "ECDHE curve: secp521r1" \
601 -S "error" \
602 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]603
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]604run_test "Default, DTLS" \
605 "$P_SRV dtls=1" \
606 "$P_CLI dtls=1" \
607 0 \
608 -s "Protocol is DTLSv1.2" \
609 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
610
Janos Follath6d3e3382016-09-07 15:48:48 +0100[diff] [blame]611# Test for uniqueness of IVs in AEAD ciphersuites
612run_test "Unique IV in GCM" \
613 "$P_SRV exchanges=20 debug_level=4" \
614 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
615 0 \
616 -u "IV used" \
617 -U "IV used"
618
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]619# Tests for rc4 option
620
Simon Butcher6eb066e2016-05-19 22:12:18 +0100[diff] [blame]621requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]622run_test "RC4: server disabled, client enabled" \
623 "$P_SRV" \
624 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
625 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]626 -s "SSL - The server has no ciphersuites in common"
627
Simon Butcher6eb066e2016-05-19 22:12:18 +0100[diff] [blame]628requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]629run_test "RC4: server half, client enabled" \
630 "$P_SRV arc4=1" \
631 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
632 1 \
633 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]634
635run_test "RC4: server enabled, client disabled" \
636 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
637 "$P_CLI" \
638 1 \
639 -s "SSL - The server has no ciphersuites in common"
640
641run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]642 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]643 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
644 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]645 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]646 -S "SSL - The server has no ciphersuites in common"
647
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]648# Tests for SHA-1 support
649
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]650requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]651run_test "SHA-1 forbidden by default in server certificate" \
652 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
653 "$P_CLI debug_level=2 allow_sha1=0" \
654 1 \
655 -c "The certificate is signed with an unacceptable hash"
656
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]657requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
658run_test "SHA-1 forbidden by default in server certificate" \
659 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
660 "$P_CLI debug_level=2 allow_sha1=0" \
661 0
662
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]663run_test "SHA-1 explicitly allowed in server certificate" \
664 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
665 "$P_CLI allow_sha1=1" \
666 0
667
668run_test "SHA-256 allowed by default in server certificate" \
669 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
670 "$P_CLI allow_sha1=0" \
671 0
672
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]673requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]674run_test "SHA-1 forbidden by default in client certificate" \
675 "$P_SRV auth_mode=required allow_sha1=0" \
676 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
677 1 \
678 -s "The certificate is signed with an unacceptable hash"
679
Manuel Pégourié-Gonnard55393662017-06-08 17:51:08 +0200[diff] [blame]680requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
681run_test "SHA-1 forbidden by default in client certificate" \
682 "$P_SRV auth_mode=required allow_sha1=0" \
683 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
684 0
685
Gilles Peskineae765992017-05-09 15:59:24 +0200[diff] [blame]686run_test "SHA-1 explicitly allowed in client certificate" \
687 "$P_SRV auth_mode=required allow_sha1=1" \
688 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
689 0
690
691run_test "SHA-256 allowed by default in client certificate" \
692 "$P_SRV auth_mode=required allow_sha1=0" \
693 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
694 0
695
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]696# Tests for Truncated HMAC extension
697
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]698run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]699 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]700 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]701 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]702 -s "dumping 'expected mac' (20 bytes)" \
703 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]704
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]705requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]706run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]707 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]708 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
709 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]710 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]711 -s "dumping 'expected mac' (20 bytes)" \
712 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]713
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]714requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]715run_test "Truncated HMAC: client enabled, server default" \
716 "$P_SRV debug_level=4" \
717 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
718 trunc_hmac=1" \
719 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]720 -s "dumping 'expected mac' (20 bytes)" \
721 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]722
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]723requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]724run_test "Truncated HMAC: client enabled, server disabled" \
725 "$P_SRV debug_level=4 trunc_hmac=0" \
726 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
727 trunc_hmac=1" \
728 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]729 -s "dumping 'expected mac' (20 bytes)" \
730 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]731
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]732requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Beckerd51bec72017-11-17 15:46:24 +0000[diff] [blame^]733run_test "Truncated HMAC: client disabled, server enabled" \
734 "$P_SRV debug_level=4 trunc_hmac=1" \
735 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
736 trunc_hmac=0" \
737 0 \
738 -s "dumping 'expected mac' (20 bytes)" \
739 -S "dumping 'expected mac' (10 bytes)"
740
741requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]742run_test "Truncated HMAC: client enabled, server enabled" \
743 "$P_SRV debug_level=4 trunc_hmac=1" \
744 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
745 trunc_hmac=1" \
746 0 \
Hanno Beckerce516ff2017-11-09 18:57:39 +0000[diff] [blame]747 -S "dumping 'expected mac' (20 bytes)" \
748 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]749
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]750# Tests for Encrypt-then-MAC extension
751
752run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]753 "$P_SRV debug_level=3 \
754 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]755 "$P_CLI debug_level=3" \
756 0 \
757 -c "client hello, adding encrypt_then_mac extension" \
758 -s "found encrypt then mac extension" \
759 -s "server hello, adding encrypt then mac extension" \
760 -c "found encrypt_then_mac extension" \
761 -c "using encrypt then mac" \
762 -s "using encrypt then mac"
763
764run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]765 "$P_SRV debug_level=3 etm=0 \
766 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]767 "$P_CLI debug_level=3 etm=1" \
768 0 \
769 -c "client hello, adding encrypt_then_mac extension" \
770 -s "found encrypt then mac extension" \
771 -S "server hello, adding encrypt then mac extension" \
772 -C "found encrypt_then_mac extension" \
773 -C "using encrypt then mac" \
774 -S "using encrypt then mac"
775
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]776run_test "Encrypt then MAC: client enabled, aead cipher" \
777 "$P_SRV debug_level=3 etm=1 \
778 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
779 "$P_CLI debug_level=3 etm=1" \
780 0 \
781 -c "client hello, adding encrypt_then_mac extension" \
782 -s "found encrypt then mac extension" \
783 -S "server hello, adding encrypt then mac extension" \
784 -C "found encrypt_then_mac extension" \
785 -C "using encrypt then mac" \
786 -S "using encrypt then mac"
787
788run_test "Encrypt then MAC: client enabled, stream cipher" \
789 "$P_SRV debug_level=3 etm=1 \
790 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]791 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]792 0 \
793 -c "client hello, adding encrypt_then_mac extension" \
794 -s "found encrypt then mac extension" \
795 -S "server hello, adding encrypt then mac extension" \
796 -C "found encrypt_then_mac extension" \
797 -C "using encrypt then mac" \
798 -S "using encrypt then mac"
799
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]800run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]801 "$P_SRV debug_level=3 etm=1 \
802 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]803 "$P_CLI debug_level=3 etm=0" \
804 0 \
805 -C "client hello, adding encrypt_then_mac extension" \
806 -S "found encrypt then mac extension" \
807 -S "server hello, adding encrypt then mac extension" \
808 -C "found encrypt_then_mac extension" \
809 -C "using encrypt then mac" \
810 -S "using encrypt then mac"
811
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]812requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]813run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]814 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]815 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]816 "$P_CLI debug_level=3 force_version=ssl3" \
817 0 \
818 -C "client hello, adding encrypt_then_mac extension" \
819 -S "found encrypt then mac extension" \
820 -S "server hello, adding encrypt then mac extension" \
821 -C "found encrypt_then_mac extension" \
822 -C "using encrypt then mac" \
823 -S "using encrypt then mac"
824
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]825requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]826run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]827 "$P_SRV debug_level=3 force_version=ssl3 \
828 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]829 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]830 0 \
831 -c "client hello, adding encrypt_then_mac extension" \
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]832 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]833 -S "server hello, adding encrypt then mac extension" \
834 -C "found encrypt_then_mac extension" \
835 -C "using encrypt then mac" \
836 -S "using encrypt then mac"
837
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]838# Tests for Extended Master Secret extension
839
840run_test "Extended Master Secret: default" \
841 "$P_SRV debug_level=3" \
842 "$P_CLI debug_level=3" \
843 0 \
844 -c "client hello, adding extended_master_secret extension" \
845 -s "found extended master secret extension" \
846 -s "server hello, adding extended master secret extension" \
847 -c "found extended_master_secret extension" \
848 -c "using extended master secret" \
849 -s "using extended master secret"
850
851run_test "Extended Master Secret: client enabled, server disabled" \
852 "$P_SRV debug_level=3 extended_ms=0" \
853 "$P_CLI debug_level=3 extended_ms=1" \
854 0 \
855 -c "client hello, adding extended_master_secret extension" \
856 -s "found extended master secret extension" \
857 -S "server hello, adding extended master secret extension" \
858 -C "found extended_master_secret extension" \
859 -C "using extended master secret" \
860 -S "using extended master secret"
861
862run_test "Extended Master Secret: client disabled, server enabled" \
863 "$P_SRV debug_level=3 extended_ms=1" \
864 "$P_CLI debug_level=3 extended_ms=0" \
865 0 \
866 -C "client hello, adding extended_master_secret extension" \
867 -S "found extended master secret extension" \
868 -S "server hello, adding extended master secret extension" \
869 -C "found extended_master_secret extension" \
870 -C "using extended master secret" \
871 -S "using extended master secret"
872
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]873requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]874run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]875 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]876 "$P_CLI debug_level=3 force_version=ssl3" \
877 0 \
878 -C "client hello, adding extended_master_secret extension" \
879 -S "found extended master secret extension" \
880 -S "server hello, adding extended master secret extension" \
881 -C "found extended_master_secret extension" \
882 -C "using extended master secret" \
883 -S "using extended master secret"
884
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]885requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]886run_test "Extended Master Secret: client enabled, server SSLv3" \
887 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]888 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]889 0 \
890 -c "client hello, adding extended_master_secret extension" \
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]891 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]892 -S "server hello, adding extended master secret extension" \
893 -C "found extended_master_secret extension" \
894 -C "using extended master secret" \
895 -S "using extended master secret"
896
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]897# Tests for FALLBACK_SCSV
898
899run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]900 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]901 "$P_CLI debug_level=3 force_version=tls1_1" \
902 0 \
903 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]904 -S "received FALLBACK_SCSV" \
905 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]906 -C "is a fatal alert message (msg 86)"
907
908run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]909 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]910 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
911 0 \
912 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]913 -S "received FALLBACK_SCSV" \
914 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]915 -C "is a fatal alert message (msg 86)"
916
917run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]918 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]919 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]920 1 \
921 -c "adding FALLBACK_SCSV" \
922 -s "received FALLBACK_SCSV" \
923 -s "inapropriate fallback" \
924 -c "is a fatal alert message (msg 86)"
925
926run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]927 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]928 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]929 0 \
930 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]931 -s "received FALLBACK_SCSV" \
932 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]933 -C "is a fatal alert message (msg 86)"
934
935requires_openssl_with_fallback_scsv
936run_test "Fallback SCSV: default, openssl server" \
937 "$O_SRV" \
938 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
939 0 \
940 -C "adding FALLBACK_SCSV" \
941 -C "is a fatal alert message (msg 86)"
942
943requires_openssl_with_fallback_scsv
944run_test "Fallback SCSV: enabled, openssl server" \
945 "$O_SRV" \
946 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
947 1 \
948 -c "adding FALLBACK_SCSV" \
949 -c "is a fatal alert message (msg 86)"
950
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]951requires_openssl_with_fallback_scsv
952run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]953 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]954 "$O_CLI -tls1_1" \
955 0 \
956 -S "received FALLBACK_SCSV" \
957 -S "inapropriate fallback"
958
959requires_openssl_with_fallback_scsv
960run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]961 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]962 "$O_CLI -tls1_1 -fallback_scsv" \
963 1 \
964 -s "received FALLBACK_SCSV" \
965 -s "inapropriate fallback"
966
967requires_openssl_with_fallback_scsv
968run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]969 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]970 "$O_CLI -fallback_scsv" \
971 0 \
972 -s "received FALLBACK_SCSV" \
973 -S "inapropriate fallback"
974
Gilles Peskine39e29812017-05-16 17:53:03 +0200[diff] [blame]975## ClientHello generated with
976## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
977## then manually twiddling the ciphersuite list.
978## The ClientHello content is spelled out below as a hex string as
979## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
980## The expected response is an inappropriate_fallback alert.
981requires_openssl_with_fallback_scsv
982run_test "Fallback SCSV: beginning of list" \
983 "$P_SRV debug_level=2" \
984 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
985 0 \
986 -s "received FALLBACK_SCSV" \
987 -s "inapropriate fallback"
988
989requires_openssl_with_fallback_scsv
990run_test "Fallback SCSV: end of list" \
991 "$P_SRV debug_level=2" \
992 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
993 0 \
994 -s "received FALLBACK_SCSV" \
995 -s "inapropriate fallback"
996
997## Here the expected response is a valid ServerHello prefix, up to the random.
998requires_openssl_with_fallback_scsv
999run_test "Fallback SCSV: not in list" \
1000 "$P_SRV debug_level=2" \
1001 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1002 0 \
1003 -S "received FALLBACK_SCSV" \
1004 -S "inapropriate fallback"
1005
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1006# Tests for CBC 1/n-1 record splitting
1007
1008run_test "CBC Record splitting: TLS 1.2, no splitting" \
1009 "$P_SRV" \
1010 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1011 request_size=123 force_version=tls1_2" \
1012 0 \
1013 -s "Read from client: 123 bytes read" \
1014 -S "Read from client: 1 bytes read" \
1015 -S "122 bytes read"
1016
1017run_test "CBC Record splitting: TLS 1.1, no splitting" \
1018 "$P_SRV" \
1019 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1020 request_size=123 force_version=tls1_1" \
1021 0 \
1022 -s "Read from client: 123 bytes read" \
1023 -S "Read from client: 1 bytes read" \
1024 -S "122 bytes read"
1025
1026run_test "CBC Record splitting: TLS 1.0, splitting" \
1027 "$P_SRV" \
1028 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1029 request_size=123 force_version=tls1" \
1030 0 \
1031 -S "Read from client: 123 bytes read" \
1032 -s "Read from client: 1 bytes read" \
1033 -s "122 bytes read"
1034
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]1035requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1036run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1037 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1038 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1039 request_size=123 force_version=ssl3" \
1040 0 \
1041 -S "Read from client: 123 bytes read" \
1042 -s "Read from client: 1 bytes read" \
1043 -s "122 bytes read"
1044
1045run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1046 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1047 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1048 request_size=123 force_version=tls1" \
1049 0 \
1050 -s "Read from client: 123 bytes read" \
1051 -S "Read from client: 1 bytes read" \
1052 -S "122 bytes read"
1053
1054run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1055 "$P_SRV" \
1056 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1057 request_size=123 force_version=tls1 recsplit=0" \
1058 0 \
1059 -s "Read from client: 123 bytes read" \
1060 -S "Read from client: 1 bytes read" \
1061 -S "122 bytes read"
1062
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1063run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1064 "$P_SRV nbio=2" \
1065 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1066 request_size=123 force_version=tls1" \
1067 0 \
1068 -S "Read from client: 123 bytes read" \
1069 -s "Read from client: 1 bytes read" \
1070 -s "122 bytes read"
1071
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1072# Tests for Session Tickets
1073
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1074run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1075 "$P_SRV debug_level=3 tickets=1" \
1076 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1077 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1078 -c "client hello, adding session ticket extension" \
1079 -s "found session ticket extension" \
1080 -s "server hello, adding session ticket extension" \
1081 -c "found session_ticket extension" \
1082 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1083 -S "session successfully restored from cache" \
1084 -s "session successfully restored from ticket" \
1085 -s "a session has been resumed" \
1086 -c "a session has been resumed"
1087
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1088run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1089 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1090 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1091 0 \
1092 -c "client hello, adding session ticket extension" \
1093 -s "found session ticket extension" \
1094 -s "server hello, adding session ticket extension" \
1095 -c "found session_ticket extension" \
1096 -c "parse new session ticket" \
1097 -S "session successfully restored from cache" \
1098 -s "session successfully restored from ticket" \
1099 -s "a session has been resumed" \
1100 -c "a session has been resumed"
1101
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1102run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1103 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1104 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1105 0 \
1106 -c "client hello, adding session ticket extension" \
1107 -s "found session ticket extension" \
1108 -s "server hello, adding session ticket extension" \
1109 -c "found session_ticket extension" \
1110 -c "parse new session ticket" \
1111 -S "session successfully restored from cache" \
1112 -S "session successfully restored from ticket" \
1113 -S "a session has been resumed" \
1114 -C "a session has been resumed"
1115
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1116run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1117 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1118 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1119 0 \
1120 -c "client hello, adding session ticket extension" \
1121 -c "found session_ticket extension" \
1122 -c "parse new session ticket" \
1123 -c "a session has been resumed"
1124
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1125run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1126 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1127 "( $O_CLI -sess_out $SESSION; \
1128 $O_CLI -sess_in $SESSION; \
1129 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1130 0 \
1131 -s "found session ticket extension" \
1132 -s "server hello, adding session ticket extension" \
1133 -S "session successfully restored from cache" \
1134 -s "session successfully restored from ticket" \
1135 -s "a session has been resumed"
1136
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1137# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1138
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1139run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1140 "$P_SRV debug_level=3 tickets=0" \
1141 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1142 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1143 -c "client hello, adding session ticket extension" \
1144 -s "found session ticket extension" \
1145 -S "server hello, adding session ticket extension" \
1146 -C "found session_ticket extension" \
1147 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1148 -s "session successfully restored from cache" \
1149 -S "session successfully restored from ticket" \
1150 -s "a session has been resumed" \
1151 -c "a session has been resumed"
1152
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1153run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1154 "$P_SRV debug_level=3 tickets=1" \
1155 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1156 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1157 -C "client hello, adding session ticket extension" \
1158 -S "found session ticket extension" \
1159 -S "server hello, adding session ticket extension" \
1160 -C "found session_ticket extension" \
1161 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1162 -s "session successfully restored from cache" \
1163 -S "session successfully restored from ticket" \
1164 -s "a session has been resumed" \
1165 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1166
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1167run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1168 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1169 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1170 0 \
1171 -S "session successfully restored from cache" \
1172 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1173 -S "a session has been resumed" \
1174 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1175
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1176run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1177 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1178 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1179 0 \
1180 -s "session successfully restored from cache" \
1181 -S "session successfully restored from ticket" \
1182 -s "a session has been resumed" \
1183 -c "a session has been resumed"
1184
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1185run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1186 "$P_SRV debug_level=3 tickets=0" \
1187 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1188 0 \
1189 -s "session successfully restored from cache" \
1190 -S "session successfully restored from ticket" \
1191 -s "a session has been resumed" \
1192 -c "a session has been resumed"
1193
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1194run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1195 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1196 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1197 0 \
1198 -S "session successfully restored from cache" \
1199 -S "session successfully restored from ticket" \
1200 -S "a session has been resumed" \
1201 -C "a session has been resumed"
1202
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1203run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1204 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1205 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1206 0 \
1207 -s "session successfully restored from cache" \
1208 -S "session successfully restored from ticket" \
1209 -s "a session has been resumed" \
1210 -c "a session has been resumed"
1211
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1212run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1213 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1214 "( $O_CLI -sess_out $SESSION; \
1215 $O_CLI -sess_in $SESSION; \
1216 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1217 0 \
1218 -s "found session ticket extension" \
1219 -S "server hello, adding session ticket extension" \
1220 -s "session successfully restored from cache" \
1221 -S "session successfully restored from ticket" \
1222 -s "a session has been resumed"
1223
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1224run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1225 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1226 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1227 0 \
1228 -C "found session_ticket extension" \
1229 -C "parse new session ticket" \
1230 -c "a session has been resumed"
1231
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1232# Tests for Max Fragment Length extension
1233
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1234run_test "Max fragment length: not used, reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1235 "$P_SRV debug_level=3" \
1236 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1237 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1238 -c "Maximum fragment length is 16384" \
1239 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1240 -C "client hello, adding max_fragment_length extension" \
1241 -S "found max fragment length extension" \
1242 -S "server hello, max_fragment_length extension" \
1243 -C "found max_fragment_length extension"
1244
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1245run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1246 "$P_SRV debug_level=3" \
1247 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1248 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1249 -c "Maximum fragment length is 4096" \
1250 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1251 -c "client hello, adding max_fragment_length extension" \
1252 -s "found max fragment length extension" \
1253 -s "server hello, max_fragment_length extension" \
1254 -c "found max_fragment_length extension"
1255
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1256run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1257 "$P_SRV debug_level=3 max_frag_len=4096" \
1258 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1259 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1260 -c "Maximum fragment length is 16384" \
1261 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1262 -C "client hello, adding max_fragment_length extension" \
1263 -S "found max fragment length extension" \
1264 -S "server hello, max_fragment_length extension" \
1265 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1266
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1267requires_gnutls
1268run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1269 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1270 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1271 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1272 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1273 -c "client hello, adding max_fragment_length extension" \
1274 -c "found max_fragment_length extension"
1275
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1276run_test "Max fragment length: client, message just fits" \
1277 "$P_SRV debug_level=3" \
1278 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1279 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1280 -c "Maximum fragment length is 2048" \
1281 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1282 -c "client hello, adding max_fragment_length extension" \
1283 -s "found max fragment length extension" \
1284 -s "server hello, max_fragment_length extension" \
1285 -c "found max_fragment_length extension" \
1286 -c "2048 bytes written in 1 fragments" \
1287 -s "2048 bytes read"
1288
1289run_test "Max fragment length: client, larger message" \
1290 "$P_SRV debug_level=3" \
1291 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1292 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1293 -c "Maximum fragment length is 2048" \
1294 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1295 -c "client hello, adding max_fragment_length extension" \
1296 -s "found max fragment length extension" \
1297 -s "server hello, max_fragment_length extension" \
1298 -c "found max_fragment_length extension" \
1299 -c "2345 bytes written in 2 fragments" \
1300 -s "2048 bytes read" \
1301 -s "297 bytes read"
1302
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1303run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1304 "$P_SRV debug_level=3 dtls=1" \
1305 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1306 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1307 -c "Maximum fragment length is 2048" \
1308 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1309 -c "client hello, adding max_fragment_length extension" \
1310 -s "found max fragment length extension" \
1311 -s "server hello, max_fragment_length extension" \
1312 -c "found max_fragment_length extension" \
1313 -c "fragment larger than.*maximum"
1314
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1315# Tests for renegotiation
1316
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1317run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1318 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1319 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1320 0 \
1321 -C "client hello, adding renegotiation extension" \
1322 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1323 -S "found renegotiation extension" \
1324 -s "server hello, secure renegotiation extension" \
1325 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1326 -C "=> renegotiate" \
1327 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1328 -S "write hello request"
1329
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1330run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1331 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1332 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1333 0 \
1334 -c "client hello, adding renegotiation extension" \
1335 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1336 -s "found renegotiation extension" \
1337 -s "server hello, secure renegotiation extension" \
1338 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1339 -c "=> renegotiate" \
1340 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1341 -S "write hello request"
1342
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1343run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1344 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1345 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1346 0 \
1347 -c "client hello, adding renegotiation extension" \
1348 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1349 -s "found renegotiation extension" \
1350 -s "server hello, secure renegotiation extension" \
1351 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1352 -c "=> renegotiate" \
1353 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1354 -s "write hello request"
1355
Janos Follath5f1dd802017-10-05 12:29:42 +0100[diff] [blame]1356# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1357# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1358# algorithm stronger than SHA-1 is enabled in config.h
1359run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1360 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1361 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1362 0 \
1363 -c "client hello, adding renegotiation extension" \
1364 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1365 -s "found renegotiation extension" \
1366 -s "server hello, secure renegotiation extension" \
1367 -c "found renegotiation extension" \
1368 -c "=> renegotiate" \
1369 -s "=> renegotiate" \
1370 -S "write hello request" \
1371 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1372
1373# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1374# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1375# algorithm stronger than SHA-1 is enabled in config.h
1376run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1377 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1378 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1379 0 \
1380 -c "client hello, adding renegotiation extension" \
1381 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1382 -s "found renegotiation extension" \
1383 -s "server hello, secure renegotiation extension" \
1384 -c "found renegotiation extension" \
1385 -c "=> renegotiate" \
1386 -s "=> renegotiate" \
1387 -s "write hello request" \
1388 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1389
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1390run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1391 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1392 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1393 0 \
1394 -c "client hello, adding renegotiation extension" \
1395 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1396 -s "found renegotiation extension" \
1397 -s "server hello, secure renegotiation extension" \
1398 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1399 -c "=> renegotiate" \
1400 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1401 -s "write hello request"
1402
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1403run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1404 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1405 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1406 1 \
1407 -c "client hello, adding renegotiation extension" \
1408 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1409 -S "found renegotiation extension" \
1410 -s "server hello, secure renegotiation extension" \
1411 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1412 -c "=> renegotiate" \
1413 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1414 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1415 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1416 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1417
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1418run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1419 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1420 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1421 0 \
1422 -C "client hello, adding renegotiation extension" \
1423 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1424 -S "found renegotiation extension" \
1425 -s "server hello, secure renegotiation extension" \
1426 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1427 -C "=> renegotiate" \
1428 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1429 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1430 -S "SSL - An unexpected message was received from our peer" \
1431 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1432
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1433run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1434 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1435 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1436 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1437 0 \
1438 -C "client hello, adding renegotiation extension" \
1439 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1440 -S "found renegotiation extension" \
1441 -s "server hello, secure renegotiation extension" \
1442 -c "found renegotiation extension" \
1443 -C "=> renegotiate" \
1444 -S "=> renegotiate" \
1445 -s "write hello request" \
1446 -S "SSL - An unexpected message was received from our peer" \
1447 -S "failed"
1448
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1449# delay 2 for 1 alert record + 1 application data record
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1450run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1451 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1452 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1453 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1454 0 \
1455 -C "client hello, adding renegotiation extension" \
1456 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1457 -S "found renegotiation extension" \
1458 -s "server hello, secure renegotiation extension" \
1459 -c "found renegotiation extension" \
1460 -C "=> renegotiate" \
1461 -S "=> renegotiate" \
1462 -s "write hello request" \
1463 -S "SSL - An unexpected message was received from our peer" \
1464 -S "failed"
1465
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1466run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1467 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1468 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1469 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1470 0 \
1471 -C "client hello, adding renegotiation extension" \
1472 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1473 -S "found renegotiation extension" \
1474 -s "server hello, secure renegotiation extension" \
1475 -c "found renegotiation extension" \
1476 -C "=> renegotiate" \
1477 -S "=> renegotiate" \
1478 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1479 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1480
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1481run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1482 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1483 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1484 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1485 0 \
1486 -c "client hello, adding renegotiation extension" \
1487 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1488 -s "found renegotiation extension" \
1489 -s "server hello, secure renegotiation extension" \
1490 -c "found renegotiation extension" \
1491 -c "=> renegotiate" \
1492 -s "=> renegotiate" \
1493 -s "write hello request" \
1494 -S "SSL - An unexpected message was received from our peer" \
1495 -S "failed"
1496
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1497run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1498 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1499 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1500 0 \
1501 -C "client hello, adding renegotiation extension" \
1502 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1503 -S "found renegotiation extension" \
1504 -s "server hello, secure renegotiation extension" \
1505 -c "found renegotiation extension" \
1506 -S "record counter limit reached: renegotiate" \
1507 -C "=> renegotiate" \
1508 -S "=> renegotiate" \
1509 -S "write hello request" \
1510 -S "SSL - An unexpected message was received from our peer" \
1511 -S "failed"
1512
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1513# one extra exchange to be able to complete renego
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1514run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1515 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1516 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1517 0 \
1518 -c "client hello, adding renegotiation extension" \
1519 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1520 -s "found renegotiation extension" \
1521 -s "server hello, secure renegotiation extension" \
1522 -c "found renegotiation extension" \
1523 -s "record counter limit reached: renegotiate" \
1524 -c "=> renegotiate" \
1525 -s "=> renegotiate" \
1526 -s "write hello request" \
1527 -S "SSL - An unexpected message was received from our peer" \
1528 -S "failed"
1529
1530run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1531 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1532 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1533 0 \
1534 -c "client hello, adding renegotiation extension" \
1535 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1536 -s "found renegotiation extension" \
1537 -s "server hello, secure renegotiation extension" \
1538 -c "found renegotiation extension" \
1539 -s "record counter limit reached: renegotiate" \
1540 -c "=> renegotiate" \
1541 -s "=> renegotiate" \
1542 -s "write hello request" \
1543 -S "SSL - An unexpected message was received from our peer" \
1544 -S "failed"
1545
1546run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1547 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1548 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1549 0 \
1550 -C "client hello, adding renegotiation extension" \
1551 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1552 -S "found renegotiation extension" \
1553 -s "server hello, secure renegotiation extension" \
1554 -c "found renegotiation extension" \
1555 -S "record counter limit reached: renegotiate" \
1556 -C "=> renegotiate" \
1557 -S "=> renegotiate" \
1558 -S "write hello request" \
1559 -S "SSL - An unexpected message was received from our peer" \
1560 -S "failed"
1561
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1562run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1563 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1564 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1565 0 \
1566 -c "client hello, adding renegotiation extension" \
1567 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1568 -s "found renegotiation extension" \
1569 -s "server hello, secure renegotiation extension" \
1570 -c "found renegotiation extension" \
1571 -c "=> renegotiate" \
1572 -s "=> renegotiate" \
1573 -S "write hello request"
1574
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1575run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1576 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1577 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1578 0 \
1579 -c "client hello, adding renegotiation extension" \
1580 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1581 -s "found renegotiation extension" \
1582 -s "server hello, secure renegotiation extension" \
1583 -c "found renegotiation extension" \
1584 -c "=> renegotiate" \
1585 -s "=> renegotiate" \
1586 -s "write hello request"
1587
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1588run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1589 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1590 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1591 0 \
1592 -c "client hello, adding renegotiation extension" \
1593 -c "found renegotiation extension" \
1594 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1595 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1596 -C "error" \
1597 -c "HTTP/1.0 200 [Oo][Kk]"
1598
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1599requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1600run_test "Renegotiation: gnutls server strict, client-initiated" \
1601 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1602 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1603 0 \
1604 -c "client hello, adding renegotiation extension" \
1605 -c "found renegotiation extension" \
1606 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1607 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1608 -C "error" \
1609 -c "HTTP/1.0 200 [Oo][Kk]"
1610
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1611requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1612run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1613 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1614 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1615 1 \
1616 -c "client hello, adding renegotiation extension" \
1617 -C "found renegotiation extension" \
1618 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1619 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1620 -c "error" \
1621 -C "HTTP/1.0 200 [Oo][Kk]"
1622
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1623requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1624run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1625 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1626 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1627 allow_legacy=0" \
1628 1 \
1629 -c "client hello, adding renegotiation extension" \
1630 -C "found renegotiation extension" \
1631 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1632 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1633 -c "error" \
1634 -C "HTTP/1.0 200 [Oo][Kk]"
1635
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1636requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1637run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1638 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1639 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1640 allow_legacy=1" \
1641 0 \
1642 -c "client hello, adding renegotiation extension" \
1643 -C "found renegotiation extension" \
1644 -c "=> renegotiate" \
1645 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1646 -C "error" \
1647 -c "HTTP/1.0 200 [Oo][Kk]"
1648
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1649run_test "Renegotiation: DTLS, client-initiated" \
1650 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1651 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1652 0 \
1653 -c "client hello, adding renegotiation extension" \
1654 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1655 -s "found renegotiation extension" \
1656 -s "server hello, secure renegotiation extension" \
1657 -c "found renegotiation extension" \
1658 -c "=> renegotiate" \
1659 -s "=> renegotiate" \
1660 -S "write hello request"
1661
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1662run_test "Renegotiation: DTLS, server-initiated" \
1663 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1664 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1665 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1666 0 \
1667 -c "client hello, adding renegotiation extension" \
1668 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1669 -s "found renegotiation extension" \
1670 -s "server hello, secure renegotiation extension" \
1671 -c "found renegotiation extension" \
1672 -c "=> renegotiate" \
1673 -s "=> renegotiate" \
1674 -s "write hello request"
1675
Andres AG9b1927b2017-01-19 16:30:57 +0000[diff] [blame]1676run_test "Renegotiation: DTLS, renego_period overflow" \
1677 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1678 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1679 0 \
1680 -c "client hello, adding renegotiation extension" \
1681 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1682 -s "found renegotiation extension" \
1683 -s "server hello, secure renegotiation extension" \
1684 -s "record counter limit reached: renegotiate" \
1685 -c "=> renegotiate" \
1686 -s "=> renegotiate" \
1687 -s "write hello request" \
1688
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1689requires_gnutls
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1690run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1691 "$G_SRV -u --mtu 4096" \
1692 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1693 0 \
1694 -c "client hello, adding renegotiation extension" \
1695 -c "found renegotiation extension" \
1696 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1697 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1698 -C "error" \
1699 -s "Extra-header:"
1700
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1701# Test for the "secure renegotation" extension only (no actual renegotiation)
1702
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1703requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1704run_test "Renego ext: gnutls server strict, client default" \
1705 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1706 "$P_CLI debug_level=3" \
1707 0 \
1708 -c "found renegotiation extension" \
1709 -C "error" \
1710 -c "HTTP/1.0 200 [Oo][Kk]"
1711
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1712requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1713run_test "Renego ext: gnutls server unsafe, client default" \
1714 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1715 "$P_CLI debug_level=3" \
1716 0 \
1717 -C "found renegotiation extension" \
1718 -C "error" \
1719 -c "HTTP/1.0 200 [Oo][Kk]"
1720
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1721requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1722run_test "Renego ext: gnutls server unsafe, client break legacy" \
1723 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1724 "$P_CLI debug_level=3 allow_legacy=-1" \
1725 1 \
1726 -C "found renegotiation extension" \
1727 -c "error" \
1728 -C "HTTP/1.0 200 [Oo][Kk]"
1729
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1730requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1731run_test "Renego ext: gnutls client strict, server default" \
1732 "$P_SRV debug_level=3" \
1733 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1734 0 \
1735 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1736 -s "server hello, secure renegotiation extension"
1737
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1738requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1739run_test "Renego ext: gnutls client unsafe, server default" \
1740 "$P_SRV debug_level=3" \
1741 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1742 0 \
1743 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1744 -S "server hello, secure renegotiation extension"
1745
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1746requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1747run_test "Renego ext: gnutls client unsafe, server break legacy" \
1748 "$P_SRV debug_level=3 allow_legacy=-1" \
1749 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1750 1 \
1751 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1752 -S "server hello, secure renegotiation extension"
1753
Janos Follath365b2262016-02-17 10:11:21 +0000[diff] [blame]1754# Tests for silently dropping trailing extra bytes in .der certificates
1755
1756requires_gnutls
1757run_test "DER format: no trailing bytes" \
1758 "$P_SRV crt_file=data_files/server5-der0.crt \
1759 key_file=data_files/server5.key" \
1760 "$G_CLI " \
1761 0 \
1762 -c "Handshake was completed" \
1763
1764requires_gnutls
1765run_test "DER format: with a trailing zero byte" \
1766 "$P_SRV crt_file=data_files/server5-der1a.crt \
1767 key_file=data_files/server5.key" \
1768 "$G_CLI " \
1769 0 \
1770 -c "Handshake was completed" \
1771
1772requires_gnutls
1773run_test "DER format: with a trailing random byte" \
1774 "$P_SRV crt_file=data_files/server5-der1b.crt \
1775 key_file=data_files/server5.key" \
1776 "$G_CLI " \
1777 0 \
1778 -c "Handshake was completed" \
1779
1780requires_gnutls
1781run_test "DER format: with 2 trailing random bytes" \
1782 "$P_SRV crt_file=data_files/server5-der2.crt \
1783 key_file=data_files/server5.key" \
1784 "$G_CLI " \
1785 0 \
1786 -c "Handshake was completed" \
1787
1788requires_gnutls
1789run_test "DER format: with 4 trailing random bytes" \
1790 "$P_SRV crt_file=data_files/server5-der4.crt \
1791 key_file=data_files/server5.key" \
1792 "$G_CLI " \
1793 0 \
1794 -c "Handshake was completed" \
1795
1796requires_gnutls
1797run_test "DER format: with 8 trailing random bytes" \
1798 "$P_SRV crt_file=data_files/server5-der8.crt \
1799 key_file=data_files/server5.key" \
1800 "$G_CLI " \
1801 0 \
1802 -c "Handshake was completed" \
1803
1804requires_gnutls
1805run_test "DER format: with 9 trailing random bytes" \
1806 "$P_SRV crt_file=data_files/server5-der9.crt \
1807 key_file=data_files/server5.key" \
1808 "$G_CLI " \
1809 0 \
1810 -c "Handshake was completed" \
1811
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1812# Tests for auth_mode
1813
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1814run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1815 "$P_SRV crt_file=data_files/server5-badsign.crt \
1816 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1817 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1818 1 \
1819 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1820 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1821 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1822 -c "X509 - Certificate verification failed"
1823
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1824run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1825 "$P_SRV crt_file=data_files/server5-badsign.crt \
1826 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1827 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1828 0 \
1829 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1830 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1832 -C "X509 - Certificate verification failed"
1833
Hanno Becker61c0c702017-05-15 16:05:15 +0100[diff] [blame]1834run_test "Authentication: server goodcert, client optional, no trusted CA" \
1835 "$P_SRV" \
1836 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1837 0 \
1838 -c "x509_verify_cert() returned" \
1839 -c "! The certificate is not correctly signed by the trusted CA" \
1840 -c "! Certificate verification flags"\
1841 -C "! mbedtls_ssl_handshake returned" \
1842 -C "X509 - Certificate verification failed" \
1843 -C "SSL - No CA Chain is set, but required to operate"
1844
1845run_test "Authentication: server goodcert, client required, no trusted CA" \
1846 "$P_SRV" \
1847 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1848 1 \
1849 -c "x509_verify_cert() returned" \
1850 -c "! The certificate is not correctly signed by the trusted CA" \
1851 -c "! Certificate verification flags"\
1852 -c "! mbedtls_ssl_handshake returned" \
1853 -c "SSL - No CA Chain is set, but required to operate"
1854
1855# The purpose of the next two tests is to test the client's behaviour when receiving a server
1856# certificate with an unsupported elliptic curve. This should usually not happen because
1857# the client informs the server about the supported curves - it does, though, in the
1858# corner case of a static ECDH suite, because the server doesn't check the curve on that
1859# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1860# different means to have the server ignoring the client's supported curve list.
1861
1862requires_config_enabled MBEDTLS_ECP_C
1863run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1864 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1865 crt_file=data_files/server5.ku-ka.crt" \
1866 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1867 1 \
1868 -c "bad certificate (EC key curve)"\
1869 -c "! Certificate verification flags"\
1870 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1871
1872requires_config_enabled MBEDTLS_ECP_C
1873run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1874 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1875 crt_file=data_files/server5.ku-ka.crt" \
1876 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1877 1 \
1878 -c "bad certificate (EC key curve)"\
1879 -c "! Certificate verification flags"\
1880 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1881
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1882run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1883 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1884 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1885 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1886 0 \
1887 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1888 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1889 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1890 -C "X509 - Certificate verification failed"
1891
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1892run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1893 "$P_SRV debug_level=3 auth_mode=required" \
1894 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1895 key_file=data_files/server5.key" \
1896 1 \
1897 -S "skip write certificate request" \
1898 -C "skip parse certificate request" \
1899 -c "got a certificate request" \
1900 -C "skip write certificate" \
1901 -C "skip write certificate verify" \
1902 -S "skip parse certificate verify" \
1903 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]1904 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1905 -s "! mbedtls_ssl_handshake returned" \
1906 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1907 -s "X509 - Certificate verification failed"
1908
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1909run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1910 "$P_SRV debug_level=3 auth_mode=optional" \
1911 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1912 key_file=data_files/server5.key" \
1913 0 \
1914 -S "skip write certificate request" \
1915 -C "skip parse certificate request" \
1916 -c "got a certificate request" \
1917 -C "skip write certificate" \
1918 -C "skip write certificate verify" \
1919 -S "skip parse certificate verify" \
1920 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1921 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1922 -S "! mbedtls_ssl_handshake returned" \
1923 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1924 -S "X509 - Certificate verification failed"
1925
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1926run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1927 "$P_SRV debug_level=3 auth_mode=none" \
1928 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1929 key_file=data_files/server5.key" \
1930 0 \
1931 -s "skip write certificate request" \
1932 -C "skip parse certificate request" \
1933 -c "got no certificate request" \
1934 -c "skip write certificate" \
1935 -c "skip write certificate verify" \
1936 -s "skip parse certificate verify" \
1937 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1938 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1939 -S "! mbedtls_ssl_handshake returned" \
1940 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1941 -S "X509 - Certificate verification failed"
1942
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1943run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1944 "$P_SRV debug_level=3 auth_mode=optional" \
1945 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1946 0 \
1947 -S "skip write certificate request" \
1948 -C "skip parse certificate request" \
1949 -c "got a certificate request" \
1950 -C "skip write certificate$" \
1951 -C "got no certificate to send" \
1952 -S "SSLv3 client has no certificate" \
1953 -c "skip write certificate verify" \
1954 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1955 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1956 -S "! mbedtls_ssl_handshake returned" \
1957 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1958 -S "X509 - Certificate verification failed"
1959
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1960run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1961 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1962 "$O_CLI" \
1963 0 \
1964 -S "skip write certificate request" \
1965 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1966 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1967 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1968 -S "X509 - Certificate verification failed"
1969
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1970run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1971 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1972 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1973 0 \
1974 -C "skip parse certificate request" \
1975 -c "got a certificate request" \
1976 -C "skip write certificate$" \
1977 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1978 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1979
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]1980requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1981run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1982 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]1983 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1984 0 \
1985 -S "skip write certificate request" \
1986 -C "skip parse certificate request" \
1987 -c "got a certificate request" \
1988 -C "skip write certificate$" \
1989 -c "skip write certificate verify" \
1990 -c "got no certificate to send" \
1991 -s "SSLv3 client has no certificate" \
1992 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1993 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1994 -S "! mbedtls_ssl_handshake returned" \
1995 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1996 -S "X509 - Certificate verification failed"
1997
Manuel Pégourié-Gonnard591035d2017-06-26 10:45:33 +0200[diff] [blame]1998run_test "Authentication: server max_int chain, client default" \
1999 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2000 key_file=data_files/dir-maxpath/09.key" \
2001 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2002 0 \
2003 -C "X509 - A fatal error occured"
2004
2005run_test "Authentication: server max_int+1 chain, client default" \
2006 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2007 key_file=data_files/dir-maxpath/10.key" \
2008 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2009 1 \
2010 -c "X509 - A fatal error occured"
2011
2012run_test "Authentication: server max_int+1 chain, client optional" \
2013 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2014 key_file=data_files/dir-maxpath/10.key" \
2015 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2016 auth_mode=optional" \
2017 1 \
2018 -c "X509 - A fatal error occured"
2019
2020run_test "Authentication: server max_int+1 chain, client none" \
2021 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2022 key_file=data_files/dir-maxpath/10.key" \
2023 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2024 auth_mode=none" \
2025 0 \
2026 -C "X509 - A fatal error occured"
2027
2028run_test "Authentication: client max_int+1 chain, server default" \
2029 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2030 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2031 key_file=data_files/dir-maxpath/10.key" \
2032 0 \
2033 -S "X509 - A fatal error occured"
2034
2035run_test "Authentication: client max_int+1 chain, server optional" \
2036 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2037 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2038 key_file=data_files/dir-maxpath/10.key" \
2039 1 \
2040 -s "X509 - A fatal error occured"
2041
2042run_test "Authentication: client max_int+1 chain, server required" \
2043 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2044 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2045 key_file=data_files/dir-maxpath/10.key" \
2046 1 \
2047 -s "X509 - A fatal error occured"
2048
2049run_test "Authentication: client max_int chain, server required" \
2050 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2051 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2052 key_file=data_files/dir-maxpath/09.key" \
2053 0 \
2054 -S "X509 - A fatal error occured"
2055
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2056# Tests for certificate selection based on SHA verson
2057
2058run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2059 "$P_SRV crt_file=data_files/server5.crt \
2060 key_file=data_files/server5.key \
2061 crt_file2=data_files/server5-sha1.crt \
2062 key_file2=data_files/server5.key" \
2063 "$P_CLI force_version=tls1_2" \
2064 0 \
2065 -c "signed using.*ECDSA with SHA256" \
2066 -C "signed using.*ECDSA with SHA1"
2067
2068run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2069 "$P_SRV crt_file=data_files/server5.crt \
2070 key_file=data_files/server5.key \
2071 crt_file2=data_files/server5-sha1.crt \
2072 key_file2=data_files/server5.key" \
2073 "$P_CLI force_version=tls1_1" \
2074 0 \
2075 -C "signed using.*ECDSA with SHA256" \
2076 -c "signed using.*ECDSA with SHA1"
2077
2078run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2079 "$P_SRV crt_file=data_files/server5.crt \
2080 key_file=data_files/server5.key \
2081 crt_file2=data_files/server5-sha1.crt \
2082 key_file2=data_files/server5.key" \
2083 "$P_CLI force_version=tls1" \
2084 0 \
2085 -C "signed using.*ECDSA with SHA256" \
2086 -c "signed using.*ECDSA with SHA1"
2087
2088run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2089 "$P_SRV crt_file=data_files/server5.crt \
2090 key_file=data_files/server5.key \
2091 crt_file2=data_files/server6.crt \
2092 key_file2=data_files/server6.key" \
2093 "$P_CLI force_version=tls1_1" \
2094 0 \
2095 -c "serial number.*09" \
2096 -c "signed using.*ECDSA with SHA256" \
2097 -C "signed using.*ECDSA with SHA1"
2098
2099run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2100 "$P_SRV crt_file=data_files/server6.crt \
2101 key_file=data_files/server6.key \
2102 crt_file2=data_files/server5.crt \
2103 key_file2=data_files/server5.key" \
2104 "$P_CLI force_version=tls1_1" \
2105 0 \
2106 -c "serial number.*0A" \
2107 -c "signed using.*ECDSA with SHA256" \
2108 -C "signed using.*ECDSA with SHA1"
2109
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2110# tests for SNI
2111
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2112run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2113 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2114 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2115 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2116 0 \
2117 -S "parse ServerName extension" \
2118 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2119 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2120
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2121run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2122 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2123 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2124 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2125 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2126 0 \
2127 -s "parse ServerName extension" \
2128 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2129 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2130
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2131run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2132 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2133 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2134 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2135 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2136 0 \
2137 -s "parse ServerName extension" \
2138 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2139 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2140
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2141run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2142 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2143 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2144 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2145 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2146 1 \
2147 -s "parse ServerName extension" \
2148 -s "ssl_sni_wrapper() returned" \
2149 -s "mbedtls_ssl_handshake returned" \
2150 -c "mbedtls_ssl_handshake returned" \
2151 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2152
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2153run_test "SNI: client auth no override: optional" \
2154 "$P_SRV debug_level=3 auth_mode=optional \
2155 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2156 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2157 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2158 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2159 -S "skip write certificate request" \
2160 -C "skip parse certificate request" \
2161 -c "got a certificate request" \
2162 -C "skip write certificate" \
2163 -C "skip write certificate verify" \
2164 -S "skip parse certificate verify"
2165
2166run_test "SNI: client auth override: none -> optional" \
2167 "$P_SRV debug_level=3 auth_mode=none \
2168 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2169 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2170 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2171 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2172 -S "skip write certificate request" \
2173 -C "skip parse certificate request" \
2174 -c "got a certificate request" \
2175 -C "skip write certificate" \
2176 -C "skip write certificate verify" \
2177 -S "skip parse certificate verify"
2178
2179run_test "SNI: client auth override: optional -> none" \
2180 "$P_SRV debug_level=3 auth_mode=optional \
2181 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2182 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2183 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2184 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2185 -s "skip write certificate request" \
2186 -C "skip parse certificate request" \
2187 -c "got no certificate request" \
2188 -c "skip write certificate" \
2189 -c "skip write certificate verify" \
2190 -s "skip parse certificate verify"
2191
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2192run_test "SNI: CA no override" \
2193 "$P_SRV debug_level=3 auth_mode=optional \
2194 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2195 ca_file=data_files/test-ca.crt \
2196 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2197 "$P_CLI debug_level=3 server_name=localhost \
2198 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2199 1 \
2200 -S "skip write certificate request" \
2201 -C "skip parse certificate request" \
2202 -c "got a certificate request" \
2203 -C "skip write certificate" \
2204 -C "skip write certificate verify" \
2205 -S "skip parse certificate verify" \
2206 -s "x509_verify_cert() returned" \
2207 -s "! The certificate is not correctly signed by the trusted CA" \
2208 -S "The certificate has been revoked (is on a CRL)"
2209
2210run_test "SNI: CA override" \
2211 "$P_SRV debug_level=3 auth_mode=optional \
2212 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2213 ca_file=data_files/test-ca.crt \
2214 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2215 "$P_CLI debug_level=3 server_name=localhost \
2216 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2217 0 \
2218 -S "skip write certificate request" \
2219 -C "skip parse certificate request" \
2220 -c "got a certificate request" \
2221 -C "skip write certificate" \
2222 -C "skip write certificate verify" \
2223 -S "skip parse certificate verify" \
2224 -S "x509_verify_cert() returned" \
2225 -S "! The certificate is not correctly signed by the trusted CA" \
2226 -S "The certificate has been revoked (is on a CRL)"
2227
2228run_test "SNI: CA override with CRL" \
2229 "$P_SRV debug_level=3 auth_mode=optional \
2230 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2231 ca_file=data_files/test-ca.crt \
2232 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2233 "$P_CLI debug_level=3 server_name=localhost \
2234 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2235 1 \
2236 -S "skip write certificate request" \
2237 -C "skip parse certificate request" \
2238 -c "got a certificate request" \
2239 -C "skip write certificate" \
2240 -C "skip write certificate verify" \
2241 -S "skip parse certificate verify" \
2242 -s "x509_verify_cert() returned" \
2243 -S "! The certificate is not correctly signed by the trusted CA" \
2244 -s "The certificate has been revoked (is on a CRL)"
2245
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2246# Tests for non-blocking I/O: exercise a variety of handshake flows
2247
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2248run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2249 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2250 "$P_CLI nbio=2 tickets=0" \
2251 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2252 -S "mbedtls_ssl_handshake returned" \
2253 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2254 -c "Read from server: .* bytes read"
2255
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2256run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2257 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2258 "$P_CLI nbio=2 tickets=0" \
2259 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2260 -S "mbedtls_ssl_handshake returned" \
2261 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2262 -c "Read from server: .* bytes read"
2263
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2264run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2265 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2266 "$P_CLI nbio=2 tickets=1" \
2267 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2268 -S "mbedtls_ssl_handshake returned" \
2269 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2270 -c "Read from server: .* bytes read"
2271
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2272run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2273 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2274 "$P_CLI nbio=2 tickets=1" \
2275 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2276 -S "mbedtls_ssl_handshake returned" \
2277 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2278 -c "Read from server: .* bytes read"
2279
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2280run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2281 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2282 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2283 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2284 -S "mbedtls_ssl_handshake returned" \
2285 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2286 -c "Read from server: .* bytes read"
2287
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2288run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2289 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2290 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2291 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2292 -S "mbedtls_ssl_handshake returned" \
2293 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2294 -c "Read from server: .* bytes read"
2295
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2296run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2297 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2298 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2299 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2300 -S "mbedtls_ssl_handshake returned" \
2301 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2302 -c "Read from server: .* bytes read"
2303
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2304# Tests for version negotiation
2305
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2306run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2307 "$P_SRV" \
2308 "$P_CLI" \
2309 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2310 -S "mbedtls_ssl_handshake returned" \
2311 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2312 -s "Protocol is TLSv1.2" \
2313 -c "Protocol is TLSv1.2"
2314
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2315run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2316 "$P_SRV" \
2317 "$P_CLI max_version=tls1_1" \
2318 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2319 -S "mbedtls_ssl_handshake returned" \
2320 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2321 -s "Protocol is TLSv1.1" \
2322 -c "Protocol is TLSv1.1"
2323
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2324run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2325 "$P_SRV max_version=tls1_1" \
2326 "$P_CLI" \
2327 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2328 -S "mbedtls_ssl_handshake returned" \
2329 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2330 -s "Protocol is TLSv1.1" \
2331 -c "Protocol is TLSv1.1"
2332
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2333run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2334 "$P_SRV max_version=tls1_1" \
2335 "$P_CLI max_version=tls1_1" \
2336 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2337 -S "mbedtls_ssl_handshake returned" \
2338 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2339 -s "Protocol is TLSv1.1" \
2340 -c "Protocol is TLSv1.1"
2341
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2342run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2343 "$P_SRV min_version=tls1_1" \
2344 "$P_CLI max_version=tls1_1" \
2345 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2346 -S "mbedtls_ssl_handshake returned" \
2347 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2348 -s "Protocol is TLSv1.1" \
2349 -c "Protocol is TLSv1.1"
2350
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2351run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2352 "$P_SRV max_version=tls1_1" \
2353 "$P_CLI min_version=tls1_1" \
2354 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2355 -S "mbedtls_ssl_handshake returned" \
2356 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2357 -s "Protocol is TLSv1.1" \
2358 -c "Protocol is TLSv1.1"
2359
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2360run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2361 "$P_SRV max_version=tls1_1" \
2362 "$P_CLI min_version=tls1_2" \
2363 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2364 -s "mbedtls_ssl_handshake returned" \
2365 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2366 -c "SSL - Handshake protocol not within min/max boundaries"
2367
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2368run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2369 "$P_SRV min_version=tls1_2" \
2370 "$P_CLI max_version=tls1_1" \
2371 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2372 -s "mbedtls_ssl_handshake returned" \
2373 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2374 -s "SSL - Handshake protocol not within min/max boundaries"
2375
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2376# Tests for ALPN extension
2377
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2378run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2379 "$P_SRV debug_level=3" \
2380 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2381 0 \
2382 -C "client hello, adding alpn extension" \
2383 -S "found alpn extension" \
2384 -C "got an alert message, type: \\[2:120]" \
2385 -S "server hello, adding alpn extension" \
2386 -C "found alpn extension " \
2387 -C "Application Layer Protocol is" \
2388 -S "Application Layer Protocol is"
2389
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2390run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2391 "$P_SRV debug_level=3" \
2392 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2393 0 \
2394 -c "client hello, adding alpn extension" \
2395 -s "found alpn extension" \
2396 -C "got an alert message, type: \\[2:120]" \
2397 -S "server hello, adding alpn extension" \
2398 -C "found alpn extension " \
2399 -c "Application Layer Protocol is (none)" \
2400 -S "Application Layer Protocol is"
2401
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2402run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2403 "$P_SRV debug_level=3 alpn=abc,1234" \
2404 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2405 0 \
2406 -C "client hello, adding alpn extension" \
2407 -S "found alpn extension" \
2408 -C "got an alert message, type: \\[2:120]" \
2409 -S "server hello, adding alpn extension" \
2410 -C "found alpn extension " \
2411 -C "Application Layer Protocol is" \
2412 -s "Application Layer Protocol is (none)"
2413
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2414run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2415 "$P_SRV debug_level=3 alpn=abc,1234" \
2416 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2417 0 \
2418 -c "client hello, adding alpn extension" \
2419 -s "found alpn extension" \
2420 -C "got an alert message, type: \\[2:120]" \
2421 -s "server hello, adding alpn extension" \
2422 -c "found alpn extension" \
2423 -c "Application Layer Protocol is abc" \
2424 -s "Application Layer Protocol is abc"
2425
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2426run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2427 "$P_SRV debug_level=3 alpn=abc,1234" \
2428 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2429 0 \
2430 -c "client hello, adding alpn extension" \
2431 -s "found alpn extension" \
2432 -C "got an alert message, type: \\[2:120]" \
2433 -s "server hello, adding alpn extension" \
2434 -c "found alpn extension" \
2435 -c "Application Layer Protocol is abc" \
2436 -s "Application Layer Protocol is abc"
2437
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2438run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2439 "$P_SRV debug_level=3 alpn=abc,1234" \
2440 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2441 0 \
2442 -c "client hello, adding alpn extension" \
2443 -s "found alpn extension" \
2444 -C "got an alert message, type: \\[2:120]" \
2445 -s "server hello, adding alpn extension" \
2446 -c "found alpn extension" \
2447 -c "Application Layer Protocol is 1234" \
2448 -s "Application Layer Protocol is 1234"
2449
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2450run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2451 "$P_SRV debug_level=3 alpn=abc,123" \
2452 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2453 1 \
2454 -c "client hello, adding alpn extension" \
2455 -s "found alpn extension" \
2456 -c "got an alert message, type: \\[2:120]" \
2457 -S "server hello, adding alpn extension" \
2458 -C "found alpn extension" \
2459 -C "Application Layer Protocol is 1234" \
2460 -S "Application Layer Protocol is 1234"
2461
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2462
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2463# Tests for keyUsage in leaf certificates, part 1:
2464# server-side certificate/suite selection
2465
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2466run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2467 "$P_SRV key_file=data_files/server2.key \
2468 crt_file=data_files/server2.ku-ds.crt" \
2469 "$P_CLI" \
2470 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2471 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2472
2473
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2474run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2475 "$P_SRV key_file=data_files/server2.key \
2476 crt_file=data_files/server2.ku-ke.crt" \
2477 "$P_CLI" \
2478 0 \
2479 -c "Ciphersuite is TLS-RSA-WITH-"
2480
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2481run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2482 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2483 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2484 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2485 1 \
2486 -C "Ciphersuite is "
2487
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2488run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2489 "$P_SRV key_file=data_files/server5.key \
2490 crt_file=data_files/server5.ku-ds.crt" \
2491 "$P_CLI" \
2492 0 \
2493 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2494
2495
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2496run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2497 "$P_SRV key_file=data_files/server5.key \
2498 crt_file=data_files/server5.ku-ka.crt" \
2499 "$P_CLI" \
2500 0 \
2501 -c "Ciphersuite is TLS-ECDH-"
2502
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2503run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2504 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2505 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2506 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2507 1 \
2508 -C "Ciphersuite is "
2509
2510# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2511# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2512
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2513run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2514 "$O_SRV -key data_files/server2.key \
2515 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2516 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2517 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2518 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2519 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2520 -C "Processing of the Certificate handshake message failed" \
2521 -c "Ciphersuite is TLS-"
2522
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2523run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2524 "$O_SRV -key data_files/server2.key \
2525 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2526 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2527 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2528 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2529 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2530 -C "Processing of the Certificate handshake message failed" \
2531 -c "Ciphersuite is TLS-"
2532
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2533run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2534 "$O_SRV -key data_files/server2.key \
2535 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2536 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2537 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2538 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2539 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2540 -C "Processing of the Certificate handshake message failed" \
2541 -c "Ciphersuite is TLS-"
2542
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2543run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2544 "$O_SRV -key data_files/server2.key \
2545 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2546 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2547 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2548 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2549 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2550 -c "Processing of the Certificate handshake message failed" \
2551 -C "Ciphersuite is TLS-"
2552
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2553run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2554 "$O_SRV -key data_files/server2.key \
2555 -cert data_files/server2.ku-ke.crt" \
2556 "$P_CLI debug_level=1 auth_mode=optional \
2557 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2558 0 \
2559 -c "bad certificate (usage extensions)" \
2560 -C "Processing of the Certificate handshake message failed" \
2561 -c "Ciphersuite is TLS-" \
2562 -c "! Usage does not match the keyUsage extension"
2563
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2564run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2565 "$O_SRV -key data_files/server2.key \
2566 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2567 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2568 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2569 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2570 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2571 -C "Processing of the Certificate handshake message failed" \
2572 -c "Ciphersuite is TLS-"
2573
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2574run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2575 "$O_SRV -key data_files/server2.key \
2576 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2577 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2578 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2579 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2580 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2581 -c "Processing of the Certificate handshake message failed" \
2582 -C "Ciphersuite is TLS-"
2583
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2584run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2585 "$O_SRV -key data_files/server2.key \
2586 -cert data_files/server2.ku-ds.crt" \
2587 "$P_CLI debug_level=1 auth_mode=optional \
2588 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2589 0 \
2590 -c "bad certificate (usage extensions)" \
2591 -C "Processing of the Certificate handshake message failed" \
2592 -c "Ciphersuite is TLS-" \
2593 -c "! Usage does not match the keyUsage extension"
2594
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2595# Tests for keyUsage in leaf certificates, part 3:
2596# server-side checking of client cert
2597
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2598run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2599 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2600 "$O_CLI -key data_files/server2.key \
2601 -cert data_files/server2.ku-ds.crt" \
2602 0 \
2603 -S "bad certificate (usage extensions)" \
2604 -S "Processing of the Certificate handshake message failed"
2605
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2606run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2607 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2608 "$O_CLI -key data_files/server2.key \
2609 -cert data_files/server2.ku-ke.crt" \
2610 0 \
2611 -s "bad certificate (usage extensions)" \
2612 -S "Processing of the Certificate handshake message failed"
2613
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2614run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2615 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2616 "$O_CLI -key data_files/server2.key \
2617 -cert data_files/server2.ku-ke.crt" \
2618 1 \
2619 -s "bad certificate (usage extensions)" \
2620 -s "Processing of the Certificate handshake message failed"
2621
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2622run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2623 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2624 "$O_CLI -key data_files/server5.key \
2625 -cert data_files/server5.ku-ds.crt" \
2626 0 \
2627 -S "bad certificate (usage extensions)" \
2628 -S "Processing of the Certificate handshake message failed"
2629
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2630run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2631 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2632 "$O_CLI -key data_files/server5.key \
2633 -cert data_files/server5.ku-ka.crt" \
2634 0 \
2635 -s "bad certificate (usage extensions)" \
2636 -S "Processing of the Certificate handshake message failed"
2637
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2638# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2639
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2640run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2641 "$P_SRV key_file=data_files/server5.key \
2642 crt_file=data_files/server5.eku-srv.crt" \
2643 "$P_CLI" \
2644 0
2645
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2646run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2647 "$P_SRV key_file=data_files/server5.key \
2648 crt_file=data_files/server5.eku-srv.crt" \
2649 "$P_CLI" \
2650 0
2651
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2652run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2653 "$P_SRV key_file=data_files/server5.key \
2654 crt_file=data_files/server5.eku-cs_any.crt" \
2655 "$P_CLI" \
2656 0
2657
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2658run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2659 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2660 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2661 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2662 1
2663
2664# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2665
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2666run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2667 "$O_SRV -key data_files/server5.key \
2668 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2669 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2670 0 \
2671 -C "bad certificate (usage extensions)" \
2672 -C "Processing of the Certificate handshake message failed" \
2673 -c "Ciphersuite is TLS-"
2674
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2675run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2676 "$O_SRV -key data_files/server5.key \
2677 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2678 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2679 0 \
2680 -C "bad certificate (usage extensions)" \
2681 -C "Processing of the Certificate handshake message failed" \
2682 -c "Ciphersuite is TLS-"
2683
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2684run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2685 "$O_SRV -key data_files/server5.key \
2686 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2687 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2688 0 \
2689 -C "bad certificate (usage extensions)" \
2690 -C "Processing of the Certificate handshake message failed" \
2691 -c "Ciphersuite is TLS-"
2692
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2693run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2694 "$O_SRV -key data_files/server5.key \
2695 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2696 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2697 1 \
2698 -c "bad certificate (usage extensions)" \
2699 -c "Processing of the Certificate handshake message failed" \
2700 -C "Ciphersuite is TLS-"
2701
2702# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2703
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2704run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2705 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2706 "$O_CLI -key data_files/server5.key \
2707 -cert data_files/server5.eku-cli.crt" \
2708 0 \
2709 -S "bad certificate (usage extensions)" \
2710 -S "Processing of the Certificate handshake message failed"
2711
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2712run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2713 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2714 "$O_CLI -key data_files/server5.key \
2715 -cert data_files/server5.eku-srv_cli.crt" \
2716 0 \
2717 -S "bad certificate (usage extensions)" \
2718 -S "Processing of the Certificate handshake message failed"
2719
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2720run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2721 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2722 "$O_CLI -key data_files/server5.key \
2723 -cert data_files/server5.eku-cs_any.crt" \
2724 0 \
2725 -S "bad certificate (usage extensions)" \
2726 -S "Processing of the Certificate handshake message failed"
2727
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2728run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2729 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2730 "$O_CLI -key data_files/server5.key \
2731 -cert data_files/server5.eku-cs.crt" \
2732 0 \
2733 -s "bad certificate (usage extensions)" \
2734 -S "Processing of the Certificate handshake message failed"
2735
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2736run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2737 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2738 "$O_CLI -key data_files/server5.key \
2739 -cert data_files/server5.eku-cs.crt" \
2740 1 \
2741 -s "bad certificate (usage extensions)" \
2742 -s "Processing of the Certificate handshake message failed"
2743
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2744# Tests for DHM parameters loading
2745
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2746run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2747 "$P_SRV" \
2748 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2749 debug_level=3" \
2750 0 \
2751 -c "value of 'DHM: P ' (2048 bits)" \
2752 -c "value of 'DHM: G ' (2048 bits)"
2753
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2754run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2755 "$P_SRV dhm_file=data_files/dhparams.pem" \
2756 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2757 debug_level=3" \
2758 0 \
2759 -c "value of 'DHM: P ' (1024 bits)" \
2760 -c "value of 'DHM: G ' (2 bits)"
2761
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]2762# Tests for DHM client-side size checking
2763
2764run_test "DHM size: server default, client default, OK" \
2765 "$P_SRV" \
2766 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2767 debug_level=1" \
2768 0 \
2769 -C "DHM prime too short:"
2770
2771run_test "DHM size: server default, client 2048, OK" \
2772 "$P_SRV" \
2773 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2774 debug_level=1 dhmlen=2048" \
2775 0 \
2776 -C "DHM prime too short:"
2777
2778run_test "DHM size: server 1024, client default, OK" \
2779 "$P_SRV dhm_file=data_files/dhparams.pem" \
2780 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2781 debug_level=1" \
2782 0 \
2783 -C "DHM prime too short:"
2784
2785run_test "DHM size: server 1000, client default, rejected" \
2786 "$P_SRV dhm_file=data_files/dh.1000.pem" \
2787 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2788 debug_level=1" \
2789 1 \
2790 -c "DHM prime too short:"
2791
2792run_test "DHM size: server default, client 2049, rejected" \
2793 "$P_SRV" \
2794 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2795 debug_level=1 dhmlen=2049" \
2796 1 \
2797 -c "DHM prime too short:"
2798
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2799# Tests for PSK callback
2800
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2801run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2802 "$P_SRV psk=abc123 psk_identity=foo" \
2803 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2804 psk_identity=foo psk=abc123" \
2805 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2806 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2807 -S "SSL - Unknown identity received" \
2808 -S "SSL - Verification of the message MAC failed"
2809
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2810run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2811 "$P_SRV" \
2812 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2813 psk_identity=foo psk=abc123" \
2814 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2815 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2816 -S "SSL - Unknown identity received" \
2817 -S "SSL - Verification of the message MAC failed"
2818
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2819run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2820 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2821 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2822 psk_identity=foo psk=abc123" \
2823 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2824 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2825 -s "SSL - Unknown identity received" \
2826 -S "SSL - Verification of the message MAC failed"
2827
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2828run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2829 "$P_SRV psk_list=abc,dead,def,beef" \
2830 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2831 psk_identity=abc psk=dead" \
2832 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2833 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2834 -S "SSL - Unknown identity received" \
2835 -S "SSL - Verification of the message MAC failed"
2836
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2837run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2838 "$P_SRV psk_list=abc,dead,def,beef" \
2839 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2840 psk_identity=def psk=beef" \
2841 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2842 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2843 -S "SSL - Unknown identity received" \
2844 -S "SSL - Verification of the message MAC failed"
2845
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2846run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2847 "$P_SRV psk_list=abc,dead,def,beef" \
2848 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2849 psk_identity=ghi psk=beef" \
2850 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2851 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2852 -s "SSL - Unknown identity received" \
2853 -S "SSL - Verification of the message MAC failed"
2854
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2855run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2856 "$P_SRV psk_list=abc,dead,def,beef" \
2857 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2858 psk_identity=abc psk=beef" \
2859 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2860 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2861 -S "SSL - Unknown identity received" \
2862 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2863
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2864# Tests for ciphersuites per version
2865
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2866requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2867run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2868 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2869 "$P_CLI force_version=ssl3" \
2870 0 \
2871 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
2872
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2873run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2874 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2875 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2876 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2877 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2878
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2879run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2880 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2881 "$P_CLI force_version=tls1_1" \
2882 0 \
2883 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
2884
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2885run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2886 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2887 "$P_CLI force_version=tls1_2" \
2888 0 \
2889 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
2890
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]2891# Test for ClientHello without extensions
2892
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]2893requires_gnutls
Gilles Peskine7344e1b2017-05-12 13:16:40 +0200[diff] [blame]2894run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]2895 "$P_SRV debug_level=3" \
2896 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
2897 0 \
2898 -s "dumping 'client hello extensions' (0 bytes)"
2899
Gilles Peskine7344e1b2017-05-12 13:16:40 +0200[diff] [blame]2900requires_gnutls
2901run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
2902 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
2903 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
2904 0 \
2905 -s "dumping 'client hello extensions' (0 bytes)"
2906
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2907# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2908
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2909run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2910 "$P_SRV" \
2911 "$P_CLI request_size=100" \
2912 0 \
2913 -s "Read from client: 100 bytes read$"
2914
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2915run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2916 "$P_SRV" \
2917 "$P_CLI request_size=500" \
2918 0 \
2919 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2920
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2921# Tests for small packets
2922
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2923requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2924run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2925 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2926 "$P_CLI request_size=1 force_version=ssl3 \
2927 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2928 0 \
2929 -s "Read from client: 1 bytes read"
2930
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]2931requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2932run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2933 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2934 "$P_CLI request_size=1 force_version=ssl3 \
2935 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2936 0 \
2937 -s "Read from client: 1 bytes read"
2938
2939run_test "Small packet TLS 1.0 BlockCipher" \
2940 "$P_SRV" \
2941 "$P_CLI request_size=1 force_version=tls1 \
2942 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2943 0 \
2944 -s "Read from client: 1 bytes read"
2945
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]2946run_test "Small packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]2947 "$P_SRV" \
2948 "$P_CLI request_size=1 force_version=tls1 etm=0 \
2949 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2950 0 \
2951 -s "Read from client: 1 bytes read"
2952
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]2953requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]2954run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2955 "$P_SRV" \
2956 "$P_CLI request_size=1 force_version=tls1 \
2957 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2958 trunc_hmac=1" \
2959 0 \
2960 -s "Read from client: 1 bytes read"
2961
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]2962requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]2963run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
2964 "$P_SRV" \
2965 "$P_CLI request_size=1 force_version=tls1 \
2966 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2967 trunc_hmac=1 \
2968 etm=0" \
2969 0 \
2970 -s "Read from client: 1 bytes read"
2971
2972run_test "Small packet TLS 1.0 StreamCipher" \
2973 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2974 "$P_CLI request_size=1 force_version=tls1 \
2975 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2976 0 \
2977 -s "Read from client: 1 bytes read"
2978
2979run_test "Small packet TLS 1.0 StreamCipher, without EtM" \
2980 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2981 "$P_CLI request_size=1 force_version=tls1 \
2982 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2983 etm=0" \
2984 0 \
2985 -s "Read from client: 1 bytes read"
2986
2987requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
2988run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2989 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2990 "$P_CLI request_size=1 force_version=tls1 \
2991 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2992 trunc_hmac=1" \
2993 0 \
2994 -s "Read from client: 1 bytes read"
2995
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]2996requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
2997run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
2998 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2999 "$P_CLI request_size=1 force_version=tls1 \
3000 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3001 trunc_hmac=1 \
3002 etm=0" \
3003 0 \
3004 -s "Read from client: 1 bytes read"
3005
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3006run_test "Small packet TLS 1.1 BlockCipher" \
3007 "$P_SRV" \
3008 "$P_CLI request_size=1 force_version=tls1_1 \
3009 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3010 0 \
3011 -s "Read from client: 1 bytes read"
3012
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3013run_test "Small packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3014 "$P_SRV" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3015 "$P_CLI request_size=1 force_version=tls1_1 \
3016 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA
3017 etm=0" \
3018 0 \
3019 -s "Read from client: 1 bytes read"
3020
3021requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3022run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \
3023 "$P_SRV" \
3024 "$P_CLI request_size=1 force_version=tls1_1 \
3025 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3026 trunc_hmac=1" \
3027 0 \
3028 -s "Read from client: 1 bytes read"
3029
3030requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3031run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
3032 "$P_SRV" \
3033 "$P_CLI request_size=1 force_version=tls1_1 \
3034 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3035 trunc_hmac=1 \
3036 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3037 0 \
3038 -s "Read from client: 1 bytes read"
3039
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3040run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3041 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3042 "$P_CLI request_size=1 force_version=tls1_1 \
3043 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3044 0 \
3045 -s "Read from client: 1 bytes read"
3046
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3047run_test "Small packet TLS 1.1 StreamCipher, without EtM" \
3048 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3049 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3050 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3051 etm=0" \
3052 0 \
3053 -s "Read from client: 1 bytes read"
3054
3055requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3056run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \
3057 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3058 "$P_CLI request_size=1 force_version=tls1_1 \
3059 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3060 trunc_hmac=1" \
3061 0 \
3062 -s "Read from client: 1 bytes read"
3063
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3064requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3065run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3066 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3067 "$P_CLI request_size=1 force_version=tls1_1 \
3068 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3069 trunc_hmac=1 \
3070 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3071 0 \
3072 -s "Read from client: 1 bytes read"
3073
3074run_test "Small packet TLS 1.2 BlockCipher" \
3075 "$P_SRV" \
3076 "$P_CLI request_size=1 force_version=tls1_2 \
3077 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3078 0 \
3079 -s "Read from client: 1 bytes read"
3080
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3081run_test "Small packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3082 "$P_SRV" \
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3083 "$P_CLI request_size=1 force_version=tls1_2 \
3084 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3085 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3086 0 \
3087 -s "Read from client: 1 bytes read"
3088
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3089run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3090 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3091 "$P_CLI request_size=1 force_version=tls1_2 \
3092 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3093 0 \
3094 -s "Read from client: 1 bytes read"
3095
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3096requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3097run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3098 "$P_SRV" \
3099 "$P_CLI request_size=1 force_version=tls1_2 \
3100 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3101 trunc_hmac=1" \
3102 0 \
3103 -s "Read from client: 1 bytes read"
3104
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3105requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3106run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
3107 "$P_SRV" \
3108 "$P_CLI request_size=1 force_version=tls1_2 \
3109 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3110 trunc_hmac=1 \
3111 etm=0" \
3112 0 \
3113 -s "Read from client: 1 bytes read"
3114
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3115run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3116 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3117 "$P_CLI request_size=1 force_version=tls1_2 \
3118 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3119 0 \
3120 -s "Read from client: 1 bytes read"
3121
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3122run_test "Small packet TLS 1.2 StreamCipher, without EtM" \
3123 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3124 "$P_CLI request_size=1 force_version=tls1_2 \
3125 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3126 etm=0" \
3127 0 \
3128 -s "Read from client: 1 bytes read"
3129
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3130requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3131run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3132 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3133 "$P_CLI request_size=1 force_version=tls1_2 \
3134 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3135 trunc_hmac=1" \
3136 0 \
3137 -s "Read from client: 1 bytes read"
3138
Hanno Becker7aae46c2017-11-10 08:59:04 +0000[diff] [blame]3139requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3140run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
3141 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3142 "$P_CLI request_size=1 force_version=tls1_2 \
3143 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3144 trunc_hmac=1 \
3145 etm=0" \
3146 0 \
3147 -s "Read from client: 1 bytes read"
3148
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3149run_test "Small packet TLS 1.2 AEAD" \
3150 "$P_SRV" \
3151 "$P_CLI request_size=1 force_version=tls1_2 \
3152 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3153 0 \
3154 -s "Read from client: 1 bytes read"
3155
3156run_test "Small packet TLS 1.2 AEAD shorter tag" \
3157 "$P_SRV" \
3158 "$P_CLI request_size=1 force_version=tls1_2 \
3159 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3160 0 \
3161 -s "Read from client: 1 bytes read"
3162
Hanno Becker461cb812017-11-10 08:59:18 +0000[diff] [blame]3163# Tests for small packets in DTLS
3164
3165requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3166run_test "Small packet DTLS 1.0" \
3167 "$P_SRV dtls=1 force_version=dtls1" \
3168 "$P_CLI dtls=1 request_size=1 \
3169 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3170 0 \
3171 -s "Read from client: 1 bytes read"
3172
3173requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3174run_test "Small packet DTLS 1.0, without EtM" \
3175 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
3176 "$P_CLI dtls=1 request_size=1 \
3177 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3178 0 \
3179 -s "Read from client: 1 bytes read"
3180
3181requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3182requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3183run_test "Small packet DTLS 1.0, truncated hmac" \
3184 "$P_SRV dtls=1 force_version=dtls1" \
3185 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
3186 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3187 0 \
3188 -s "Read from client: 1 bytes read"
3189
3190requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3191requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3192run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \
3193 "$P_SRV dtls=1 force_version=dtls1 \
3194 etm=0" \
3195 "$P_CLI dtls=1 request_size=1 \
3196 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3197 trunc_hmac=1"\
3198 0 \
3199 -s "Read from client: 1 bytes read"
3200
3201requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3202run_test "Small packet DTLS 1.2" \
3203 "$P_SRV dtls=1 force_version=dtls1_2" \
3204 "$P_CLI dtls=1 request_size=1 \
3205 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3206 0 \
3207 -s "Read from client: 1 bytes read"
3208
3209requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3210run_test "Small packet DTLS 1.2, without EtM" \
3211 "$P_SRV dtls=1 force_version=dtls1_2 \
3212 etm=0" \
3213 "$P_CLI dtls=1 request_size=1 \
3214 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3215 0 \
3216 -s "Read from client: 1 bytes read"
3217
3218requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3219requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3220run_test "Small packet DTLS 1.2, truncated hmac" \
3221 "$P_SRV dtls=1 force_version=dtls1_2" \
3222 "$P_CLI dtls=1 request_size=1 \
3223 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3224 trunc_hmac=1" \
3225 0 \
3226 -s "Read from client: 1 bytes read"
3227
3228requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3229requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3230run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \
3231 "$P_SRV dtls=1 force_version=dtls1_2 \
3232 etm=0" \
3233 "$P_CLI dtls=1 request_size=1 \
3234 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3235 trunc_hmac=1"\
3236 0 \
3237 -s "Read from client: 1 bytes read"
3238
Janos Follathb700c462016-05-06 13:48:23 +0100[diff] [blame]3239# A test for extensions in SSLv3
3240
3241requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3242run_test "SSLv3 with extensions, server side" \
3243 "$P_SRV min_version=ssl3 debug_level=3" \
3244 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3245 0 \
3246 -S "dumping 'client hello extensions'" \
3247 -S "server hello, total extension length:"
3248
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3249# Test for large packets
3250
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3251requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3252run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3253 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3254 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3255 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3256 0 \
3257 -s "Read from client: 16384 bytes read"
3258
Janos Follath542ee5d2016-03-07 15:57:05 +0000[diff] [blame]3259requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3260run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3261 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3262 "$P_CLI request_size=16384 force_version=ssl3 \
3263 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3264 0 \
3265 -s "Read from client: 16384 bytes read"
3266
3267run_test "Large packet TLS 1.0 BlockCipher" \
3268 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3269 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3270 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3271 0 \
3272 -s "Read from client: 16384 bytes read"
3273
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3274run_test "Large packet TLS 1.0 BlockCipher, without EtM" \
3275 "$P_SRV" \
3276 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
3277 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3278 0 \
3279 -s "Read from client: 16384 bytes read"
3280
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3281requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3282run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3283 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3284 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3285 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3286 trunc_hmac=1" \
3287 0 \
3288 -s "Read from client: 16384 bytes read"
3289
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3290requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3291run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
3292 "$P_SRV" \
3293 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
3294 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3295 trunc_hmac=1" \
3296 0 \
3297 -s "Read from client: 16384 bytes read"
3298
3299run_test "Large packet TLS 1.0 StreamCipher" \
3300 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3301 "$P_CLI request_size=16384 force_version=tls1 \
3302 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3303 0 \
3304 -s "Read from client: 16384 bytes read"
3305
3306run_test "Large packet TLS 1.0 StreamCipher, without EtM" \
3307 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3308 "$P_CLI request_size=16384 force_version=tls1 \
3309 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3310 etm=0" \
3311 0 \
3312 -s "Read from client: 16384 bytes read"
3313
3314requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3315run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3316 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3317 "$P_CLI request_size=16384 force_version=tls1 \
3318 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3319 trunc_hmac=1" \
3320 0 \
3321 -s "Read from client: 16384 bytes read"
3322
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3323requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3324run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
3325 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3326 "$P_CLI request_size=16384 force_version=tls1 \
3327 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3328 trunc_hmac=1 etm=0" \
3329 0 \
3330 -s "Read from client: 16384 bytes read"
3331
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3332run_test "Large packet TLS 1.1 BlockCipher" \
3333 "$P_SRV" \
3334 "$P_CLI request_size=16384 force_version=tls1_1 \
3335 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3336 0 \
3337 -s "Read from client: 16384 bytes read"
3338
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3339run_test "Large packet TLS 1.1 BlockCipher, without EtM" \
3340 "$P_SRV" \
3341 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
3342 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3343 0 \
3344 -s "Read from client: 16384 bytes read"
3345
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3346requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3347run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3348 "$P_SRV" \
3349 "$P_CLI request_size=16384 force_version=tls1_1 \
3350 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3351 trunc_hmac=1" \
3352 0 \
3353 -s "Read from client: 16384 bytes read"
3354
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3355requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3356run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
3357 "$P_SRV" \
3358 "$P_CLI request_size=16384 force_version=tls1_1 \
3359 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3360 trunc_hmac=1 etm=0" \
3361 0 \
3362 -s "Read from client: 16384 bytes read"
3363
3364run_test "Large packet TLS 1.1 StreamCipher" \
3365 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3366 "$P_CLI request_size=16384 force_version=tls1_1 \
3367 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3368 0 \
3369 -s "Read from client: 16384 bytes read"
3370
3371run_test "Large packet TLS 1.1 StreamCipher, without EtM" \
3372 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3373 "$P_CLI request_size=16384 force_version=tls1_1 \
3374 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3375 etm=0" \
3376 0 \
3377 -s "Read from client: 16384 bytes read"
3378
3379requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3380run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3381 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3382 "$P_CLI request_size=16384 force_version=tls1_1 \
3383 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3384 trunc_hmac=1" \
3385 0 \
3386 -s "Read from client: 16384 bytes read"
3387
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3388requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3389run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
3390 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3391 "$P_CLI request_size=16384 force_version=tls1_1 \
3392 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3393 trunc_hmac=1 etm=0" \
3394 0 \
3395 -s "Read from client: 16384 bytes read"
3396
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3397run_test "Large packet TLS 1.2 BlockCipher" \
3398 "$P_SRV" \
3399 "$P_CLI request_size=16384 force_version=tls1_2 \
3400 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3401 0 \
3402 -s "Read from client: 16384 bytes read"
3403
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3404run_test "Large packet TLS 1.2 BlockCipher, without EtM" \
3405 "$P_SRV" \
3406 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
3407 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3408 0 \
3409 -s "Read from client: 16384 bytes read"
3410
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3411run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3412 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3413 "$P_CLI request_size=16384 force_version=tls1_2 \
3414 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3415 0 \
3416 -s "Read from client: 16384 bytes read"
3417
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3418requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3419run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3420 "$P_SRV" \
3421 "$P_CLI request_size=16384 force_version=tls1_2 \
3422 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3423 trunc_hmac=1" \
3424 0 \
3425 -s "Read from client: 16384 bytes read"
3426
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3427requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3428run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
3429 "$P_SRV" \
3430 "$P_CLI request_size=16384 force_version=tls1_2 \
3431 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3432 trunc_hmac=1 etm=0" \
3433 0 \
3434 -s "Read from client: 16384 bytes read"
3435
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3436run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3437 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3438 "$P_CLI request_size=16384 force_version=tls1_2 \
3439 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3440 0 \
3441 -s "Read from client: 16384 bytes read"
3442
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3443run_test "Large packet TLS 1.2 StreamCipher, without EtM" \
3444 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3445 "$P_CLI request_size=16384 force_version=tls1_2 \
3446 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
3447 0 \
3448 -s "Read from client: 16384 bytes read"
3449
Hanno Beckera83fafa2017-11-10 08:42:54 +0000[diff] [blame]3450requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3451run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3452 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3453 "$P_CLI request_size=16384 force_version=tls1_2 \
3454 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3455 trunc_hmac=1" \
3456 0 \
3457 -s "Read from client: 16384 bytes read"
3458
Hanno Becker0b9d9132017-11-10 09:16:28 +0000[diff] [blame]3459requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3460run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
3461 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3462 "$P_CLI request_size=16384 force_version=tls1_2 \
3463 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3464 trunc_hmac=1 etm=0" \
3465 0 \
3466 -s "Read from client: 16384 bytes read"
3467
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3468run_test "Large packet TLS 1.2 AEAD" \
3469 "$P_SRV" \
3470 "$P_CLI request_size=16384 force_version=tls1_2 \
3471 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3472 0 \
3473 -s "Read from client: 16384 bytes read"
3474
3475run_test "Large packet TLS 1.2 AEAD shorter tag" \
3476 "$P_SRV" \
3477 "$P_CLI request_size=16384 force_version=tls1_2 \
3478 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3479 0 \
3480 -s "Read from client: 16384 bytes read"
3481
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3482# Tests for DTLS HelloVerifyRequest
3483
3484run_test "DTLS cookie: enabled" \
3485 "$P_SRV dtls=1 debug_level=2" \
3486 "$P_CLI dtls=1 debug_level=2" \
3487 0 \
3488 -s "cookie verification failed" \
3489 -s "cookie verification passed" \
3490 -S "cookie verification skipped" \
3491 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3492 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3493 -S "SSL - The requested feature is not available"
3494
3495run_test "DTLS cookie: disabled" \
3496 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3497 "$P_CLI dtls=1 debug_level=2" \
3498 0 \
3499 -S "cookie verification failed" \
3500 -S "cookie verification passed" \
3501 -s "cookie verification skipped" \
3502 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3503 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3504 -S "SSL - The requested feature is not available"
3505
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3506run_test "DTLS cookie: default (failing)" \
3507 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3508 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3509 1 \
3510 -s "cookie verification failed" \
3511 -S "cookie verification passed" \
3512 -S "cookie verification skipped" \
3513 -C "received hello verify request" \
3514 -S "hello verification requested" \
3515 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3516
3517requires_ipv6
3518run_test "DTLS cookie: enabled, IPv6" \
3519 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3520 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3521 0 \
3522 -s "cookie verification failed" \
3523 -s "cookie verification passed" \
3524 -S "cookie verification skipped" \
3525 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3526 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3527 -S "SSL - The requested feature is not available"
3528
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3529run_test "DTLS cookie: enabled, nbio" \
3530 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3531 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3532 0 \
3533 -s "cookie verification failed" \
3534 -s "cookie verification passed" \
3535 -S "cookie verification skipped" \
3536 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3537 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3538 -S "SSL - The requested feature is not available"
3539
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3540# Tests for client reconnecting from the same port with DTLS
3541
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3542not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3543run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3544 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3545 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3546 0 \
3547 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3548 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3549 -S "Client initiated reconnection from same port"
3550
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3551not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3552run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3553 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3554 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3555 0 \
3556 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3557 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3558 -s "Client initiated reconnection from same port"
3559
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]3560not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3561run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3562 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3563 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3564 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3565 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3566 -s "Client initiated reconnection from same port"
3567
Paul Bakker3b224ff2016-05-13 10:33:25 +0100[diff] [blame]3568only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3569run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3570 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3571 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3572 0 \
3573 -S "The operation timed out" \
3574 -s "Client initiated reconnection from same port"
3575
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3576run_test "DTLS client reconnect from same port: no cookies" \
3577 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]3578 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3579 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3580 -s "The operation timed out" \
3581 -S "Client initiated reconnection from same port"
3582
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3583# Tests for various cases of client authentication with DTLS
3584# (focused on handshake flows and message parsing)
3585
3586run_test "DTLS client auth: required" \
3587 "$P_SRV dtls=1 auth_mode=required" \
3588 "$P_CLI dtls=1" \
3589 0 \
3590 -s "Verifying peer X.509 certificate... ok"
3591
3592run_test "DTLS client auth: optional, client has no cert" \
3593 "$P_SRV dtls=1 auth_mode=optional" \
3594 "$P_CLI dtls=1 crt_file=none key_file=none" \
3595 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3596 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3597
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3598run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3599 "$P_SRV dtls=1 auth_mode=none" \
3600 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
3601 0 \
3602 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3603 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3604
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]3605run_test "DTLS wrong PSK: badmac alert" \
3606 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3607 "$P_CLI dtls=1 psk=abc124" \
3608 1 \
3609 -s "SSL - Verification of the message MAC failed" \
3610 -c "SSL - A fatal alert message was received from our peer"
3611
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3612# Tests for receiving fragmented handshake messages with DTLS
3613
3614requires_gnutls
3615run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3616 "$G_SRV -u --mtu 2048 -a" \
3617 "$P_CLI dtls=1 debug_level=2" \
3618 0 \
3619 -C "found fragmented DTLS handshake message" \
3620 -C "error"
3621
3622requires_gnutls
3623run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3624 "$G_SRV -u --mtu 512" \
3625 "$P_CLI dtls=1 debug_level=2" \
3626 0 \
3627 -c "found fragmented DTLS handshake message" \
3628 -C "error"
3629
3630requires_gnutls
3631run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3632 "$G_SRV -u --mtu 128" \
3633 "$P_CLI dtls=1 debug_level=2" \
3634 0 \
3635 -c "found fragmented DTLS handshake message" \
3636 -C "error"
3637
3638requires_gnutls
3639run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3640 "$G_SRV -u --mtu 128" \
3641 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3642 0 \
3643 -c "found fragmented DTLS handshake message" \
3644 -C "error"
3645
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3646requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3647run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3648 "$G_SRV -u --mtu 256" \
3649 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3650 0 \
3651 -c "found fragmented DTLS handshake message" \
3652 -c "client hello, adding renegotiation extension" \
3653 -c "found renegotiation extension" \
3654 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3655 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3656 -C "error" \
3657 -s "Extra-header:"
3658
3659requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3660run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3661 "$G_SRV -u --mtu 256" \
3662 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3663 0 \
3664 -c "found fragmented DTLS handshake message" \
3665 -c "client hello, adding renegotiation extension" \
3666 -c "found renegotiation extension" \
3667 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3668 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3669 -C "error" \
3670 -s "Extra-header:"
3671
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3672run_test "DTLS reassembly: no fragmentation (openssl server)" \
3673 "$O_SRV -dtls1 -mtu 2048" \
3674 "$P_CLI dtls=1 debug_level=2" \
3675 0 \
3676 -C "found fragmented DTLS handshake message" \
3677 -C "error"
3678
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3679run_test "DTLS reassembly: some fragmentation (openssl server)" \
3680 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3681 "$P_CLI dtls=1 debug_level=2" \
3682 0 \
3683 -c "found fragmented DTLS handshake message" \
3684 -C "error"
3685
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3686run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3687 "$O_SRV -dtls1 -mtu 256" \
3688 "$P_CLI dtls=1 debug_level=2" \
3689 0 \
3690 -c "found fragmented DTLS handshake message" \
3691 -C "error"
3692
3693run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3694 "$O_SRV -dtls1 -mtu 256" \
3695 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3696 0 \
3697 -c "found fragmented DTLS handshake message" \
3698 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3699
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3700# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3701
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3702not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3703run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3704 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3705 "$P_SRV dtls=1 debug_level=2" \
3706 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3707 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3708 -C "replayed record" \
3709 -S "replayed record" \
3710 -C "record from another epoch" \
3711 -S "record from another epoch" \
3712 -C "discarding invalid record" \
3713 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3714 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3715 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3716 -c "HTTP/1.0 200 OK"
3717
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3718not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3719run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3720 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3721 "$P_SRV dtls=1 debug_level=2" \
3722 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3723 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3724 -c "replayed record" \
3725 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3726 -c "discarding invalid record" \
3727 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3728 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3729 -s "Extra-header:" \
3730 -c "HTTP/1.0 200 OK"
3731
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3732run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3733 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3734 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3735 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3736 0 \
3737 -c "replayed record" \
3738 -S "replayed record" \
3739 -c "discarding invalid record" \
3740 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3741 -c "resend" \
3742 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3743 -s "Extra-header:" \
3744 -c "HTTP/1.0 200 OK"
3745
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3746run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3747 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3748 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3749 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3750 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3751 -c "discarding invalid record (mac)" \
3752 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3753 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3754 -c "HTTP/1.0 200 OK" \
3755 -S "too many records with bad MAC" \
3756 -S "Verification of the message MAC failed"
3757
3758run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3759 -p "$P_PXY bad_ad=1" \
3760 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3761 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3762 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3763 -C "discarding invalid record (mac)" \
3764 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3765 -S "Extra-header:" \
3766 -C "HTTP/1.0 200 OK" \
3767 -s "too many records with bad MAC" \
3768 -s "Verification of the message MAC failed"
3769
3770run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3771 -p "$P_PXY bad_ad=1" \
3772 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3773 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3774 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3775 -c "discarding invalid record (mac)" \
3776 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3777 -s "Extra-header:" \
3778 -c "HTTP/1.0 200 OK" \
3779 -S "too many records with bad MAC" \
3780 -S "Verification of the message MAC failed"
3781
3782run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3783 -p "$P_PXY bad_ad=1" \
3784 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3785 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3786 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3787 -c "discarding invalid record (mac)" \
3788 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3789 -s "Extra-header:" \
3790 -c "HTTP/1.0 200 OK" \
3791 -s "too many records with bad MAC" \
3792 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3793
3794run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3795 -p "$P_PXY delay_ccs=1" \
3796 "$P_SRV dtls=1 debug_level=1" \
3797 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3798 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3799 -c "record from another epoch" \
3800 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3801 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3802 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3803 -s "Extra-header:" \
3804 -c "HTTP/1.0 200 OK"
3805
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3806# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3807
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3808needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3809run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3810 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3811 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3812 psk=abc123" \
3813 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3814 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3815 0 \
3816 -s "Extra-header:" \
3817 -c "HTTP/1.0 200 OK"
3818
3819needs_more_time 2
3820run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3821 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3822 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3823 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3824 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3825 0 \
3826 -s "Extra-header:" \
3827 -c "HTTP/1.0 200 OK"
3828
3829needs_more_time 2
3830run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3831 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3832 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3833 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3834 0 \
3835 -s "Extra-header:" \
3836 -c "HTTP/1.0 200 OK"
3837
3838needs_more_time 2
3839run_test "DTLS proxy: 3d, FS, client auth" \
3840 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3841 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3842 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3843 0 \
3844 -s "Extra-header:" \
3845 -c "HTTP/1.0 200 OK"
3846
3847needs_more_time 2
3848run_test "DTLS proxy: 3d, FS, ticket" \
3849 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3850 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3851 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3852 0 \
3853 -s "Extra-header:" \
3854 -c "HTTP/1.0 200 OK"
3855
3856needs_more_time 2
3857run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3858 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3859 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3860 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3861 0 \
3862 -s "Extra-header:" \
3863 -c "HTTP/1.0 200 OK"
3864
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3865needs_more_time 2
3866run_test "DTLS proxy: 3d, max handshake, nbio" \
3867 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3868 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3869 auth_mode=required" \
3870 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3871 0 \
3872 -s "Extra-header:" \
3873 -c "HTTP/1.0 200 OK"
3874
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3875needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]3876run_test "DTLS proxy: 3d, min handshake, resumption" \
3877 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3878 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3879 psk=abc123 debug_level=3" \
3880 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3881 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3882 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3883 0 \
3884 -s "a session has been resumed" \
3885 -c "a session has been resumed" \
3886 -s "Extra-header:" \
3887 -c "HTTP/1.0 200 OK"
3888
3889needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]3890run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3891 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3892 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3893 psk=abc123 debug_level=3 nbio=2" \
3894 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3895 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3896 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3897 0 \
3898 -s "a session has been resumed" \
3899 -c "a session has been resumed" \
3900 -s "Extra-header:" \
3901 -c "HTTP/1.0 200 OK"
3902
3903needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3904run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3905 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3906 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3907 psk=abc123 renegotiation=1 debug_level=2" \
3908 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3909 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3910 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3911 0 \
3912 -c "=> renegotiate" \
3913 -s "=> renegotiate" \
3914 -s "Extra-header:" \
3915 -c "HTTP/1.0 200 OK"
3916
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3917needs_more_time 4
3918run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
3919 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3920 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3921 psk=abc123 renegotiation=1 debug_level=2" \
3922 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3923 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3924 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3925 0 \
3926 -c "=> renegotiate" \
3927 -s "=> renegotiate" \
3928 -s "Extra-header:" \
3929 -c "HTTP/1.0 200 OK"
3930
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3931needs_more_time 4
3932run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3933 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3934 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3935 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3936 debug_level=2" \
3937 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3938 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3939 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3940 0 \
3941 -c "=> renegotiate" \
3942 -s "=> renegotiate" \
3943 -s "Extra-header:" \
3944 -c "HTTP/1.0 200 OK"
3945
3946needs_more_time 4
3947run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3948 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3949 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3950 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3951 debug_level=2 nbio=2" \
3952 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3953 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3954 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3955 0 \
3956 -c "=> renegotiate" \
3957 -s "=> renegotiate" \
3958 -s "Extra-header:" \
3959 -c "HTTP/1.0 200 OK"
3960
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +0200[diff] [blame]3961needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3962not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3963run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3964 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3965 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3966 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3967 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3968 -c "HTTP/1.0 200 OK"
3969
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3970needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3971not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3972run_test "DTLS proxy: 3d, openssl server, fragmentation" \
3973 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3974 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3975 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3976 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3977 -c "HTTP/1.0 200 OK"
3978
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]3979needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3980not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3981run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
3982 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3983 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3984 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3985 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3986 -c "HTTP/1.0 200 OK"
3987
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3988requires_gnutls
Manuel Pégourié-Gonnard127ab882014-10-09 17:59:32 +0200[diff] [blame]3989needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3990not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3991run_test "DTLS proxy: 3d, gnutls server" \
3992 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3993 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3994 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3995 0 \
3996 -s "Extra-header:" \
3997 -c "Extra-header:"
3998
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3999requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]4000needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4001not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4002run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
4003 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4004 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4005 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4006 0 \
4007 -s "Extra-header:" \
4008 -c "Extra-header:"
4009
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4010requires_gnutls
Manuel Pégourié-Gonnard22404862015-05-14 12:11:45 +0200[diff] [blame]4011needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4012not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4013run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
4014 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4015 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4016 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4017 0 \
4018 -s "Extra-header:" \
4019 -c "Extra-header:"
4020
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4021# Final report
4022
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4023echo "------------------------------------------------------------------------"
4024
4025if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4026 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4027else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4028 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4029fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]4030PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]4031echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4032
4033exit $FAILS