TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/archive/baremetal / . / tests / ssl-opt.sh
blob: ebd570fab05f47e51f4b2fbe3d8b97b98f4835f1 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Jaeden Ameroa258ccd2019-07-03 13:51:04 +0100[diff] [blame]24# Limit the size of each log to 10 GiB, in case of failures with this script
25# where it may output seemingly unlimited length error logs.
26ulimit -f 20971520
27
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]28if cd $( dirname $0 ); then :; else
29 echo "cd $( dirname $0 ) failed" >&2
30 exit 1
31fi
32
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]33# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]34: ${P_SRV:=../programs/ssl/ssl_server2}
35: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]36: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]37: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]38: ${GNUTLS_CLI:=gnutls-cli}
39: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]40: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]41
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]42O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]43O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]44G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]45G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]46TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]47
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]48# alternative versions of OpenSSL and GnuTLS (no default path)
49
50if [ -n "${OPENSSL_LEGACY:-}" ]; then
51 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
52 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
53else
54 O_LEGACY_SRV=false
55 O_LEGACY_CLI=false
56fi
57
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]58if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]59 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
60else
61 G_NEXT_SRV=false
62fi
63
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]64if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]65 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
66else
67 G_NEXT_CLI=false
68fi
69
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]70TESTS=0
71FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]72SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]73
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]74MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]75FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]76EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]77
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]78SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]79RUN_TEST_NUMBER=''
80
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]81PRESERVE_LOGS=0
82
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]83# Pick a "unique" server port in the range 10000-19999, and a proxy
84# port which is this plus 10000. Each port number may be independently
85# overridden by a command line option.
86SRV_PORT=$(($$ % 10000 + 10000))
87PXY_PORT=$((SRV_PORT + 10000))
88
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]89print_usage() {
90 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]91 printf " -h|--help\tPrint this help.\n"
92 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]93 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
94 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]95 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]96 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]97 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]98 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
99 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]100 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]101}
102
103get_options() {
104 while [ $# -gt 0 ]; do
105 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]106 -f|--filter)
107 shift; FILTER=$1
108 ;;
109 -e|--exclude)
110 shift; EXCLUDE=$1
111 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]112 -m|--memcheck)
113 MEMCHECK=1
114 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]115 -n|--number)
116 shift; RUN_TEST_NUMBER=$1
117 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]118 -s|--show-numbers)
119 SHOW_TEST_NUMBER=1
120 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]121 -p|--preserve-logs)
122 PRESERVE_LOGS=1
123 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]124 --port)
125 shift; SRV_PORT=$1
126 ;;
127 --proxy-port)
128 shift; PXY_PORT=$1
129 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]130 --seed)
131 shift; SEED="$1"
132 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]133 -h|--help)
134 print_usage
135 exit 0
136 ;;
137 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]138 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]139 print_usage
140 exit 1
141 ;;
142 esac
143 shift
144 done
145}
146
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]147# Skip next test; use this macro to skip tests which are legitimate
148# in theory and expected to be re-introduced at some point, but
149# aren't expected to succeed at the moment due to problems outside
150# our control (such as bugs in other TLS implementations).
151skip_next_test() {
152 SKIP_NEXT="YES"
153}
154
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]155requires_ciphersuite_enabled() {
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]156 if [ -z "$($P_CLI --help 2>/dev/null | grep $1)" ]; then
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]157 SKIP_NEXT="YES"
158 fi
159}
160
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]161get_config_value_or_default() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]162 # This function uses the query_config command line option to query the
163 # required Mbed TLS compile time configuration from the ssl_server2
164 # program. The command will always return a success value if the
165 # configuration is defined and the value will be printed to stdout.
166 #
167 # Note that if the configuration is not defined or is defined to nothing,
168 # the output of this function will be an empty string.
169 ${P_SRV} "query_config=${1}"
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]170}
171
Hanno Beckerab9a29b2019-09-24 16:14:39 +0100[diff] [blame]172# skip next test if the flag is enabled in config.h
173requires_config_disabled() {
174 if get_config_value_or_default $1; then
175 SKIP_NEXT="YES"
176 fi
177}
178
179requires_config_enabled() {
180 if ! get_config_value_or_default $1; then
181 SKIP_NEXT="YES"
182 fi
183}
184
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]185requires_config_value_at_least() {
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]186 VAL="$( get_config_value_or_default "$1" )"
187 if [ -z "$VAL" ]; then
188 # Should never happen
189 echo "Mbed TLS configuration $1 is not defined"
190 exit 1
191 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]192 SKIP_NEXT="YES"
193 fi
194}
195
196requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]197 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia06446782018-10-16 21:29:07 +0100[diff] [blame]198 if [ -z "$VAL" ]; then
199 # Should never happen
200 echo "Mbed TLS configuration $1 is not defined"
201 exit 1
202 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]203 SKIP_NEXT="YES"
204 fi
205}
206
Arto Kinnunenc457ab12019-09-27 12:00:51 +0300[diff] [blame]207requires_config_value_exactly() {
208 VAL=$( get_config_value_or_default "$1" )
209 if [ -z "$VAL" ]; then
210 # Should never happen
211 echo "Mbed TLS configuration $1 is not defined"
212 exit 1
Arto Kinnunen13db25f2019-09-27 13:06:25 +0300[diff] [blame]213 elif [ "$VAL" -ne "$2" ]; then
Arto Kinnunenc457ab12019-09-27 12:00:51 +0300[diff] [blame]214 SKIP_NEXT="YES"
215 fi
216}
217
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]218# skip next test if OpenSSL doesn't support FALLBACK_SCSV
219requires_openssl_with_fallback_scsv() {
220 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
221 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
222 then
223 OPENSSL_HAS_FBSCSV="YES"
224 else
225 OPENSSL_HAS_FBSCSV="NO"
226 fi
227 fi
228 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
229 SKIP_NEXT="YES"
230 fi
231}
232
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]233# skip next test if GnuTLS isn't available
234requires_gnutls() {
235 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]236 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]237 GNUTLS_AVAILABLE="YES"
238 else
239 GNUTLS_AVAILABLE="NO"
240 fi
241 fi
242 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
243 SKIP_NEXT="YES"
244 fi
245}
246
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]247# skip next test if GnuTLS-next isn't available
248requires_gnutls_next() {
249 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
250 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
251 GNUTLS_NEXT_AVAILABLE="YES"
252 else
253 GNUTLS_NEXT_AVAILABLE="NO"
254 fi
255 fi
256 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
257 SKIP_NEXT="YES"
258 fi
259}
260
261# skip next test if OpenSSL-legacy isn't available
262requires_openssl_legacy() {
263 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
264 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
265 OPENSSL_LEGACY_AVAILABLE="YES"
266 else
267 OPENSSL_LEGACY_AVAILABLE="NO"
268 fi
269 fi
270 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
271 SKIP_NEXT="YES"
272 fi
273}
274
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]275# skip next test if IPv6 isn't available on this host
276requires_ipv6() {
277 if [ -z "${HAS_IPV6:-}" ]; then
278 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
279 SRV_PID=$!
280 sleep 1
281 kill $SRV_PID >/dev/null 2>&1
282 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
283 HAS_IPV6="NO"
284 else
285 HAS_IPV6="YES"
286 fi
287 rm -r $SRV_OUT
288 fi
289
290 if [ "$HAS_IPV6" = "NO" ]; then
291 SKIP_NEXT="YES"
292 fi
293}
294
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]295# skip next test if it's i686 or uname is not available
296requires_not_i686() {
297 if [ -z "${IS_I686:-}" ]; then
298 IS_I686="YES"
299 if which "uname" >/dev/null 2>&1; then
300 if [ -z "$(uname -a | grep i686)" ]; then
301 IS_I686="NO"
302 fi
303 fi
304 fi
305 if [ "$IS_I686" = "YES" ]; then
306 SKIP_NEXT="YES"
307 fi
308}
309
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]310# Calculate the input & output maximum content lengths set in the config
Arto Kinnunen78213522019-09-26 11:06:39 +0300[diff] [blame]311MAX_CONTENT_LEN="$( get_config_value_or_default MBEDTLS_SSL_MAX_CONTENT_LEN )"
312if [ -z "$MAX_CONTENT_LEN" ]; then
313 MAX_CONTENT_LEN=16384
314fi
315
316MAX_IN_LEN="$( get_config_value_or_default MBEDTLS_SSL_IN_CONTENT_LEN )"
317if [ -z "$MAX_IN_LEN" ]; then
318 MAX_IN_LEN=$MAX_CONTENT_LEN
319fi
320
321MAX_OUT_LEN="$( get_config_value_or_default MBEDTLS_SSL_OUT_CONTENT_LEN )"
322if [ -z "$MAX_OUT_LEN" ]; then
323 MAX_OUT_LEN=$MAX_CONTENT_LEN
324fi
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]325
326if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
327 MAX_CONTENT_LEN="$MAX_IN_LEN"
328fi
329if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
330 MAX_CONTENT_LEN="$MAX_OUT_LEN"
331fi
332
333# skip the next test if the SSL output buffer is less than 16KB
334requires_full_size_output_buffer() {
335 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
336 SKIP_NEXT="YES"
337 fi
338}
339
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]340# skip the next test if valgrind is in use
341not_with_valgrind() {
342 if [ "$MEMCHECK" -gt 0 ]; then
343 SKIP_NEXT="YES"
344 fi
345}
346
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]347# skip the next test if valgrind is NOT in use
348only_with_valgrind() {
349 if [ "$MEMCHECK" -eq 0 ]; then
350 SKIP_NEXT="YES"
351 fi
352}
353
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]354# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]355client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]356 CLI_DELAY_FACTOR=$1
357}
358
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]359# wait for the given seconds after the client finished in the next test
360server_needs_more_time() {
361 SRV_DELAY_SECONDS=$1
362}
363
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]364# print_name <name>
365print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]366 TESTS=$(( $TESTS + 1 ))
367 LINE=""
368
369 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
370 LINE="$TESTS "
371 fi
372
373 LINE="$LINE$1"
374 printf "$LINE "
375 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]376 for i in `seq 1 $LEN`; do printf '.'; done
377 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]378
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]379}
380
381# fail <message>
382fail() {
383 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]384 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]385
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]386 mv $SRV_OUT o-srv-${TESTS}.log
387 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]388 if [ -n "$PXY_CMD" ]; then
389 mv $PXY_OUT o-pxy-${TESTS}.log
390 fi
391 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]392
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]393 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]394 echo " ! server output:"
395 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]396 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]397 echo " ! client output:"
398 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]399 if [ -n "$PXY_CMD" ]; then
400 echo " ! ========================================================"
401 echo " ! proxy output:"
402 cat o-pxy-${TESTS}.log
403 fi
404 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]405 fi
406
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]407 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]408}
409
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]410# is_polar <cmd_line>
411is_polar() {
412 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
413}
414
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]415# openssl s_server doesn't have -www with DTLS
416check_osrv_dtls() {
417 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
418 NEEDS_INPUT=1
419 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
420 else
421 NEEDS_INPUT=0
422 fi
423}
424
425# provide input to commands that need it
426provide_input() {
427 if [ $NEEDS_INPUT -eq 0 ]; then
428 return
429 fi
430
431 while true; do
432 echo "HTTP/1.0 200 OK"
433 sleep 1
434 done
435}
436
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]437# has_mem_err <log_file_name>
438has_mem_err() {
439 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
440 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
441 then
442 return 1 # false: does not have errors
443 else
444 return 0 # true: has errors
445 fi
446}
447
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]448# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]449if type lsof >/dev/null 2>/dev/null; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]450 wait_app_start() {
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]451 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]452 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]453 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]454 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]455 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]456 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]457 # Make a tight loop, server normally takes less than 1s to start.
458 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
459 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]460 echo "$3 START TIMEOUT"
461 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]462 break
463 fi
464 # Linux and *BSD support decimal arguments to sleep. On other
465 # OSes this may be a tight loop.
466 sleep 0.1 2>/dev/null || true
467 done
468 }
469else
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]470 echo "Warning: lsof not available, wait_app_start = sleep"
471 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]472 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]473 }
474fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]475
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]476# Wait for server process $2 to be listening on port $1.
477wait_server_start() {
478 wait_app_start $1 $2 "SERVER" $SRV_OUT
479}
480
481# Wait for proxy process $2 to be listening on port $1.
482wait_proxy_start() {
483 wait_app_start $1 $2 "PROXY" $PXY_OUT
484}
485
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]486# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]487# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]488# acceptable bounds
489check_server_hello_time() {
490 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]491 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]492 # Get the Unix timestamp for now
493 CUR_TIME=$(date +'%s')
494 THRESHOLD_IN_SECS=300
495
496 # Check if the ServerHello time was printed
497 if [ -z "$SERVER_HELLO_TIME" ]; then
498 return 1
499 fi
500
501 # Check the time in ServerHello is within acceptable bounds
502 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
503 # The time in ServerHello is at least 5 minutes before now
504 return 1
505 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]506 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]507 return 1
508 else
509 return 0
510 fi
511}
512
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]513# Get handshake memory usage from server or client output and put it into the variable specified by the first argument
514handshake_memory_get() {
515 OUTPUT_VARIABLE="$1"
516 OUTPUT_FILE="$2"
517
518 # Get memory usage from a pattern like "Heap memory usage after handshake: 23112 bytes. Peak memory usage was 33112"
519 MEM_USAGE=$(sed -n 's/.*Heap memory usage after handshake: //p' < "$OUTPUT_FILE" | grep -o "[0-9]*" | head -1)
520
521 # Check if memory usage was read
522 if [ -z "$MEM_USAGE" ]; then
523 echo "Error: Can not read the value of handshake memory usage"
524 return 1
525 else
526 eval "$OUTPUT_VARIABLE=$MEM_USAGE"
527 return 0
528 fi
529}
530
531# Get handshake memory usage from server or client output and check if this value
532# is not higher than the maximum given by the first argument
533handshake_memory_check() {
534 MAX_MEMORY="$1"
535 OUTPUT_FILE="$2"
536
537 # Get memory usage
538 if ! handshake_memory_get "MEMORY_USAGE" "$OUTPUT_FILE"; then
539 return 1
540 fi
541
542 # Check if memory usage is below max value
543 if [ "$MEMORY_USAGE" -gt "$MAX_MEMORY" ]; then
544 echo "\nFailed: Handshake memory usage was $MEMORY_USAGE bytes," \
545 "but should be below $MAX_MEMORY bytes"
546 return 1
547 else
548 return 0
549 fi
550}
551
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]552# wait for client to terminate and set CLI_EXIT
553# must be called right after starting the client
554wait_client_done() {
555 CLI_PID=$!
556
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]557 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
558 CLI_DELAY_FACTOR=1
559
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]560 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]561 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]562
563 wait $CLI_PID
564 CLI_EXIT=$?
565
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]566 kill $DOG_PID >/dev/null 2>&1
567 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]568
569 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]570
571 sleep $SRV_DELAY_SECONDS
572 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]573}
574
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]575# check if the given command uses dtls and sets global variable DTLS
576detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]577 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]578 DTLS=1
579 else
580 DTLS=0
581 fi
582}
583
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]584# Strip off a particular parameter from the command line
585# and return its value.
586# Parameter 1: Command line parameter to strip off
587# ENV I/O: CMD command line to search and modify
588extract_cmdline_argument() {
589 __ARG=$(echo "$CMD" | sed -n "s/^.* $1=\([^ ]*\).*$/\1/p")
590 CMD=$(echo "$CMD" | sed "s/$1=\([^ ]*\)//")
591}
592
593# Check compatibility of the ssl_client2/ssl_server2 command-line
594# with a particular compile-time configurable option.
595# Parameter 1: Command-line argument (e.g. extended_ms)
596# Parameter 2: Corresponding compile-time configuration
597# (e.g. MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
598# ENV I/O: CMD command line to search and modify
599# SKIP_NEXT set to "YES" on a mismatch
600check_cmdline_param_compat() {
601 __VAL="$( get_config_value_or_default "$2" )"
602 if [ ! -z "$__VAL" ]; then
603 extract_cmdline_argument "$1"
604 if [ ! -z "$__ARG" ] && [ "$__ARG" != "$__VAL" ]; then
605 SKIP_NEXT="YES"
606 fi
607 fi
608}
609
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]610check_cmdline_check_tls_dtls() {
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]611 detect_dtls "$CMD"
612 if [ "$DTLS" = "0" ]; then
613 requires_config_disabled MBEDTLS_SSL_PROTO_NO_TLS
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]614 elif [ "$DTLS" = "1" ]; then
615 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]616 fi
617}
618
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]619check_cmdline_authmode_compat() {
620 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_AUTHMODE" )"
621 if [ ! -z "$__VAL" ]; then
622 extract_cmdline_argument "auth_mode"
623 if [ "$__ARG" = "none" ] && [ "$__VAL" != "0" ]; then
624 SKIP_NEXT="YES";
625 elif [ "$__ARG" = "optional" ] && [ "$__VAL" != "1" ]; then
626 SKIP_NEXT="YES"
627 elif [ "$__ARG" = "required" ] && [ "$__VAL" != "2" ]; then
628 SKIP_NEXT="YES"
629 fi
630 fi
631}
632
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]633check_cmdline_legacy_renego_compat() {
634 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )"
635 if [ ! -z "$__VAL" ]; then
636 extract_cmdline_argument "allow_legacy"
637 if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then
638 SKIP_NEXT="YES";
639 elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then
640 SKIP_NEXT="YES"
641 elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then
642 SKIP_NEXT="YES"
643 fi
644 fi
645}
646
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]647check_cmdline_min_minor_version_compat() {
648 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
649 if [ ! -z "$__VAL" ]; then
650 extract_cmdline_argument "min_version"
651 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
652 SKIP_NEXT="YES";
653 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
654 SKIP_NEXT="YES"
655 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
656 SKIP_NEXT="YES"
657 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
658 SKIP_NEXT="YES"
659 fi
660 fi
661}
662
663check_cmdline_max_minor_version_compat() {
664 __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
665 if [ ! -z "$__VAL" ]; then
666 extract_cmdline_argument "max_version"
667 if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
668 SKIP_NEXT="YES";
669 elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
670 SKIP_NEXT="YES"
671 elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
672 SKIP_NEXT="YES"
673 elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
674 SKIP_NEXT="YES"
675 fi
676 fi
677}
678
679check_cmdline_force_version_compat() {
680 __VAL_MAX="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
681 __VAL_MIN="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
682 if [ ! -z "$__VAL_MIN" ]; then
683
684 # SSL cli/srv cmd line
685
686 extract_cmdline_argument "force_version"
687 if [ "$__ARG" = "ssl3" ] && \
688 ( [ "$__VAL_MIN" != "0" ] || [ "$__VAL_MAX" != "0" ] ); then
689 SKIP_NEXT="YES";
690 elif [ "$__ARG" = "tls1" ] && \
691 ( [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ] ); then
692 SKIP_NEXT="YES"
693 elif ( [ "$__ARG" = "tls1_1" ] || [ "$__ARG" = "dtls1" ] ) && \
694 ( [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ] ); then
695 SKIP_NEXT="YES"
696 elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
697 ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]698 SKIP_NEXT="YES"
699 fi
700
701 # OpenSSL cmd line
702
703 if echo "$CMD" | grep -e "-tls1\($\|[^_]\)" > /dev/null; then
704 if [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ]; then
705 SKIP_NEXT="YES"
706 fi
707 fi
708
709 if echo "$CMD" | grep -e "-\(dtls1\($\|[^_]\)\|tls1_1\)" > /dev/null; then
710 if [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ]; then
711 SKIP_NEXT="YES"
712 fi
713 fi
714
715 if echo "$CMD" | grep -e "-\(dtls1_2\($\|[^_]\)\|tls1_2\)" > /dev/null; then
716 if [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ]; then
717 SKIP_NEXT="YES"
718 fi
719 fi
720
721 fi
722}
723
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]724check_cmdline_crt_key_files_compat() {
725
726 # test-ca2.crt
727 if echo "$CMD" | grep -e "test-ca2" > /dev/null; then
728 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
729 fi
730
731 # Variants of server5.key and server5.crt
732 if echo "$CMD" | grep -e "server5" > /dev/null; then
733 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
734 fi
735
736 # Variants of server6.key and server6.crt
737 if echo "$CMD" | grep -e "server6" > /dev/null; then
738 requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
739 fi
740
741}
742
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]743# Go through all options that can be hardcoded at compile-time and
744# detect whether the command line configures them in a conflicting
745# way. If so, skip the test. Otherwise, remove the corresponding
746# entry.
747# Parameter 1: Command line to inspect
748# Output: Modified command line
749# ENV I/O: SKIP_TEST set to 1 on mismatch.
750check_cmdline_compat() {
751 CMD="$1"
752
Hanno Becker69c6cde2019-09-02 14:34:23 +0100[diff] [blame]753 # Check that if we're specifying particular certificate and/or
754 # ECC key files, the corresponding curve is enabled.
755 check_cmdline_crt_key_files_compat
756
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]757 # ExtendedMasterSecret configuration
758 check_cmdline_param_compat "extended_ms" \
759 "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET"
760 check_cmdline_param_compat "enforce_extended_master_secret" \
761 "MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET"
Hanno Becker7f376f42019-06-12 16:20:48 +0100[diff] [blame]762
763 # DTLS anti replay protection configuration
764 check_cmdline_param_compat "anti_replay" \
765 "MBEDTLS_SSL_CONF_ANTI_REPLAY"
766
Hanno Beckerde671542019-06-12 16:30:46 +0100[diff] [blame]767 # DTLS bad MAC limit
768 check_cmdline_param_compat "badmac_limit" \
769 "MBEDTLS_SSL_CONF_BADMAC_LIMIT"
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]770
Hanno Beckera43f85c2019-09-05 14:51:20 +0100[diff] [blame]771 # Skip tests relying on TLS/DTLS in configs that disable it.
772 check_cmdline_check_tls_dtls
Hanno Becker73b72d12019-07-26 12:00:38 +0100[diff] [blame]773
Hanno Beckeracd4fc02019-06-12 16:40:50 +0100[diff] [blame]774 # Authentication mode
775 check_cmdline_authmode_compat
Hanno Beckerb0b2b672019-06-12 16:58:10 +0100[diff] [blame]776
777 # Legacy renegotiation
778 check_cmdline_legacy_renego_compat
Hanno Beckerd82a0302019-07-05 11:40:52 +0100[diff] [blame]779
780 # Version configuration
781 check_cmdline_min_minor_version_compat
782 check_cmdline_max_minor_version_compat
783 check_cmdline_force_version_compat
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]784}
785
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]786# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]787# Options: -s pattern pattern that must be present in server output
788# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]789# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]790# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]791# -S pattern pattern that must be absent in server output
792# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]793# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]794# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]795run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]796 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]797 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]798
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]799 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
800 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]801 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]802 return
803 fi
804
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]805 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]806
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]807 # Do we only run numbered tests?
808 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
809 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
810 else
811 SKIP_NEXT="YES"
812 fi
813
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]814 # does this test use a proxy?
815 if [ "X$1" = "X-p" ]; then
816 PXY_CMD="$2"
817 shift 2
818 else
819 PXY_CMD=""
820 fi
821
822 # get commands and client output
823 SRV_CMD="$1"
824 CLI_CMD="$2"
825 CLI_EXPECT="$3"
826 shift 3
827
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]828 check_cmdline_compat "$SRV_CMD"
829 SRV_CMD="$CMD"
830
831 check_cmdline_compat "$CLI_CMD"
832 CLI_CMD="$CMD"
833
Hanno Becker7a11e722019-05-10 14:38:42 +0100[diff] [blame]834 # Check if test uses files
835 TEST_USES_FILES=$(echo "$SRV_CMD $CLI_CMD" | grep "\.\(key\|crt\|pem\)" )
836 if [ ! -z "$TEST_USES_FILES" ]; then
837 requires_config_enabled MBEDTLS_FS_IO
838 fi
839
840 # should we skip?
841 if [ "X$SKIP_NEXT" = "XYES" ]; then
842 SKIP_NEXT="NO"
843 echo "SKIP"
844 SKIPS=$(( $SKIPS + 1 ))
845 return
846 fi
847
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]848 # fix client port
849 if [ -n "$PXY_CMD" ]; then
850 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
851 else
852 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
853 fi
854
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]855 # update DTLS variable
856 detect_dtls "$SRV_CMD"
857
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]858 # prepend valgrind to our commands if active
859 if [ "$MEMCHECK" -gt 0 ]; then
860 if is_polar "$SRV_CMD"; then
861 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
862 fi
863 if is_polar "$CLI_CMD"; then
864 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
865 fi
866 fi
867
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]868 TIMES_LEFT=2
869 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]870 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]871
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]872 # run the commands
873 if [ -n "$PXY_CMD" ]; then
874 echo "$PXY_CMD" > $PXY_OUT
875 $PXY_CMD >> $PXY_OUT 2>&1 &
876 PXY_PID=$!
Unknown43dc0d62019-09-02 10:42:57 -0400[diff] [blame]877 wait_proxy_start "$PXY_PORT" "$PXY_PID"
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]878 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]879
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]880 check_osrv_dtls
881 echo "$SRV_CMD" > $SRV_OUT
882 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
883 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]884 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]885
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]886 echo "$CLI_CMD" > $CLI_OUT
887 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
888 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]889
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]890 sleep 0.05
891
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]892 # terminate the server (and the proxy)
893 kill $SRV_PID
894 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]895
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]896 if [ -n "$PXY_CMD" ]; then
897 kill $PXY_PID >/dev/null 2>&1
898 wait $PXY_PID
899 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]900
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]901 # retry only on timeouts
902 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
903 printf "RETRY "
904 else
905 TIMES_LEFT=0
906 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]907 done
908
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]909 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]910 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]911 # expected client exit to incorrectly succeed in case of catastrophic
912 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]913 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]914 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]915 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]916 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]917 return
918 fi
919 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]920 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]921 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]922 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]923 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]924 return
925 fi
926 fi
927
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]928 # check server exit code
929 if [ $? != 0 ]; then
930 fail "server fail"
931 return
932 fi
933
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]934 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]935 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
936 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]937 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]938 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]939 return
940 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]941
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]942 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]943 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]944 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]945 while [ $# -gt 0 ]
946 do
947 case $1 in
948 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]949 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]950 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]951 return
952 fi
953 ;;
954
955 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]956 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]957 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]958 return
959 fi
960 ;;
961
962 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]963 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]964 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]965 return
966 fi
967 ;;
968
969 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]970 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]971 fail "pattern '$2' MUST NOT be present in the Client output"
972 return
973 fi
974 ;;
975
976 # The filtering in the following two options (-u and -U) do the following
977 # - ignore valgrind output
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]978 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]979 # - keep one of each non-unique line
980 # - count how many lines remain
981 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
982 # if there were no duplicates.
983 "-U")
984 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
985 fail "lines following pattern '$2' must be unique in Server output"
986 return
987 fi
988 ;;
989
990 "-u")
991 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
992 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]993 return
994 fi
995 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]996 "-F")
997 if ! $2 "$SRV_OUT"; then
998 fail "function call to '$2' failed on Server output"
999 return
1000 fi
1001 ;;
1002 "-f")
1003 if ! $2 "$CLI_OUT"; then
1004 fail "function call to '$2' failed on Client output"
1005 return
1006 fi
1007 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1008
1009 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]1010 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1011 exit 1
1012 esac
1013 shift 2
1014 done
1015
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1016 # check valgrind's results
1017 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1018 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1019 fail "Server has memory errors"
1020 return
1021 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1022 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1023 fail "Client has memory errors"
1024 return
1025 fi
1026 fi
1027
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1028 # if we're here, everything is ok
1029 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]1030 if [ "$PRESERVE_LOGS" -gt 0 ]; then
1031 mv $SRV_OUT o-srv-${TESTS}.log
1032 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]1033 if [ -n "$PXY_CMD" ]; then
1034 mv $PXY_OUT o-pxy-${TESTS}.log
1035 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]1036 fi
1037
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1038 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1039}
1040
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]1041# Test that the server's memory usage after a handshake is reduced when a client specifies
1042# a maximum fragment length.
1043# first argument ($1) is MFL for SSL client
1044# second argument ($2) is memory usage for SSL client with default MFL (16k)
1045run_test_memory_after_hanshake_with_mfl()
1046{
1047 # The test passes if the difference is around 2*(16k-MFL)
1048 local MEMORY_USAGE_LIMIT="$(( $2 - ( 2 * ( 16384 - $1 )) ))"
1049
1050 # Leave some margin for robustness
1051 MEMORY_USAGE_LIMIT="$(( ( MEMORY_USAGE_LIMIT * 110 ) / 100 ))"
1052
1053 run_test "Handshake memory usage (MFL $1)" \
1054 "$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \
1055 "$P_CLI debug_level=3 force_version=tls1_2 \
1056 crt_file=data_files/server5.crt key_file=data_files/server5.key \
1057 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \
1058 0 \
1059 -F "handshake_memory_check $MEMORY_USAGE_LIMIT"
1060}
1061
1062
1063# Test that the server's memory usage after a handshake is reduced when a client specifies
1064# different values of Maximum Fragment Length: default (16k), 4k, 2k, 1k and 512 bytes
1065run_tests_memory_after_hanshake()
1066{
1067 # all tests in this sequence requires the same configuration (see requires_config_enabled())
1068 SKIP_THIS_TESTS="$SKIP_NEXT"
1069
1070 # first test with default MFU is to get reference memory usage
1071 MEMORY_USAGE_MFL_16K=0
1072 run_test "Handshake memory usage initial (MFL 16384 - default)" \
1073 "$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \
1074 "$P_CLI debug_level=3 force_version=tls1_2 \
1075 crt_file=data_files/server5.crt key_file=data_files/server5.key \
1076 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \
1077 0 \
1078 -F "handshake_memory_get MEMORY_USAGE_MFL_16K"
1079
1080 SKIP_NEXT="$SKIP_THIS_TESTS"
1081 run_test_memory_after_hanshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
1082
1083 SKIP_NEXT="$SKIP_THIS_TESTS"
1084 run_test_memory_after_hanshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
1085
1086 SKIP_NEXT="$SKIP_THIS_TESTS"
1087 run_test_memory_after_hanshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
1088
1089 SKIP_NEXT="$SKIP_THIS_TESTS"
1090 run_test_memory_after_hanshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
1091}
1092
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1093cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1094 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1095 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
1096 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
1097 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
1098 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1099 exit 1
1100}
1101
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]1102#
1103# MAIN
1104#
1105
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]1106get_options "$@"
1107
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1108# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]1109P_SRV_BIN="${P_SRV%%[ ]*}"
1110P_CLI_BIN="${P_CLI%%[ ]*}"
1111P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1112if [ ! -x "$P_SRV_BIN" ]; then
1113 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1114 exit 1
1115fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1116if [ ! -x "$P_CLI_BIN" ]; then
1117 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1118 exit 1
1119fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1120if [ ! -x "$P_PXY_BIN" ]; then
1121 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1122 exit 1
1123fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]1124if [ "$MEMCHECK" -gt 0 ]; then
1125 if which valgrind >/dev/null 2>&1; then :; else
1126 echo "Memcheck not possible. Valgrind not found"
1127 exit 1
1128 fi
1129fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1130if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
1131 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1132 exit 1
1133fi
1134
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]1135# used by watchdog
1136MAIN_PID="$$"
1137
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1138# We use somewhat arbitrary delays for tests:
1139# - how long do we wait for the server to start (when lsof not available)?
1140# - how long do we allow for the client to finish?
1141# (not to check performance, just to avoid waiting indefinitely)
1142# Things are slower with valgrind, so give extra time here.
1143#
1144# Note: without lsof, there is a trade-off between the running time of this
1145# script and the risk of spurious errors because we didn't wait long enough.
1146# The watchdog delay on the other hand doesn't affect normal running time of
1147# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1148if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1149 START_DELAY=6
1150 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1151else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1152 START_DELAY=2
1153 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1154fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1155
1156# some particular tests need more time:
1157# - for the client, we multiply the usual watchdog limit by a factor
1158# - for the server, we sleep for a number of seconds after the client exits
1159# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]1160CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]1161SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1162
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1163# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]1164# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1165P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
1166P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]1167P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]1168O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1169O_CLI="$O_CLI -connect localhost:+SRV_PORT"
1170G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1171G_CLI="$G_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1172
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1173if [ -n "${OPENSSL_LEGACY:-}" ]; then
1174 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
1175 O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
1176fi
1177
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1178if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1179 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
1180fi
1181
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1182if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1183 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1184fi
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1185
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]1186# Allow SHA-1, because many of our test certificates use it
1187P_SRV="$P_SRV allow_sha1=1"
1188P_CLI="$P_CLI allow_sha1=1"
1189
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1190# Also pick a unique name for intermediate files
1191SRV_OUT="srv_out.$$"
1192CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1193PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1194SESSION="session.$$"
1195
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]1196SKIP_NEXT="NO"
1197
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1198trap cleanup INT TERM HUP
1199
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1200# Basic test
1201
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1202run_test "Default" \
1203 "$P_SRV debug_level=3" \
1204 "$P_CLI" \
1205 0
1206
1207run_test "Default, DTLS" \
1208 "$P_SRV dtls=1" \
1209 "$P_CLI dtls=1" \
1210 0
1211
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1212# Checks that:
1213# - things work with all ciphersuites active (used with config-full in all.sh)
1214# - the expected (highest security) parameters are selected
1215# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1216requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1217requires_config_enabled MBEDTLS_SHA512_C
1218requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1219requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1220run_test "Default, choose highest security suite and hash" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1221 "$P_SRV debug_level=3" \
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]1222 "$P_CLI" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1223 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1224 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1225 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1226 -s "client hello v3, signature_algorithm ext: 6" \
1227 -s "ECDHE curve: secp521r1" \
1228 -S "error" \
1229 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1230
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1231requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
1232requires_config_enabled MBEDTLS_SHA512_C
1233requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
1234requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1235run_test "Default, choose highest security suite and hash, DTLS" \
1236 "$P_SRV debug_level=3 dtls=1" \
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1237 "$P_CLI dtls=1" \
1238 0 \
1239 -s "Protocol is DTLSv1.2" \
Hanno Becker91900362019-07-03 13:22:59 +0100[diff] [blame]1240 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
1241 -s "client hello v3, signature_algorithm ext: 6" \
1242 -s "ECDHE curve: secp521r1"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1243
Manuel Pégourié-Gonnard079864e2020-01-02 11:58:00 +0100[diff] [blame]1244requires_config_enabled MBEDTLS_ZLIB_SUPPORT
1245run_test "Default (compression enabled)" \
1246 "$P_SRV debug_level=3" \
1247 "$P_CLI debug_level=3" \
1248 0 \
1249 -s "Allocating compression buffer" \
1250 -c "Allocating compression buffer" \
1251 -s "Record expansion is unknown (compression)" \
1252 -c "Record expansion is unknown (compression)" \
1253 -S "error" \
1254 -C "error"
1255
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1256# Test current time in ServerHello
1257requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1258run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1259 "$P_SRV debug_level=3" \
1260 "$P_CLI debug_level=3" \
1261 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1262 -f "check_server_hello_time" \
1263 -F "check_server_hello_time"
1264
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1265# Test for uniqueness of IVs in AEAD ciphersuites
1266run_test "Unique IV in GCM" \
1267 "$P_SRV exchanges=20 debug_level=4" \
1268 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1269 0 \
1270 -u "IV used" \
1271 -U "IV used"
1272
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1273# Tests for rc4 option
1274
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1275requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1276run_test "RC4: server disabled, client enabled" \
1277 "$P_SRV" \
1278 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1279 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1280 -s "SSL - The server has no ciphersuites in common"
1281
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1282requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1283run_test "RC4: server half, client enabled" \
1284 "$P_SRV arc4=1" \
1285 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1286 1 \
1287 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1288
1289run_test "RC4: server enabled, client disabled" \
1290 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1291 "$P_CLI" \
1292 1 \
1293 -s "SSL - The server has no ciphersuites in common"
1294
1295run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1296 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1297 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1298 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1299 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1300 -S "SSL - The server has no ciphersuites in common"
1301
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1302# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
1303
1304requires_gnutls
1305requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
1306run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
1307 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1308 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1309 0
1310
1311requires_gnutls
1312requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
1313run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
1314 "$G_SRV"\
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]1315 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1316 0
1317
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1318# Tests for SHA-1 support
1319
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1320requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1321requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1322requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1323run_test "SHA-1 forbidden by default in server certificate" \
1324 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1325 "$P_CLI debug_level=2 allow_sha1=0" \
1326 1 \
1327 -c "The certificate is signed with an unacceptable hash"
1328
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1329requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1330run_test "SHA-1 forbidden by default in server certificate" \
1331 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1332 "$P_CLI debug_level=2 allow_sha1=0" \
1333 0
1334
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1335run_test "SHA-1 explicitly allowed in server certificate" \
1336 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1337 "$P_CLI allow_sha1=1" \
1338 0
1339
1340run_test "SHA-256 allowed by default in server certificate" \
1341 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
1342 "$P_CLI allow_sha1=0" \
1343 0
1344
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1345requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]1346requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]1347requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1348run_test "SHA-1 forbidden by default in client certificate" \
1349 "$P_SRV auth_mode=required allow_sha1=0" \
1350 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1351 1 \
1352 -s "The certificate is signed with an unacceptable hash"
1353
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1354requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1355run_test "SHA-1 forbidden by default in client certificate" \
1356 "$P_SRV auth_mode=required allow_sha1=0" \
1357 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1358 0
1359
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1360run_test "SHA-1 explicitly allowed in client certificate" \
1361 "$P_SRV auth_mode=required allow_sha1=1" \
1362 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1363 0
1364
1365run_test "SHA-256 allowed by default in client certificate" \
1366 "$P_SRV auth_mode=required allow_sha1=0" \
1367 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
1368 0
1369
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1370# Tests for datagram packing
Andrzej Kurek4f5549f2020-12-21 07:56:57 -0500[diff] [blame]1371requires_config_disabled MBEDTLS_SSL_IMMEDIATE_TRANSMISSION
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1372run_test "DTLS: multiple records in same datagram, client and server" \
1373 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1374 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1375 0 \
1376 -c "next record in same datagram" \
1377 -s "next record in same datagram"
1378
Andrzej Kurek4f5549f2020-12-21 07:56:57 -0500[diff] [blame]1379requires_config_disabled MBEDTLS_SSL_IMMEDIATE_TRANSMISSION
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1380run_test "DTLS: multiple records in same datagram, client only" \
1381 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1382 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1383 0 \
1384 -s "next record in same datagram" \
1385 -C "next record in same datagram"
1386
Andrzej Kurek4f5549f2020-12-21 07:56:57 -0500[diff] [blame]1387requires_config_disabled MBEDTLS_SSL_IMMEDIATE_TRANSMISSION
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1388run_test "DTLS: multiple records in same datagram, server only" \
1389 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1390 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1391 0 \
1392 -S "next record in same datagram" \
1393 -c "next record in same datagram"
1394
1395run_test "DTLS: multiple records in same datagram, neither client nor server" \
1396 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1397 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1398 0 \
1399 -S "next record in same datagram" \
1400 -C "next record in same datagram"
1401
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1402# Tests for Truncated HMAC extension
1403
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1404run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1405 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1406 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1407 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1408 -s "dumping 'expected mac' (20 bytes)" \
1409 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1410
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1411requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1412run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1413 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1414 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1415 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1416 -s "dumping 'expected mac' (20 bytes)" \
1417 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1418
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1419requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1420run_test "Truncated HMAC: client enabled, server default" \
1421 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1422 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1423 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1424 -s "dumping 'expected mac' (20 bytes)" \
1425 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1426
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1427requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1428run_test "Truncated HMAC: client enabled, server disabled" \
1429 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1430 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1431 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1432 -s "dumping 'expected mac' (20 bytes)" \
1433 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1434
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1435requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1436run_test "Truncated HMAC: client disabled, server enabled" \
1437 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1438 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1439 0 \
1440 -s "dumping 'expected mac' (20 bytes)" \
1441 -S "dumping 'expected mac' (10 bytes)"
1442
1443requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1444run_test "Truncated HMAC: client enabled, server enabled" \
1445 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1446 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1447 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1448 -S "dumping 'expected mac' (20 bytes)" \
1449 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1450
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1451requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1452run_test "Truncated HMAC, DTLS: client default, server default" \
1453 "$P_SRV dtls=1 debug_level=4" \
1454 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1455 0 \
1456 -s "dumping 'expected mac' (20 bytes)" \
1457 -S "dumping 'expected mac' (10 bytes)"
1458
1459requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1460run_test "Truncated HMAC, DTLS: client disabled, server default" \
1461 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1462 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1463 0 \
1464 -s "dumping 'expected mac' (20 bytes)" \
1465 -S "dumping 'expected mac' (10 bytes)"
1466
1467requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1468run_test "Truncated HMAC, DTLS: client enabled, server default" \
1469 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1470 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1471 0 \
1472 -s "dumping 'expected mac' (20 bytes)" \
1473 -S "dumping 'expected mac' (10 bytes)"
1474
1475requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1476run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1477 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1478 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1479 0 \
1480 -s "dumping 'expected mac' (20 bytes)" \
1481 -S "dumping 'expected mac' (10 bytes)"
1482
1483requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1484run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1485 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1486 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1487 0 \
1488 -s "dumping 'expected mac' (20 bytes)" \
1489 -S "dumping 'expected mac' (10 bytes)"
1490
1491requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1492run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1493 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1494 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1495 0 \
1496 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1497 -s "dumping 'expected mac' (10 bytes)"
1498
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1499# Tests for Context serialization
1500
1501requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1502run_test "Context serialization, client serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1503 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1504 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1505 0 \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1506 -c "Deserializing connection..." \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1507 -S "Deserializing connection..."
1508
1509requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1510run_test "Context serialization, client serializes, ChaChaPoly" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1511 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1512 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1513 0 \
1514 -c "Deserializing connection..." \
1515 -S "Deserializing connection..."
1516
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1517requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1518run_test "Context serialization, client serializes, GCM" \
1519 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1520 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1521 0 \
1522 -c "Deserializing connection..." \
1523 -S "Deserializing connection..."
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1524
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1525requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1526requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1527run_test "Context serialization, client serializes, with CID" \
1528 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1529 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1530 0 \
1531 -c "Deserializing connection..." \
1532 -S "Deserializing connection..."
1533
1534requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1535run_test "Context serialization, server serializes, CCM" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1536 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1537 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1538 0 \
1539 -C "Deserializing connection..." \
1540 -s "Deserializing connection..."
1541
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1542requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1543run_test "Context serialization, server serializes, ChaChaPoly" \
1544 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1545 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1546 0 \
1547 -C "Deserializing connection..." \
1548 -s "Deserializing connection..."
1549
1550requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1551run_test "Context serialization, server serializes, GCM" \
1552 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1553 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1554 0 \
1555 -C "Deserializing connection..." \
Jarno Lamsacc281b82019-06-04 15:21:13 +0300[diff] [blame]1556 -s "Deserializing connection..."
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1557
1558requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1559requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1560run_test "Context serialization, server serializes, with CID" \
1561 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1562 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1563 0 \
1564 -C "Deserializing connection..." \
1565 -s "Deserializing connection..."
1566
1567requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1568run_test "Context serialization, both serialize, CCM" \
Jarno Lamsadcfc2a72019-06-04 15:18:19 +0300[diff] [blame]1569 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1570 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1571 0 \
1572 -c "Deserializing connection..." \
1573 -s "Deserializing connection..."
1574
1575requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1576run_test "Context serialization, both serialize, ChaChaPoly" \
1577 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1578 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1579 0 \
1580 -c "Deserializing connection..." \
1581 -s "Deserializing connection..."
1582
1583requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1584run_test "Context serialization, both serialize, GCM" \
1585 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1586 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsafa45e602019-06-04 11:33:23 +0300[diff] [blame]1587 0 \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1588 -c "Deserializing connection..." \
1589 -s "Deserializing connection..."
1590
1591requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1592requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1593run_test "Context serialization, both serialize, with CID" \
1594 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1595 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1596 0 \
1597 -c "Deserializing connection..." \
1598 -s "Deserializing connection..."
1599
1600requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1601run_test "Context serialization, re-init, client serializes, CCM" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1602 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1603 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1604 0 \
1605 -c "Deserializing connection..." \
1606 -S "Deserializing connection..."
1607
1608requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1609run_test "Context serialization, re-init, client serializes, ChaChaPoly" \
1610 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1611 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1612 0 \
1613 -c "Deserializing connection..." \
1614 -S "Deserializing connection..."
1615
1616requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1617run_test "Context serialization, re-init, client serializes, GCM" \
1618 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1619 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1620 0 \
1621 -c "Deserializing connection..." \
1622 -S "Deserializing connection..."
1623
1624requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1625requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1626run_test "Context serialization, re-init, client serializes, with CID" \
1627 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1628 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1629 0 \
1630 -c "Deserializing connection..." \
1631 -S "Deserializing connection..."
1632
1633requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1634run_test "Context serialization, re-init, server serializes, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1635 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1636 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1637 0 \
1638 -C "Deserializing connection..." \
1639 -s "Deserializing connection..."
1640
1641requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1642run_test "Context serialization, re-init, server serializes, ChaChaPoly" \
1643 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1644 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1645 0 \
1646 -C "Deserializing connection..." \
1647 -s "Deserializing connection..."
1648
1649requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1650run_test "Context serialization, re-init, server serializes, GCM" \
1651 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1652 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1653 0 \
1654 -C "Deserializing connection..." \
1655 -s "Deserializing connection..."
1656
1657requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1658requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1659run_test "Context serialization, re-init, server serializes, with CID" \
1660 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1661 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1662 0 \
1663 -C "Deserializing connection..." \
1664 -s "Deserializing connection..."
1665
1666requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1667run_test "Context serialization, re-init, both serialize, CCM" \
Manuel Pégourié-Gonnard0d832712019-07-23 14:13:43 +0200[diff] [blame]1668 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Becker2e72dd82019-08-30 11:32:12 +0100[diff] [blame]1669 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1670 0 \
1671 -c "Deserializing connection..." \
1672 -s "Deserializing connection..."
1673
1674requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1675run_test "Context serialization, re-init, both serialize, ChaChaPoly" \
1676 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1677 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1678 0 \
1679 -c "Deserializing connection..." \
1680 -s "Deserializing connection..."
1681
1682requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1683run_test "Context serialization, re-init, both serialize, GCM" \
1684 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1685 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsa8a91c062019-06-06 10:44:14 +0300[diff] [blame]1686 0 \
1687 -c "Deserializing connection..." \
1688 -s "Deserializing connection..."
1689
Hanno Beckere80c1b02019-08-30 11:18:59 +0100[diff] [blame]1690requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1691requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1692run_test "Context serialization, re-init, both serialize, with CID" \
1693 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1694 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1695 0 \
1696 -c "Deserializing connection..." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1697 -s "Deserializing connection..."
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1698
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1699# Tests for DTLS Connection ID extension
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1700
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1701# So far, the CID API isn't implemented, so we can't
1702# grep for output witnessing its use. This needs to be
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1703# changed once the CID extension is implemented.
Hanno Beckerad8e2c92019-05-08 13:19:53 +0100[diff] [blame]1704
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1705requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1706run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1707 "$P_SRV debug_level=3 dtls=1 cid=0" \
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1708 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=dead" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1709 0 \
1710 -s "Disable use of CID extension." \
1711 -s "found CID extension" \
1712 -s "Client sent CID extension, but CID disabled" \
1713 -c "Enable use of CID extension." \
1714 -c "client hello, adding CID extension" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1715 -S "server hello, adding CID extension" \
1716 -C "found CID extension" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1717 -S "Copy CIDs into SSL transform" \
1718 -C "Copy CIDs into SSL transform" \
1719 -c "Use of Connection ID was rejected by the server"
1720
1721requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1722run_test "Connection ID: Cli disabled, Srv enabled" \
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1723 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1724 "$P_CLI debug_level=3 dtls=1 cid=0" \
1725 0 \
1726 -c "Disable use of CID extension." \
1727 -C "client hello, adding CID extension" \
1728 -S "found CID extension" \
1729 -s "Enable use of CID extension." \
1730 -S "server hello, adding CID extension" \
1731 -C "found CID extension" \
1732 -S "Copy CIDs into SSL transform" \
1733 -C "Copy CIDs into SSL transform" \
1734 -s "Use of Connection ID was not offered by client"
1735
1736requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb60c85c2019-04-23 12:02:34 +0100[diff] [blame]1737run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1738 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1739 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
1740 0 \
1741 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1742 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1743 -c "client hello, adding CID extension" \
1744 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1745 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1746 -s "server hello, adding CID extension" \
1747 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1748 -c "Use of CID extension negotiated" \
1749 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1750 -c "Copy CIDs into SSL transform" \
1751 -c "Peer CID (length 2 Bytes): de ad" \
1752 -s "Peer CID (length 2 Bytes): be ef" \
1753 -s "Use of Connection ID has been negotiated" \
1754 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1755
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1756requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1757run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1758 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1759 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
1760 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
1761 0 \
1762 -c "Enable use of CID extension." \
1763 -s "Enable use of CID extension." \
1764 -c "client hello, adding CID extension" \
1765 -s "found CID extension" \
1766 -s "Use of CID extension negotiated" \
1767 -s "server hello, adding CID extension" \
1768 -c "found CID extension" \
1769 -c "Use of CID extension negotiated" \
1770 -s "Copy CIDs into SSL transform" \
1771 -c "Copy CIDs into SSL transform" \
1772 -c "Peer CID (length 2 Bytes): de ad" \
1773 -s "Peer CID (length 2 Bytes): be ef" \
1774 -s "Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1775 -c "Use of Connection ID has been negotiated" \
1776 -c "ignoring unexpected CID" \
1777 -s "ignoring unexpected CID"
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1778
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1779requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1780run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
1781 -p "$P_PXY mtu=800" \
1782 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1783 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1784 0 \
1785 -c "Enable use of CID extension." \
1786 -s "Enable use of CID extension." \
1787 -c "client hello, adding CID extension" \
1788 -s "found CID extension" \
1789 -s "Use of CID extension negotiated" \
1790 -s "server hello, adding CID extension" \
1791 -c "found CID extension" \
1792 -c "Use of CID extension negotiated" \
1793 -s "Copy CIDs into SSL transform" \
1794 -c "Copy CIDs into SSL transform" \
1795 -c "Peer CID (length 2 Bytes): de ad" \
1796 -s "Peer CID (length 2 Bytes): be ef" \
1797 -s "Use of Connection ID has been negotiated" \
1798 -c "Use of Connection ID has been negotiated"
1799
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1800requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1801run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1802 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1803 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1804 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1805 0 \
1806 -c "Enable use of CID extension." \
1807 -s "Enable use of CID extension." \
1808 -c "client hello, adding CID extension" \
1809 -s "found CID extension" \
1810 -s "Use of CID extension negotiated" \
1811 -s "server hello, adding CID extension" \
1812 -c "found CID extension" \
1813 -c "Use of CID extension negotiated" \
1814 -s "Copy CIDs into SSL transform" \
1815 -c "Copy CIDs into SSL transform" \
1816 -c "Peer CID (length 2 Bytes): de ad" \
1817 -s "Peer CID (length 2 Bytes): be ef" \
1818 -s "Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]1819 -c "Use of Connection ID has been negotiated" \
1820 -c "ignoring unexpected CID" \
1821 -s "ignoring unexpected CID"
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1822
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1823requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1824requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1825run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1826 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1827 "$P_CLI debug_level=3 dtls=1 cid=1" \
1828 0 \
1829 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1830 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1831 -c "client hello, adding CID extension" \
1832 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1833 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1834 -s "server hello, adding CID extension" \
1835 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1836 -c "Use of CID extension negotiated" \
1837 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1838 -c "Copy CIDs into SSL transform" \
1839 -c "Peer CID (length 4 Bytes): de ad be ef" \
1840 -s "Peer CID (length 0 Bytes):" \
1841 -s "Use of Connection ID has been negotiated" \
1842 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1843
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1844requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1845requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1846run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1847 "$P_SRV debug_level=3 dtls=1 cid=1" \
1848 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1849 0 \
1850 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1851 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1852 -c "client hello, adding CID extension" \
1853 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1854 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1855 -s "server hello, adding CID extension" \
1856 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1857 -c "Use of CID extension negotiated" \
1858 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1859 -c "Copy CIDs into SSL transform" \
1860 -s "Peer CID (length 4 Bytes): de ad be ef" \
1861 -c "Peer CID (length 0 Bytes):" \
1862 -s "Use of Connection ID has been negotiated" \
1863 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1864
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1865requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1866requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1867run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1868 "$P_SRV debug_level=3 dtls=1 cid=1" \
1869 "$P_CLI debug_level=3 dtls=1 cid=1" \
1870 0 \
1871 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1872 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1873 -c "client hello, adding CID extension" \
1874 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1875 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1876 -s "server hello, adding CID extension" \
1877 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1878 -c "Use of CID extension negotiated" \
1879 -s "Copy CIDs into SSL transform" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1880 -c "Copy CIDs into SSL transform" \
1881 -S "Use of Connection ID has been negotiated" \
1882 -C "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1883
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1884requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1885run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1886 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1887 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1888 0 \
1889 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1890 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1891 -c "client hello, adding CID extension" \
1892 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1893 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1894 -s "server hello, adding CID extension" \
1895 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1896 -c "Use of CID extension negotiated" \
1897 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1898 -c "Copy CIDs into SSL transform" \
1899 -c "Peer CID (length 2 Bytes): de ad" \
1900 -s "Peer CID (length 2 Bytes): be ef" \
1901 -s "Use of Connection ID has been negotiated" \
1902 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1903
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1904requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1905requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1906run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1907 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1908 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1909 0 \
1910 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1911 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1912 -c "client hello, adding CID extension" \
1913 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1914 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1915 -s "server hello, adding CID extension" \
1916 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1917 -c "Use of CID extension negotiated" \
1918 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1919 -c "Copy CIDs into SSL transform" \
1920 -c "Peer CID (length 4 Bytes): de ad be ef" \
1921 -s "Peer CID (length 0 Bytes):" \
1922 -s "Use of Connection ID has been negotiated" \
1923 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1924
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1925requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1926requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1927run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1928 "$P_SRV debug_level=3 dtls=1 cid=1" \
1929 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1930 0 \
1931 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1932 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1933 -c "client hello, adding CID extension" \
1934 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1935 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1936 -s "server hello, adding CID extension" \
1937 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1938 -c "Use of CID extension negotiated" \
1939 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1940 -c "Copy CIDs into SSL transform" \
1941 -s "Peer CID (length 4 Bytes): de ad be ef" \
1942 -c "Peer CID (length 0 Bytes):" \
1943 -s "Use of Connection ID has been negotiated" \
1944 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1945
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1946requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1947requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1948run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1949 "$P_SRV debug_level=3 dtls=1 cid=1" \
1950 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1951 0 \
1952 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1953 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1954 -c "client hello, adding CID extension" \
1955 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1956 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1957 -s "server hello, adding CID extension" \
1958 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1959 -c "Use of CID extension negotiated" \
1960 -s "Copy CIDs into SSL transform" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]1961 -c "Copy CIDs into SSL transform" \
1962 -S "Use of Connection ID has been negotiated" \
1963 -C "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1964
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1965requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1966requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1967run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1968 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1969 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
1970 0 \
1971 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1972 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1973 -c "client hello, adding CID extension" \
1974 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1975 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1976 -s "server hello, adding CID extension" \
1977 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]1978 -c "Use of CID extension negotiated" \
1979 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]1980 -c "Copy CIDs into SSL transform" \
1981 -c "Peer CID (length 2 Bytes): de ad" \
1982 -s "Peer CID (length 2 Bytes): be ef" \
1983 -s "Use of Connection ID has been negotiated" \
1984 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]1985
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]1986requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]1987requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
1988requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]1989run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]1990 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1991 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
1992 0 \
1993 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]1994 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]1995 -c "client hello, adding CID extension" \
1996 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]1997 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]1998 -s "server hello, adding CID extension" \
1999 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]2000 -c "Use of CID extension negotiated" \
2001 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]2002 -c "Copy CIDs into SSL transform" \
2003 -c "Peer CID (length 4 Bytes): de ad be ef" \
2004 -s "Peer CID (length 0 Bytes):" \
2005 -s "Use of Connection ID has been negotiated" \
2006 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]2007
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2008requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]2009requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
2010requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2011run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]2012 "$P_SRV debug_level=3 dtls=1 cid=1" \
2013 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2014 0 \
2015 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]2016 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]2017 -c "client hello, adding CID extension" \
2018 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]2019 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]2020 -s "server hello, adding CID extension" \
2021 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]2022 -c "Use of CID extension negotiated" \
2023 -s "Copy CIDs into SSL transform" \
Hanno Beckerb7f9e9c2019-05-03 17:04:23 +0100[diff] [blame]2024 -c "Copy CIDs into SSL transform" \
2025 -s "Peer CID (length 4 Bytes): de ad be ef" \
2026 -c "Peer CID (length 0 Bytes):" \
2027 -s "Use of Connection ID has been negotiated" \
2028 -c "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]2029
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2030requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]2031requires_config_disabled MBEDTLS_SSL_CONF_CID_LEN
2032requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2033run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]2034 "$P_SRV debug_level=3 dtls=1 cid=1" \
2035 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2036 0 \
2037 -c "Enable use of CID extension." \
Hanno Becker73455992019-04-25 17:01:43 +0100[diff] [blame]2038 -s "Enable use of CID extension." \
Hanno Beckerc008cb52019-04-26 14:17:56 +0100[diff] [blame]2039 -c "client hello, adding CID extension" \
2040 -s "found CID extension" \
Hanno Becker4eb05872019-04-26 16:00:29 +0100[diff] [blame]2041 -s "Use of CID extension negotiated" \
Hanno Beckercf2a5652019-04-26 16:13:31 +0100[diff] [blame]2042 -s "server hello, adding CID extension" \
2043 -c "found CID extension" \
Hanno Becker5e2cd142019-04-26 16:23:52 +0100[diff] [blame]2044 -c "Use of CID extension negotiated" \
2045 -s "Copy CIDs into SSL transform" \
Hanno Becker6a3ff282019-04-26 17:19:46 +0100[diff] [blame]2046 -c "Copy CIDs into SSL transform" \
2047 -S "Use of Connection ID has been negotiated" \
2048 -C "Use of Connection ID has been negotiated"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]2049
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2050requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker963cb352019-04-23 11:52:44 +0100[diff] [blame]2051requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2052run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
Hanno Becker9dae9fd2019-04-25 16:05:45 +0100[diff] [blame]2053 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2054 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2055 0 \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2056 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2057 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2058 -s "(initial handshake) Use of Connection ID has been negotiated" \
2059 -c "(initial handshake) Use of Connection ID has been negotiated" \
2060 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2061 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2062 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2063 -c "(after renegotiation) Use of Connection ID has been negotiated"
2064
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2065requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2066requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2067run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2068 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
2069 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2070 0 \
2071 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2072 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2073 -s "(initial handshake) Use of Connection ID has been negotiated" \
2074 -c "(initial handshake) Use of Connection ID has been negotiated" \
2075 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2076 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2077 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2078 -c "(after renegotiation) Use of Connection ID has been negotiated"
2079
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2080requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2081requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2082run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
2083 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
2084 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2085 0 \
2086 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2087 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2088 -s "(initial handshake) Use of Connection ID has been negotiated" \
2089 -c "(initial handshake) Use of Connection ID has been negotiated" \
2090 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2091 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2092 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2093 -c "(after renegotiation) Use of Connection ID has been negotiated"
2094
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2095requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2096requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2097run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2098 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2099 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
2100 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2101 0 \
2102 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2103 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2104 -s "(initial handshake) Use of Connection ID has been negotiated" \
2105 -c "(initial handshake) Use of Connection ID has been negotiated" \
2106 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2107 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2108 -s "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2109 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2110 -c "ignoring unexpected CID" \
2111 -s "ignoring unexpected CID"
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2112
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2113requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2114requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2115run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2116 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2117 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2118 0 \
2119 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2120 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2121 -s "(initial handshake) Use of Connection ID has been negotiated" \
2122 -c "(initial handshake) Use of Connection ID has been negotiated" \
2123 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2124 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2125 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2126 -S "(after renegotiation) Use of Connection ID has been negotiated"
2127
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2128requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2129requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2130run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
2131 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2132 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2133 0 \
2134 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2135 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2136 -s "(initial handshake) Use of Connection ID has been negotiated" \
2137 -c "(initial handshake) Use of Connection ID has been negotiated" \
2138 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2139 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2140 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2141 -S "(after renegotiation) Use of Connection ID has been negotiated"
2142
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2143requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2144requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2145run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2146 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2147 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2148 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2149 0 \
2150 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2151 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2152 -s "(initial handshake) Use of Connection ID has been negotiated" \
2153 -c "(initial handshake) Use of Connection ID has been negotiated" \
2154 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2155 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2156 -C "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2157 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2158 -c "ignoring unexpected CID" \
2159 -s "ignoring unexpected CID"
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2160
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2161requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2162requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2163run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2164 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2165 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2166 0 \
2167 -S "(initial handshake) Use of Connection ID has been negotiated" \
2168 -C "(initial handshake) Use of Connection ID has been negotiated" \
2169 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2170 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2171 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2172 -s "(after renegotiation) Use of Connection ID has been negotiated"
2173
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2174requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2175requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2176run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
2177 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2178 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2179 0 \
2180 -S "(initial handshake) Use of Connection ID has been negotiated" \
2181 -C "(initial handshake) Use of Connection ID has been negotiated" \
2182 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2183 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2184 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2185 -s "(after renegotiation) Use of Connection ID has been negotiated"
2186
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2187requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker84bbc512019-05-08 16:20:46 +0100[diff] [blame]2188requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2189run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2190 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2191 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2192 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2193 0 \
2194 -S "(initial handshake) Use of Connection ID has been negotiated" \
2195 -C "(initial handshake) Use of Connection ID has been negotiated" \
2196 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2197 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2198 -c "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2199 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2200 -c "ignoring unexpected CID" \
2201 -s "ignoring unexpected CID"
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2202
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2203requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2204requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2205run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2206 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2207 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2208 0 \
2209 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2210 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2211 -s "(initial handshake) Use of Connection ID has been negotiated" \
2212 -c "(initial handshake) Use of Connection ID has been negotiated" \
2213 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2214 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2215 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2216 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2217 -s "(after renegotiation) Use of Connection ID was not offered by client"
2218
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2219requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2220requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2221run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2222 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2223 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2224 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2225 0 \
2226 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2227 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2228 -s "(initial handshake) Use of Connection ID has been negotiated" \
2229 -c "(initial handshake) Use of Connection ID has been negotiated" \
2230 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2231 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2232 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2233 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2234 -s "(after renegotiation) Use of Connection ID was not offered by client" \
2235 -c "ignoring unexpected CID" \
2236 -s "ignoring unexpected CID"
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2237
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2238requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2239requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2240run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
2241 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2242 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2243 0 \
2244 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2245 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2246 -s "(initial handshake) Use of Connection ID has been negotiated" \
2247 -c "(initial handshake) Use of Connection ID has been negotiated" \
2248 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2249 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2250 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2251 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2252 -c "(after renegotiation) Use of Connection ID was rejected by the server"
2253
Hanno Beckera5a2b082019-05-15 14:03:01 +0100[diff] [blame]2254requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker04ca04c2019-05-08 13:31:15 +0100[diff] [blame]2255requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2256run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2257 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker96870292019-05-03 17:30:59 +0100[diff] [blame]2258 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2259 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2260 0 \
2261 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2262 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2263 -s "(initial handshake) Use of Connection ID has been negotiated" \
2264 -c "(initial handshake) Use of Connection ID has been negotiated" \
2265 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2266 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2267 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2268 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerf6fb4ea2019-05-24 10:11:23 +0100[diff] [blame]2269 -c "(after renegotiation) Use of Connection ID was rejected by the server" \
2270 -c "ignoring unexpected CID" \
2271 -s "ignoring unexpected CID"
Hanno Becker2dcdc922019-04-09 18:08:47 +0100[diff] [blame]2272
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]2273requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2274requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
2275run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \
2276 "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
2277 "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \
2278 0 \
2279 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2280 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2281 -s "(initial handshake) Use of Connection ID has been negotiated" \
2282 -c "(initial handshake) Use of Connection ID has been negotiated" \
2283 -s "Reallocating in_buf" \
2284 -s "Reallocating out_buf"
2285
2286requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2287requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
2288run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \
2289 "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
2290 "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \
2291 0 \
2292 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2293 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2294 -s "(initial handshake) Use of Connection ID has been negotiated" \
2295 -c "(initial handshake) Use of Connection ID has been negotiated" \
2296 -s "Reallocating in_buf" \
2297 -s "Reallocating out_buf"
2298
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2299# Tests for Encrypt-then-MAC extension
2300
2301run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2302 "$P_SRV debug_level=3 \
2303 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2304 "$P_CLI debug_level=3" \
2305 0 \
2306 -c "client hello, adding encrypt_then_mac extension" \
2307 -s "found encrypt then mac extension" \
2308 -s "server hello, adding encrypt then mac extension" \
2309 -c "found encrypt_then_mac extension" \
2310 -c "using encrypt then mac" \
2311 -s "using encrypt then mac"
2312
2313run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2314 "$P_SRV debug_level=3 etm=0 \
2315 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2316 "$P_CLI debug_level=3 etm=1" \
2317 0 \
2318 -c "client hello, adding encrypt_then_mac extension" \
2319 -s "found encrypt then mac extension" \
2320 -S "server hello, adding encrypt then mac extension" \
2321 -C "found encrypt_then_mac extension" \
2322 -C "using encrypt then mac" \
2323 -S "using encrypt then mac"
2324
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2325run_test "Encrypt then MAC: client enabled, aead cipher" \
2326 "$P_SRV debug_level=3 etm=1 \
2327 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
2328 "$P_CLI debug_level=3 etm=1" \
2329 0 \
2330 -c "client hello, adding encrypt_then_mac extension" \
2331 -s "found encrypt then mac extension" \
2332 -S "server hello, adding encrypt then mac extension" \
2333 -C "found encrypt_then_mac extension" \
2334 -C "using encrypt then mac" \
2335 -S "using encrypt then mac"
2336
2337run_test "Encrypt then MAC: client enabled, stream cipher" \
2338 "$P_SRV debug_level=3 etm=1 \
2339 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2340 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2341 0 \
2342 -c "client hello, adding encrypt_then_mac extension" \
2343 -s "found encrypt then mac extension" \
2344 -S "server hello, adding encrypt then mac extension" \
2345 -C "found encrypt_then_mac extension" \
2346 -C "using encrypt then mac" \
2347 -S "using encrypt then mac"
2348
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2349run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2350 "$P_SRV debug_level=3 etm=1 \
2351 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2352 "$P_CLI debug_level=3 etm=0" \
2353 0 \
2354 -C "client hello, adding encrypt_then_mac extension" \
2355 -S "found encrypt then mac extension" \
2356 -S "server hello, adding encrypt then mac extension" \
2357 -C "found encrypt_then_mac extension" \
2358 -C "using encrypt then mac" \
2359 -S "using encrypt then mac"
2360
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2361requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2362run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2363 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2364 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2365 "$P_CLI debug_level=3 force_version=ssl3" \
2366 0 \
2367 -C "client hello, adding encrypt_then_mac extension" \
2368 -S "found encrypt then mac extension" \
2369 -S "server hello, adding encrypt then mac extension" \
2370 -C "found encrypt_then_mac extension" \
2371 -C "using encrypt then mac" \
2372 -S "using encrypt then mac"
2373
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2374requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2375run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2376 "$P_SRV debug_level=3 force_version=ssl3 \
2377 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2378 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2379 0 \
2380 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2381 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2382 -S "server hello, adding encrypt then mac extension" \
2383 -C "found encrypt_then_mac extension" \
2384 -C "using encrypt then mac" \
2385 -S "using encrypt then mac"
2386
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2387# Tests for Extended Master Secret extension
2388
Jarno Lamsa31d940b2019-06-12 10:21:33 +0300[diff] [blame]2389run_test "Extended Master Secret: default (not enforcing)" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2390 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0 " \
2391 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Jarno Lamsa31d940b2019-06-12 10:21:33 +0300[diff] [blame]2392 0 \
2393 -c "client hello, adding extended_master_secret extension" \
2394 -s "found extended master secret extension" \
2395 -s "server hello, adding extended master secret extension" \
2396 -c "found extended_master_secret extension" \
2397 -c "session hash for extended master secret" \
2398 -s "session hash for extended master secret"
2399
2400run_test "Extended Master Secret: both enabled, both enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2401 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2402 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2403 0 \
2404 -c "client hello, adding extended_master_secret extension" \
2405 -s "found extended master secret extension" \
2406 -s "server hello, adding extended master secret extension" \
2407 -c "found extended_master_secret extension" \
2408 -c "session hash for extended master secret" \
2409 -s "session hash for extended master secret"
2410
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2411run_test "Extended Master Secret: both enabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2412 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2413 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2414 0 \
2415 -c "client hello, adding extended_master_secret extension" \
2416 -s "found extended master secret extension" \
2417 -s "server hello, adding extended master secret extension" \
2418 -c "found extended_master_secret extension" \
2419 -c "session hash for extended master secret" \
2420 -s "session hash for extended master secret"
2421
2422run_test "Extended Master Secret: both enabled, server enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2423 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2424 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2425 0 \
2426 -c "client hello, adding extended_master_secret extension" \
2427 -s "found extended master secret extension" \
2428 -s "server hello, adding extended master secret extension" \
2429 -c "found extended_master_secret extension" \
2430 -c "session hash for extended master secret" \
2431 -s "session hash for extended master secret"
2432
2433run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2434 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2435 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2436 1 \
2437 -c "client hello, adding extended_master_secret extension" \
2438 -s "found extended master secret extension" \
2439 -S "server hello, adding extended master secret extension" \
2440 -C "found extended_master_secret extension" \
2441 -c "Peer not offering extended master secret, while it is enforced"
2442
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2443run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2444 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2445 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa41b35912019-06-10 15:51:11 +0300[diff] [blame]2446 1 \
2447 -C "client hello, adding extended_master_secret extension" \
2448 -S "found extended master secret extension" \
2449 -S "server hello, adding extended master secret extension" \
2450 -C "found extended_master_secret extension" \
2451 -s "Peer not offering extended master secret, while it is enforced"
2452
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2453run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2454 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2455 "$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2456 0 \
2457 -c "client hello, adding extended_master_secret extension" \
2458 -s "found extended master secret extension" \
2459 -S "server hello, adding extended master secret extension" \
2460 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2461 -C "session hash for extended master secret" \
2462 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2463
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2464run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2465 "$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
2466 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2467 0 \
2468 -C "client hello, adding extended_master_secret extension" \
2469 -S "found extended master secret extension" \
2470 -S "server hello, adding extended master secret extension" \
2471 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2472 -C "session hash for extended master secret" \
2473 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2474
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2475run_test "Extended Master Secret: client disabled, server disabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2476 "$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
2477 "$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
Jarno Lamsa20095af2019-06-11 17:16:58 +0300[diff] [blame]2478 0 \
2479 -C "client hello, adding extended_master_secret extension" \
2480 -S "found extended master secret extension" \
2481 -S "server hello, adding extended master secret extension" \
2482 -C "found extended_master_secret extension" \
2483 -C "session hash for extended master secret" \
2484 -S "session hash for extended master secret"
2485
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2486requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2487run_test "Extended Master Secret: client SSLv3, server enabled" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2488 "$P_SRV debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2489 "$P_CLI debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2490 0 \
2491 -C "client hello, adding extended_master_secret extension" \
2492 -S "found extended master secret extension" \
2493 -S "server hello, adding extended master secret extension" \
2494 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2495 -C "session hash for extended master secret" \
2496 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2497
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2498requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2499run_test "Extended Master Secret: client enabled, server SSLv3" \
Hanno Beckeraf5ab912019-06-21 12:59:46 +0100[diff] [blame]2500 "$P_SRV debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
2501 "$P_CLI debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2502 0 \
2503 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2504 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2505 -S "server hello, adding extended master secret extension" \
2506 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard9c5bcc92019-05-20 12:09:50 +0200[diff] [blame]2507 -C "session hash for extended master secret" \
2508 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2509
Jarno Lamsaff434c22019-10-25 12:21:54 +0300[diff] [blame]2510run_test "Extended Master Secret: both enabled, both enforcing, DTLS" \
2511 "$P_SRV dtls=1 debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2512 "$P_CLI dtls=1 debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
2513 0 \
2514 -c "client hello, adding extended_master_secret extension" \
2515 -s "found extended master secret extension" \
2516 -s "server hello, adding extended master secret extension" \
2517 -c "found extended_master_secret extension" \
2518 -c "session hash for extended master secret" \
2519 -s "session hash for extended master secret"
2520
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2521# Tests for FALLBACK_SCSV
2522
2523run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2524 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2525 "$P_CLI debug_level=3 force_version=tls1_1" \
2526 0 \
2527 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2528 -S "received FALLBACK_SCSV" \
2529 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2530 -C "is a fatal alert message (msg 86)"
2531
2532run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2533 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2534 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2535 0 \
2536 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2537 -S "received FALLBACK_SCSV" \
2538 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2539 -C "is a fatal alert message (msg 86)"
2540
2541run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2542 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2543 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2544 1 \
2545 -c "adding FALLBACK_SCSV" \
2546 -s "received FALLBACK_SCSV" \
2547 -s "inapropriate fallback" \
2548 -c "is a fatal alert message (msg 86)"
2549
2550run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2551 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2552 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2553 0 \
2554 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2555 -s "received FALLBACK_SCSV" \
2556 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2557 -C "is a fatal alert message (msg 86)"
2558
2559requires_openssl_with_fallback_scsv
2560run_test "Fallback SCSV: default, openssl server" \
2561 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2562 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2563 0 \
2564 -C "adding FALLBACK_SCSV" \
2565 -C "is a fatal alert message (msg 86)"
2566
2567requires_openssl_with_fallback_scsv
2568run_test "Fallback SCSV: enabled, openssl server" \
2569 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2570 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2571 1 \
2572 -c "adding FALLBACK_SCSV" \
2573 -c "is a fatal alert message (msg 86)"
2574
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2575requires_openssl_with_fallback_scsv
2576run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2577 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2578 "$O_CLI -tls1_1" \
2579 0 \
2580 -S "received FALLBACK_SCSV" \
2581 -S "inapropriate fallback"
2582
2583requires_openssl_with_fallback_scsv
2584run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2585 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2586 "$O_CLI -tls1_1 -fallback_scsv" \
2587 1 \
2588 -s "received FALLBACK_SCSV" \
2589 -s "inapropriate fallback"
2590
2591requires_openssl_with_fallback_scsv
2592run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2593 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2594 "$O_CLI -fallback_scsv" \
2595 0 \
2596 -s "received FALLBACK_SCSV" \
2597 -S "inapropriate fallback"
2598
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2599# Test sending and receiving empty application data records
2600
2601run_test "Encrypt then MAC: empty application data record" \
2602 "$P_SRV auth_mode=none debug_level=4 etm=1" \
2603 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
2604 0 \
2605 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2606 -s "dumping 'input payload after decrypt' (0 bytes)" \
2607 -c "0 bytes written in 1 fragments"
2608
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]2609run_test "Encrypt then MAC: disabled, empty application data record" \
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2610 "$P_SRV auth_mode=none debug_level=4 etm=0" \
2611 "$P_CLI auth_mode=none etm=0 request_size=0" \
2612 0 \
2613 -s "dumping 'input payload after decrypt' (0 bytes)" \
2614 -c "0 bytes written in 1 fragments"
2615
2616run_test "Encrypt then MAC, DTLS: empty application data record" \
2617 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
2618 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
2619 0 \
2620 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2621 -s "dumping 'input payload after decrypt' (0 bytes)" \
2622 -c "0 bytes written in 1 fragments"
2623
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]2624run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2625 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
2626 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
2627 0 \
2628 -s "dumping 'input payload after decrypt' (0 bytes)" \
2629 -c "0 bytes written in 1 fragments"
2630
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2631## ClientHello generated with
2632## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
2633## then manually twiddling the ciphersuite list.
2634## The ClientHello content is spelled out below as a hex string as
2635## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
2636## The expected response is an inappropriate_fallback alert.
2637requires_openssl_with_fallback_scsv
2638run_test "Fallback SCSV: beginning of list" \
2639 "$P_SRV debug_level=2" \
2640 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
2641 0 \
2642 -s "received FALLBACK_SCSV" \
2643 -s "inapropriate fallback"
2644
2645requires_openssl_with_fallback_scsv
2646run_test "Fallback SCSV: end of list" \
2647 "$P_SRV debug_level=2" \
2648 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
2649 0 \
2650 -s "received FALLBACK_SCSV" \
2651 -s "inapropriate fallback"
2652
2653## Here the expected response is a valid ServerHello prefix, up to the random.
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]2654## Due to the way the clienthello was generated, this currently needs the
2655## server to have support for session tickets.
2656requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2657requires_openssl_with_fallback_scsv
2658run_test "Fallback SCSV: not in list" \
2659 "$P_SRV debug_level=2" \
2660 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
2661 0 \
2662 -S "received FALLBACK_SCSV" \
2663 -S "inapropriate fallback"
2664
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2665# Tests for CBC 1/n-1 record splitting
2666
2667run_test "CBC Record splitting: TLS 1.2, no splitting" \
2668 "$P_SRV" \
2669 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2670 request_size=123 force_version=tls1_2" \
2671 0 \
2672 -s "Read from client: 123 bytes read" \
2673 -S "Read from client: 1 bytes read" \
2674 -S "122 bytes read"
2675
2676run_test "CBC Record splitting: TLS 1.1, no splitting" \
2677 "$P_SRV" \
2678 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2679 request_size=123 force_version=tls1_1" \
2680 0 \
2681 -s "Read from client: 123 bytes read" \
2682 -S "Read from client: 1 bytes read" \
2683 -S "122 bytes read"
2684
2685run_test "CBC Record splitting: TLS 1.0, splitting" \
2686 "$P_SRV" \
2687 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2688 request_size=123 force_version=tls1" \
2689 0 \
2690 -S "Read from client: 123 bytes read" \
2691 -s "Read from client: 1 bytes read" \
2692 -s "122 bytes read"
2693
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2694requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2695run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2696 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2697 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2698 request_size=123 force_version=ssl3" \
2699 0 \
2700 -S "Read from client: 123 bytes read" \
2701 -s "Read from client: 1 bytes read" \
2702 -s "122 bytes read"
2703
2704run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2705 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2706 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2707 request_size=123 force_version=tls1" \
2708 0 \
2709 -s "Read from client: 123 bytes read" \
2710 -S "Read from client: 1 bytes read" \
2711 -S "122 bytes read"
2712
2713run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
2714 "$P_SRV" \
2715 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2716 request_size=123 force_version=tls1 recsplit=0" \
2717 0 \
2718 -s "Read from client: 123 bytes read" \
2719 -S "Read from client: 1 bytes read" \
2720 -S "122 bytes read"
2721
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]2722run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
2723 "$P_SRV nbio=2" \
2724 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2725 request_size=123 force_version=tls1" \
2726 0 \
2727 -S "Read from client: 123 bytes read" \
2728 -s "Read from client: 1 bytes read" \
2729 -s "122 bytes read"
2730
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2731# Tests for Session Tickets
2732
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2733requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2734requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2735run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2736 "$P_SRV debug_level=3 tickets=1" \
2737 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2738 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2739 -c "client hello, adding session ticket extension" \
2740 -s "found session ticket extension" \
2741 -s "server hello, adding session ticket extension" \
2742 -c "found session_ticket extension" \
2743 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2744 -S "session successfully restored from cache" \
2745 -s "session successfully restored from ticket" \
2746 -s "a session has been resumed" \
2747 -c "a session has been resumed"
2748
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2749requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2750requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2751run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2752 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2753 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2754 0 \
2755 -c "client hello, adding session ticket extension" \
2756 -s "found session ticket extension" \
2757 -s "server hello, adding session ticket extension" \
2758 -c "found session_ticket extension" \
2759 -c "parse new session ticket" \
2760 -S "session successfully restored from cache" \
2761 -s "session successfully restored from ticket" \
2762 -s "a session has been resumed" \
2763 -c "a session has been resumed"
2764
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2765requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2766requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2767run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2768 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
2769 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2770 0 \
2771 -c "client hello, adding session ticket extension" \
2772 -s "found session ticket extension" \
2773 -s "server hello, adding session ticket extension" \
2774 -c "found session_ticket extension" \
2775 -c "parse new session ticket" \
2776 -S "session successfully restored from cache" \
2777 -S "session successfully restored from ticket" \
2778 -S "a session has been resumed" \
2779 -C "a session has been resumed"
2780
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2781requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2782requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2783run_test "Session resume using tickets: session copy" \
2784 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2785 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
2786 0 \
2787 -c "client hello, adding session ticket extension" \
2788 -s "found session ticket extension" \
2789 -s "server hello, adding session ticket extension" \
2790 -c "found session_ticket extension" \
2791 -c "parse new session ticket" \
2792 -S "session successfully restored from cache" \
2793 -s "session successfully restored from ticket" \
2794 -s "a session has been resumed" \
2795 -c "a session has been resumed"
2796
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2797requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2798requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2799run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2800 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2801 "$P_CLI debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2802 0 \
2803 -c "client hello, adding session ticket extension" \
2804 -c "found session_ticket extension" \
2805 -c "parse new session ticket" \
2806 -c "a session has been resumed"
2807
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2808requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2809requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2810run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2811 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2812 "( $O_CLI -sess_out $SESSION; \
2813 $O_CLI -sess_in $SESSION; \
2814 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2815 0 \
2816 -s "found session ticket extension" \
2817 -s "server hello, adding session ticket extension" \
2818 -S "session successfully restored from cache" \
2819 -s "session successfully restored from ticket" \
2820 -s "a session has been resumed"
2821
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2822# Tests for Session Tickets with DTLS
2823
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2824requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2825requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2826run_test "Session resume using tickets, DTLS: basic" \
2827 "$P_SRV debug_level=3 dtls=1 tickets=1" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]2828 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2829 0 \
2830 -c "client hello, adding session ticket extension" \
2831 -s "found session ticket extension" \
2832 -s "server hello, adding session ticket extension" \
2833 -c "found session_ticket extension" \
2834 -c "parse new session ticket" \
2835 -S "session successfully restored from cache" \
2836 -s "session successfully restored from ticket" \
2837 -s "a session has been resumed" \
2838 -c "a session has been resumed"
2839
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2840requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2841requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2842run_test "Session resume using tickets, DTLS: cache disabled" \
2843 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]2844 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2845 0 \
2846 -c "client hello, adding session ticket extension" \
2847 -s "found session ticket extension" \
2848 -s "server hello, adding session ticket extension" \
2849 -c "found session_ticket extension" \
2850 -c "parse new session ticket" \
2851 -S "session successfully restored from cache" \
2852 -s "session successfully restored from ticket" \
2853 -s "a session has been resumed" \
2854 -c "a session has been resumed"
2855
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2856requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2857requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2858run_test "Session resume using tickets, DTLS: timeout" \
2859 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]2860 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2861 0 \
2862 -c "client hello, adding session ticket extension" \
2863 -s "found session ticket extension" \
2864 -s "server hello, adding session ticket extension" \
2865 -c "found session_ticket extension" \
2866 -c "parse new session ticket" \
2867 -S "session successfully restored from cache" \
2868 -S "session successfully restored from ticket" \
2869 -S "a session has been resumed" \
2870 -C "a session has been resumed"
2871
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2872requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2873requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]2874run_test "Session resume using tickets, DTLS: session copy" \
2875 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2876 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_mode=0" \
2877 0 \
2878 -c "client hello, adding session ticket extension" \
2879 -s "found session ticket extension" \
2880 -s "server hello, adding session ticket extension" \
2881 -c "found session_ticket extension" \
2882 -c "parse new session ticket" \
2883 -S "session successfully restored from cache" \
2884 -s "session successfully restored from ticket" \
2885 -s "a session has been resumed" \
2886 -c "a session has been resumed"
2887
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2888requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2889requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2890run_test "Session resume using tickets, DTLS: openssl server" \
2891 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]2892 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2893 0 \
2894 -c "client hello, adding session ticket extension" \
2895 -c "found session_ticket extension" \
2896 -c "parse new session ticket" \
2897 -c "a session has been resumed"
2898
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2899requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2900requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2901run_test "Session resume using tickets, DTLS: openssl client" \
2902 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2903 "( $O_CLI -dtls1 -sess_out $SESSION; \
2904 $O_CLI -dtls1 -sess_in $SESSION; \
2905 rm -f $SESSION )" \
2906 0 \
2907 -s "found session ticket extension" \
2908 -s "server hello, adding session ticket extension" \
2909 -S "session successfully restored from cache" \
2910 -s "session successfully restored from ticket" \
2911 -s "a session has been resumed"
2912
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2913# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2914
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2915requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2916requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2917requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2918run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2919 "$P_SRV debug_level=3 tickets=0" \
2920 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2921 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2922 -c "client hello, adding session ticket extension" \
2923 -s "found session ticket extension" \
2924 -S "server hello, adding session ticket extension" \
2925 -C "found session_ticket extension" \
2926 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2927 -s "session successfully restored from cache" \
2928 -S "session successfully restored from ticket" \
2929 -s "a session has been resumed" \
2930 -c "a session has been resumed"
2931
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2932requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]2933requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2934requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2935run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2936 "$P_SRV debug_level=3 tickets=1" \
2937 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2938 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2939 -C "client hello, adding session ticket extension" \
2940 -S "found session ticket extension" \
2941 -S "server hello, adding session ticket extension" \
2942 -C "found session_ticket extension" \
2943 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2944 -s "session successfully restored from cache" \
2945 -S "session successfully restored from ticket" \
2946 -s "a session has been resumed" \
2947 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2948
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2949requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2950requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2951run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2952 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
2953 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2954 0 \
2955 -S "session successfully restored from cache" \
2956 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2957 -S "a session has been resumed" \
2958 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2959
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2960requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2961requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2962run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2963 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
2964 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2965 0 \
2966 -s "session successfully restored from cache" \
2967 -S "session successfully restored from ticket" \
2968 -s "a session has been resumed" \
2969 -c "a session has been resumed"
2970
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2971requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2972requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]2973run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2974 "$P_SRV debug_level=3 tickets=0" \
2975 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2976 0 \
2977 -s "session successfully restored from cache" \
2978 -S "session successfully restored from ticket" \
2979 -s "a session has been resumed" \
2980 -c "a session has been resumed"
2981
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2982requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2983requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2984run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2985 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
2986 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2987 0 \
2988 -S "session successfully restored from cache" \
2989 -S "session successfully restored from ticket" \
2990 -S "a session has been resumed" \
2991 -C "a session has been resumed"
2992
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]2993requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
2994requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2995run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2996 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
2997 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2998 0 \
2999 -s "session successfully restored from cache" \
3000 -S "session successfully restored from ticket" \
3001 -s "a session has been resumed" \
3002 -c "a session has been resumed"
3003
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3004requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3005requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]3006run_test "Session resume using cache: session copy" \
3007 "$P_SRV debug_level=3 tickets=0" \
3008 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
3009 0 \
3010 -s "session successfully restored from cache" \
3011 -S "session successfully restored from ticket" \
3012 -s "a session has been resumed" \
3013 -c "a session has been resumed"
3014
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3015requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3016requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3017run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3018 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]3019 "( $O_CLI -sess_out $SESSION; \
3020 $O_CLI -sess_in $SESSION; \
3021 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]3022 0 \
3023 -s "found session ticket extension" \
3024 -S "server hello, adding session ticket extension" \
3025 -s "session successfully restored from cache" \
3026 -S "session successfully restored from ticket" \
3027 -s "a session has been resumed"
3028
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3029requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3030requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3031run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]3032 "$O_SRV" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3033 "$P_CLI debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]3034 0 \
3035 -C "found session_ticket extension" \
3036 -C "parse new session ticket" \
3037 -c "a session has been resumed"
3038
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3039# Tests for Session Resume based on session-ID and cache, DTLS
3040
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3041requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]3042requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3043requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3044run_test "Session resume using cache, DTLS: tickets enabled on client" \
3045 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]3046 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3047 0 \
3048 -c "client hello, adding session ticket extension" \
3049 -s "found session ticket extension" \
3050 -S "server hello, adding session ticket extension" \
3051 -C "found session_ticket extension" \
3052 -C "parse new session ticket" \
3053 -s "session successfully restored from cache" \
3054 -S "session successfully restored from ticket" \
3055 -s "a session has been resumed" \
3056 -c "a session has been resumed"
3057
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3058requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]3059requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3060requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3061run_test "Session resume using cache, DTLS: tickets enabled on server" \
3062 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]3063 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3064 0 \
3065 -C "client hello, adding session ticket extension" \
3066 -S "found session ticket extension" \
3067 -S "server hello, adding session ticket extension" \
3068 -C "found session_ticket extension" \
3069 -C "parse new session ticket" \
3070 -s "session successfully restored from cache" \
3071 -S "session successfully restored from ticket" \
3072 -s "a session has been resumed" \
3073 -c "a session has been resumed"
3074
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3075requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3076requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3077run_test "Session resume using cache, DTLS: cache_max=0" \
3078 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]3079 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3080 0 \
3081 -S "session successfully restored from cache" \
3082 -S "session successfully restored from ticket" \
3083 -S "a session has been resumed" \
3084 -C "a session has been resumed"
3085
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3086requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3087requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3088run_test "Session resume using cache, DTLS: cache_max=1" \
3089 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]3090 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3091 0 \
3092 -s "session successfully restored from cache" \
3093 -S "session successfully restored from ticket" \
3094 -s "a session has been resumed" \
3095 -c "a session has been resumed"
3096
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3097requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3098requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3099run_test "Session resume using cache, DTLS: timeout > delay" \
3100 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]3101 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3102 0 \
3103 -s "session successfully restored from cache" \
3104 -S "session successfully restored from ticket" \
3105 -s "a session has been resumed" \
3106 -c "a session has been resumed"
3107
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3108requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3109requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3110run_test "Session resume using cache, DTLS: timeout < delay" \
3111 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]3112 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3113 0 \
3114 -S "session successfully restored from cache" \
3115 -S "session successfully restored from ticket" \
3116 -S "a session has been resumed" \
3117 -C "a session has been resumed"
3118
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3119requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3120requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3121run_test "Session resume using cache, DTLS: no timeout" \
3122 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]3123 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3124 0 \
3125 -s "session successfully restored from cache" \
3126 -S "session successfully restored from ticket" \
3127 -s "a session has been resumed" \
3128 -c "a session has been resumed"
3129
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3130requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3131requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard57a348b2019-05-20 12:46:26 +0200[diff] [blame]3132run_test "Session resume using cache, DTLS: session copy" \
3133 "$P_SRV dtls=1 debug_level=3 tickets=0" \
3134 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
3135 0 \
3136 -s "session successfully restored from cache" \
3137 -S "session successfully restored from ticket" \
3138 -s "a session has been resumed" \
3139 -c "a session has been resumed"
3140
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3141requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3142requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3143run_test "Session resume using cache, DTLS: openssl client" \
3144 "$P_SRV dtls=1 debug_level=3 tickets=0" \
3145 "( $O_CLI -dtls1 -sess_out $SESSION; \
3146 $O_CLI -dtls1 -sess_in $SESSION; \
3147 rm -f $SESSION )" \
3148 0 \
3149 -s "found session ticket extension" \
3150 -S "server hello, adding session ticket extension" \
3151 -s "session successfully restored from cache" \
3152 -S "session successfully restored from ticket" \
3153 -s "a session has been resumed"
3154
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]3155requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
3156requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3157run_test "Session resume using cache, DTLS: openssl server" \
3158 "$O_SRV -dtls1" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3159 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3160 0 \
3161 -C "found session_ticket extension" \
3162 -C "parse new session ticket" \
3163 -c "a session has been resumed"
3164
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3165# Tests for Max Fragment Length extension
3166
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3167if [ $MAX_CONTENT_LEN -ne 16384 ]; then
3168 printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
3169fi
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3170requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3171run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3172 "$P_SRV debug_level=3" \
3173 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3174 0 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3175 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3176 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3177 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3178 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3179 -C "client hello, adding max_fragment_length extension" \
3180 -S "found max fragment length extension" \
3181 -S "server hello, max_fragment_length extension" \
3182 -C "found max_fragment_length extension"
3183
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3184requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3185run_test "Max fragment length: enabled, default, larger message" \
3186 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3187 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3188 0 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3189 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3190 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3191 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3192 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3193 -C "client hello, adding max_fragment_length extension" \
3194 -S "found max fragment length extension" \
3195 -S "server hello, max_fragment_length extension" \
3196 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3197 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3198 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3199 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3200
3201requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3202run_test "Max fragment length, DTLS: enabled, default, larger message" \
3203 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3204 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3205 1 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3206 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3207 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3208 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3209 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3210 -C "client hello, adding max_fragment_length extension" \
3211 -S "found max fragment length extension" \
3212 -S "server hello, max_fragment_length extension" \
3213 -C "found max_fragment_length extension" \
3214 -c "fragment larger than.*maximum "
3215
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3216# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
3217# (session fragment length will be 16384 regardless of mbedtls
3218# content length configuration.)
3219
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3220requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3221run_test "Max fragment length: disabled, larger message" \
3222 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3223 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3224 0 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3225 -C "Maximum input fragment length is 16384" \
3226 -C "Maximum output fragment length is 16384" \
3227 -S "Maximum input fragment length is 16384" \
3228 -S "Maximum output fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3229 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3230 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3231 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3232
3233requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3234run_test "Max fragment length DTLS: disabled, larger message" \
3235 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3236 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3237 1 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3238 -C "Maximum input fragment length is 16384" \
3239 -C "Maximum output fragment length is 16384" \
3240 -S "Maximum input fragment length is 16384" \
3241 -S "Maximum output fragment length is 16384" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3242 -c "fragment larger than.*maximum "
3243
3244requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3245run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3246 "$P_SRV debug_level=3" \
3247 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3248 0 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3249 -c "Maximum input fragment length is 4096" \
3250 -c "Maximum output fragment length is 4096" \
3251 -s "Maximum input fragment length is 4096" \
3252 -s "Maximum output fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3253 -c "client hello, adding max_fragment_length extension" \
3254 -s "found max fragment length extension" \
3255 -s "server hello, max_fragment_length extension" \
3256 -c "found max_fragment_length extension"
3257
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3258requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3259run_test "Max fragment length: client 512, server 1024" \
3260 "$P_SRV debug_level=3 max_frag_len=1024" \
3261 "$P_CLI debug_level=3 max_frag_len=512" \
3262 0 \
3263 -c "Maximum input fragment length is 512" \
3264 -c "Maximum output fragment length is 512" \
3265 -s "Maximum input fragment length is 512" \
3266 -s "Maximum output fragment length is 512" \
3267 -c "client hello, adding max_fragment_length extension" \
3268 -s "found max fragment length extension" \
3269 -s "server hello, max_fragment_length extension" \
3270 -c "found max_fragment_length extension"
3271
3272requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3273run_test "Max fragment length: client 512, server 2048" \
3274 "$P_SRV debug_level=3 max_frag_len=2048" \
3275 "$P_CLI debug_level=3 max_frag_len=512" \
3276 0 \
3277 -c "Maximum input fragment length is 512" \
3278 -c "Maximum output fragment length is 512" \
3279 -s "Maximum input fragment length is 512" \
3280 -s "Maximum output fragment length is 512" \
3281 -c "client hello, adding max_fragment_length extension" \
3282 -s "found max fragment length extension" \
3283 -s "server hello, max_fragment_length extension" \
3284 -c "found max_fragment_length extension"
3285
3286requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3287run_test "Max fragment length: client 512, server 4096" \
3288 "$P_SRV debug_level=3 max_frag_len=4096" \
3289 "$P_CLI debug_level=3 max_frag_len=512" \
3290 0 \
3291 -c "Maximum input fragment length is 512" \
3292 -c "Maximum output fragment length is 512" \
3293 -s "Maximum input fragment length is 512" \
3294 -s "Maximum output fragment length is 512" \
3295 -c "client hello, adding max_fragment_length extension" \
3296 -s "found max fragment length extension" \
3297 -s "server hello, max_fragment_length extension" \
3298 -c "found max_fragment_length extension"
3299
3300requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3301run_test "Max fragment length: client 1024, server 512" \
3302 "$P_SRV debug_level=3 max_frag_len=512" \
3303 "$P_CLI debug_level=3 max_frag_len=1024" \
3304 0 \
3305 -c "Maximum input fragment length is 1024" \
3306 -c "Maximum output fragment length is 1024" \
3307 -s "Maximum input fragment length is 1024" \
3308 -s "Maximum output fragment length is 512" \
3309 -c "client hello, adding max_fragment_length extension" \
3310 -s "found max fragment length extension" \
3311 -s "server hello, max_fragment_length extension" \
3312 -c "found max_fragment_length extension"
3313
3314requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3315run_test "Max fragment length: client 1024, server 2048" \
3316 "$P_SRV debug_level=3 max_frag_len=2048" \
3317 "$P_CLI debug_level=3 max_frag_len=1024" \
3318 0 \
3319 -c "Maximum input fragment length is 1024" \
3320 -c "Maximum output fragment length is 1024" \
3321 -s "Maximum input fragment length is 1024" \
3322 -s "Maximum output fragment length is 1024" \
3323 -c "client hello, adding max_fragment_length extension" \
3324 -s "found max fragment length extension" \
3325 -s "server hello, max_fragment_length extension" \
3326 -c "found max_fragment_length extension"
3327
3328requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3329run_test "Max fragment length: client 1024, server 4096" \
3330 "$P_SRV debug_level=3 max_frag_len=4096" \
3331 "$P_CLI debug_level=3 max_frag_len=1024" \
3332 0 \
3333 -c "Maximum input fragment length is 1024" \
3334 -c "Maximum output fragment length is 1024" \
3335 -s "Maximum input fragment length is 1024" \
3336 -s "Maximum output fragment length is 1024" \
3337 -c "client hello, adding max_fragment_length extension" \
3338 -s "found max fragment length extension" \
3339 -s "server hello, max_fragment_length extension" \
3340 -c "found max_fragment_length extension"
3341
3342requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3343run_test "Max fragment length: client 2048, server 512" \
3344 "$P_SRV debug_level=3 max_frag_len=512" \
3345 "$P_CLI debug_level=3 max_frag_len=2048" \
3346 0 \
3347 -c "Maximum input fragment length is 2048" \
3348 -c "Maximum output fragment length is 2048" \
3349 -s "Maximum input fragment length is 2048" \
3350 -s "Maximum output fragment length is 512" \
3351 -c "client hello, adding max_fragment_length extension" \
3352 -s "found max fragment length extension" \
3353 -s "server hello, max_fragment_length extension" \
3354 -c "found max_fragment_length extension"
3355
3356requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3357run_test "Max fragment length: client 2048, server 1024" \
3358 "$P_SRV debug_level=3 max_frag_len=1024" \
3359 "$P_CLI debug_level=3 max_frag_len=2048" \
3360 0 \
3361 -c "Maximum input fragment length is 2048" \
3362 -c "Maximum output fragment length is 2048" \
3363 -s "Maximum input fragment length is 2048" \
3364 -s "Maximum output fragment length is 1024" \
3365 -c "client hello, adding max_fragment_length extension" \
3366 -s "found max fragment length extension" \
3367 -s "server hello, max_fragment_length extension" \
3368 -c "found max_fragment_length extension"
3369
3370requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3371run_test "Max fragment length: client 2048, server 4096" \
3372 "$P_SRV debug_level=3 max_frag_len=4096" \
3373 "$P_CLI debug_level=3 max_frag_len=2048" \
3374 0 \
3375 -c "Maximum input fragment length is 2048" \
3376 -c "Maximum output fragment length is 2048" \
3377 -s "Maximum input fragment length is 2048" \
3378 -s "Maximum output fragment length is 2048" \
3379 -c "client hello, adding max_fragment_length extension" \
3380 -s "found max fragment length extension" \
3381 -s "server hello, max_fragment_length extension" \
3382 -c "found max_fragment_length extension"
3383
3384requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3385run_test "Max fragment length: client 4096, server 512" \
3386 "$P_SRV debug_level=3 max_frag_len=512" \
3387 "$P_CLI debug_level=3 max_frag_len=4096" \
3388 0 \
3389 -c "Maximum input fragment length is 4096" \
3390 -c "Maximum output fragment length is 4096" \
3391 -s "Maximum input fragment length is 4096" \
3392 -s "Maximum output fragment length is 512" \
3393 -c "client hello, adding max_fragment_length extension" \
3394 -s "found max fragment length extension" \
3395 -s "server hello, max_fragment_length extension" \
3396 -c "found max_fragment_length extension"
3397
3398requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3399run_test "Max fragment length: client 4096, server 1024" \
3400 "$P_SRV debug_level=3 max_frag_len=1024" \
3401 "$P_CLI debug_level=3 max_frag_len=4096" \
3402 0 \
3403 -c "Maximum input fragment length is 4096" \
3404 -c "Maximum output fragment length is 4096" \
3405 -s "Maximum input fragment length is 4096" \
3406 -s "Maximum output fragment length is 1024" \
3407 -c "client hello, adding max_fragment_length extension" \
3408 -s "found max fragment length extension" \
3409 -s "server hello, max_fragment_length extension" \
3410 -c "found max_fragment_length extension"
3411
3412requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3413run_test "Max fragment length: client 4096, server 2048" \
3414 "$P_SRV debug_level=3 max_frag_len=2048" \
3415 "$P_CLI debug_level=3 max_frag_len=4096" \
3416 0 \
3417 -c "Maximum input fragment length is 4096" \
3418 -c "Maximum output fragment length is 4096" \
3419 -s "Maximum input fragment length is 4096" \
3420 -s "Maximum output fragment length is 2048" \
3421 -c "client hello, adding max_fragment_length extension" \
3422 -s "found max fragment length extension" \
3423 -s "server hello, max_fragment_length extension" \
3424 -c "found max_fragment_length extension"
3425
3426requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3427run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3428 "$P_SRV debug_level=3 max_frag_len=4096" \
3429 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3430 0 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3431 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3432 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3433 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3434 -s "Maximum output fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3435 -C "client hello, adding max_fragment_length extension" \
3436 -S "found max fragment length extension" \
3437 -S "server hello, max_fragment_length extension" \
3438 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3439
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3440requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3441requires_gnutls
3442run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3443 "$G_SRV" \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3444 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3445 0 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3446 -c "Maximum input fragment length is 4096" \
3447 -c "Maximum output fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3448 -c "client hello, adding max_fragment_length extension" \
3449 -c "found max_fragment_length extension"
3450
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3451requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3452run_test "Max fragment length: client, message just fits" \
3453 "$P_SRV debug_level=3" \
3454 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
3455 0 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3456 -c "Maximum input fragment length is 2048" \
3457 -c "Maximum output fragment length is 2048" \
3458 -s "Maximum input fragment length is 2048" \
3459 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3460 -c "client hello, adding max_fragment_length extension" \
3461 -s "found max fragment length extension" \
3462 -s "server hello, max_fragment_length extension" \
3463 -c "found max_fragment_length extension" \
3464 -c "2048 bytes written in 1 fragments" \
3465 -s "2048 bytes read"
3466
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3467requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3468run_test "Max fragment length: client, larger message" \
3469 "$P_SRV debug_level=3" \
3470 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
3471 0 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3472 -c "Maximum input fragment length is 2048" \
3473 -c "Maximum output fragment length is 2048" \
3474 -s "Maximum input fragment length is 2048" \
3475 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3476 -c "client hello, adding max_fragment_length extension" \
3477 -s "found max fragment length extension" \
3478 -s "server hello, max_fragment_length extension" \
3479 -c "found max_fragment_length extension" \
3480 -c "2345 bytes written in 2 fragments" \
3481 -s "2048 bytes read" \
3482 -s "297 bytes read"
3483
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3484requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]3485run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3486 "$P_SRV debug_level=3 dtls=1" \
3487 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
3488 1 \
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3489 -c "Maximum input fragment length is 2048" \
3490 -c "Maximum output fragment length is 2048" \
3491 -s "Maximum input fragment length is 2048" \
3492 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3493 -c "client hello, adding max_fragment_length extension" \
3494 -s "found max fragment length extension" \
3495 -s "server hello, max_fragment_length extension" \
3496 -c "found max_fragment_length extension" \
3497 -c "fragment larger than.*maximum"
3498
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3499# Tests for renegotiation
3500
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3501# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3502run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3503 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3504 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3505 0 \
3506 -C "client hello, adding renegotiation extension" \
3507 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3508 -S "found renegotiation extension" \
3509 -s "server hello, secure renegotiation extension" \
3510 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3511 -C "=> renegotiate" \
3512 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3513 -S "write hello request"
3514
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3515requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3516run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3517 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3518 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3519 0 \
3520 -c "client hello, adding renegotiation extension" \
3521 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3522 -s "found renegotiation extension" \
3523 -s "server hello, secure renegotiation extension" \
3524 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3525 -c "=> renegotiate" \
3526 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3527 -S "write hello request"
3528
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3529requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3530run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3531 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3532 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3533 0 \
3534 -c "client hello, adding renegotiation extension" \
3535 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3536 -s "found renegotiation extension" \
3537 -s "server hello, secure renegotiation extension" \
3538 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3539 -c "=> renegotiate" \
3540 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3541 -s "write hello request"
3542
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3543# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3544# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3545# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3546requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3547run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
3548 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
3549 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
3550 0 \
3551 -c "client hello, adding renegotiation extension" \
3552 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3553 -s "found renegotiation extension" \
3554 -s "server hello, secure renegotiation extension" \
3555 -c "found renegotiation extension" \
3556 -c "=> renegotiate" \
3557 -s "=> renegotiate" \
3558 -S "write hello request" \
3559 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3560
3561# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3562# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3563# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3564requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3565run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
3566 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
3567 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3568 0 \
3569 -c "client hello, adding renegotiation extension" \
3570 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3571 -s "found renegotiation extension" \
3572 -s "server hello, secure renegotiation extension" \
3573 -c "found renegotiation extension" \
3574 -c "=> renegotiate" \
3575 -s "=> renegotiate" \
3576 -s "write hello request" \
3577 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3578
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3579requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3580run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3581 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3582 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3583 0 \
3584 -c "client hello, adding renegotiation extension" \
3585 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3586 -s "found renegotiation extension" \
3587 -s "server hello, secure renegotiation extension" \
3588 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3589 -c "=> renegotiate" \
3590 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3591 -s "write hello request"
3592
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3593requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]3594requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3595run_test "Renegotiation with max fragment length: client 2048, server 512" \
3596 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \
3597 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 max_frag_len=2048 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
3598 0 \
3599 -c "Maximum input fragment length is 2048" \
3600 -c "Maximum output fragment length is 2048" \
3601 -s "Maximum input fragment length is 2048" \
3602 -s "Maximum output fragment length is 512" \
3603 -c "client hello, adding max_fragment_length extension" \
3604 -s "found max fragment length extension" \
3605 -s "server hello, max_fragment_length extension" \
3606 -c "found max_fragment_length extension" \
3607 -c "client hello, adding renegotiation extension" \
3608 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3609 -s "found renegotiation extension" \
3610 -s "server hello, secure renegotiation extension" \
3611 -c "found renegotiation extension" \
3612 -c "=> renegotiate" \
3613 -s "=> renegotiate" \
3614 -s "write hello request"
3615
3616requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3617run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3618 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3619 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3620 1 \
3621 -c "client hello, adding renegotiation extension" \
3622 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3623 -S "found renegotiation extension" \
3624 -s "server hello, secure renegotiation extension" \
3625 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3626 -c "=> renegotiate" \
3627 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3628 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]3629 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3630 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3631
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3632requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3633run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3634 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3635 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3636 0 \
3637 -C "client hello, adding renegotiation extension" \
3638 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3639 -S "found renegotiation extension" \
3640 -s "server hello, secure renegotiation extension" \
3641 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3642 -C "=> renegotiate" \
3643 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3644 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]3645 -S "SSL - An unexpected message was received from our peer" \
3646 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3647
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3648requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3649run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3650 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3651 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3652 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3653 0 \
3654 -C "client hello, adding renegotiation extension" \
3655 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3656 -S "found renegotiation extension" \
3657 -s "server hello, secure renegotiation extension" \
3658 -c "found renegotiation extension" \
3659 -C "=> renegotiate" \
3660 -S "=> renegotiate" \
3661 -s "write hello request" \
3662 -S "SSL - An unexpected message was received from our peer" \
3663 -S "failed"
3664
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3665# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3666requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3667run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3668 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3669 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3670 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3671 0 \
3672 -C "client hello, adding renegotiation extension" \
3673 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3674 -S "found renegotiation extension" \
3675 -s "server hello, secure renegotiation extension" \
3676 -c "found renegotiation extension" \
3677 -C "=> renegotiate" \
3678 -S "=> renegotiate" \
3679 -s "write hello request" \
3680 -S "SSL - An unexpected message was received from our peer" \
3681 -S "failed"
3682
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3683requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3684run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3685 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3686 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3687 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3688 0 \
3689 -C "client hello, adding renegotiation extension" \
3690 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3691 -S "found renegotiation extension" \
3692 -s "server hello, secure renegotiation extension" \
3693 -c "found renegotiation extension" \
3694 -C "=> renegotiate" \
3695 -S "=> renegotiate" \
3696 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3697 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3698
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3699requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3700run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3701 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3702 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3703 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3704 0 \
3705 -c "client hello, adding renegotiation extension" \
3706 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3707 -s "found renegotiation extension" \
3708 -s "server hello, secure renegotiation extension" \
3709 -c "found renegotiation extension" \
3710 -c "=> renegotiate" \
3711 -s "=> renegotiate" \
3712 -s "write hello request" \
3713 -S "SSL - An unexpected message was received from our peer" \
3714 -S "failed"
3715
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3716requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3717run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3718 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3719 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3720 0 \
3721 -C "client hello, adding renegotiation extension" \
3722 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3723 -S "found renegotiation extension" \
3724 -s "server hello, secure renegotiation extension" \
3725 -c "found renegotiation extension" \
3726 -S "record counter limit reached: renegotiate" \
3727 -C "=> renegotiate" \
3728 -S "=> renegotiate" \
3729 -S "write hello request" \
3730 -S "SSL - An unexpected message was received from our peer" \
3731 -S "failed"
3732
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3733# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3734requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3735run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3736 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3737 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3738 0 \
3739 -c "client hello, adding renegotiation extension" \
3740 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3741 -s "found renegotiation extension" \
3742 -s "server hello, secure renegotiation extension" \
3743 -c "found renegotiation extension" \
3744 -s "record counter limit reached: renegotiate" \
3745 -c "=> renegotiate" \
3746 -s "=> renegotiate" \
3747 -s "write hello request" \
3748 -S "SSL - An unexpected message was received from our peer" \
3749 -S "failed"
3750
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3751requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3752run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3753 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3754 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3755 0 \
3756 -c "client hello, adding renegotiation extension" \
3757 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3758 -s "found renegotiation extension" \
3759 -s "server hello, secure renegotiation extension" \
3760 -c "found renegotiation extension" \
3761 -s "record counter limit reached: renegotiate" \
3762 -c "=> renegotiate" \
3763 -s "=> renegotiate" \
3764 -s "write hello request" \
3765 -S "SSL - An unexpected message was received from our peer" \
3766 -S "failed"
3767
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3768requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3769run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3770 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3771 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
3772 0 \
3773 -C "client hello, adding renegotiation extension" \
3774 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3775 -S "found renegotiation extension" \
3776 -s "server hello, secure renegotiation extension" \
3777 -c "found renegotiation extension" \
3778 -S "record counter limit reached: renegotiate" \
3779 -C "=> renegotiate" \
3780 -S "=> renegotiate" \
3781 -S "write hello request" \
3782 -S "SSL - An unexpected message was received from our peer" \
3783 -S "failed"
3784
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3785requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3786run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3787 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3788 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3789 0 \
3790 -c "client hello, adding renegotiation extension" \
3791 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3792 -s "found renegotiation extension" \
3793 -s "server hello, secure renegotiation extension" \
3794 -c "found renegotiation extension" \
3795 -c "=> renegotiate" \
3796 -s "=> renegotiate" \
3797 -S "write hello request"
3798
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3799requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3800run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3801 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3802 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3803 0 \
3804 -c "client hello, adding renegotiation extension" \
3805 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3806 -s "found renegotiation extension" \
3807 -s "server hello, secure renegotiation extension" \
3808 -c "found renegotiation extension" \
3809 -c "=> renegotiate" \
3810 -s "=> renegotiate" \
3811 -s "write hello request"
3812
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3813requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3814run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3815 "$O_SRV -www" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3816 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3817 0 \
3818 -c "client hello, adding renegotiation extension" \
3819 -c "found renegotiation extension" \
3820 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3821 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3822 -C "error" \
3823 -c "HTTP/1.0 200 [Oo][Kk]"
3824
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3825requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3826requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3827run_test "Renegotiation: gnutls server strict, client-initiated" \
3828 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3829 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3830 0 \
3831 -c "client hello, adding renegotiation extension" \
3832 -c "found renegotiation extension" \
3833 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3834 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3835 -C "error" \
3836 -c "HTTP/1.0 200 [Oo][Kk]"
3837
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3838requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3839requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3840run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
3841 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3842 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3843 1 \
3844 -c "client hello, adding renegotiation extension" \
3845 -C "found renegotiation extension" \
3846 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3847 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3848 -c "error" \
3849 -C "HTTP/1.0 200 [Oo][Kk]"
3850
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3851requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3852requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3853run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
3854 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3855 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3856 allow_legacy=0" \
3857 1 \
3858 -c "client hello, adding renegotiation extension" \
3859 -C "found renegotiation extension" \
3860 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3861 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3862 -c "error" \
3863 -C "HTTP/1.0 200 [Oo][Kk]"
3864
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3865requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3866requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3867run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
3868 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3869 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3870 allow_legacy=1" \
3871 0 \
3872 -c "client hello, adding renegotiation extension" \
3873 -C "found renegotiation extension" \
3874 -c "=> renegotiate" \
3875 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3876 -C "error" \
3877 -c "HTTP/1.0 200 [Oo][Kk]"
3878
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3879requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]3880run_test "Renegotiation: DTLS, client-initiated" \
3881 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
3882 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
3883 0 \
3884 -c "client hello, adding renegotiation extension" \
3885 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3886 -s "found renegotiation extension" \
3887 -s "server hello, secure renegotiation extension" \
3888 -c "found renegotiation extension" \
3889 -c "=> renegotiate" \
3890 -s "=> renegotiate" \
3891 -S "write hello request"
3892
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3893requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3894run_test "Renegotiation: DTLS, server-initiated" \
3895 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]3896 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
3897 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3898 0 \
3899 -c "client hello, adding renegotiation extension" \
3900 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3901 -s "found renegotiation extension" \
3902 -s "server hello, secure renegotiation extension" \
3903 -c "found renegotiation extension" \
3904 -c "=> renegotiate" \
3905 -s "=> renegotiate" \
3906 -s "write hello request"
3907
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3908requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3909run_test "Renegotiation: DTLS, renego_period overflow" \
3910 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
3911 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
3912 0 \
3913 -c "client hello, adding renegotiation extension" \
3914 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3915 -s "found renegotiation extension" \
3916 -s "server hello, secure renegotiation extension" \
3917 -s "record counter limit reached: renegotiate" \
3918 -c "=> renegotiate" \
3919 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3920 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3921
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3922requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3923requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3924run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
3925 "$G_SRV -u --mtu 4096" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3926 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3927 0 \
3928 -c "client hello, adding renegotiation extension" \
3929 -c "found renegotiation extension" \
3930 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3931 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3932 -C "error" \
3933 -s "Extra-header:"
3934
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3935# Test for the "secure renegotation" extension only (no actual renegotiation)
3936
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3937requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3938run_test "Renego ext: gnutls server strict, client default" \
3939 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3940 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3941 0 \
3942 -c "found renegotiation extension" \
3943 -C "error" \
3944 -c "HTTP/1.0 200 [Oo][Kk]"
3945
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3946requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3947run_test "Renego ext: gnutls server unsafe, client default" \
3948 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3949 "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3950 0 \
3951 -C "found renegotiation extension" \
3952 -C "error" \
3953 -c "HTTP/1.0 200 [Oo][Kk]"
3954
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3955requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3956run_test "Renego ext: gnutls server unsafe, client break legacy" \
3957 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3958 "$P_CLI debug_level=3 allow_legacy=-1" \
3959 1 \
3960 -C "found renegotiation extension" \
3961 -c "error" \
3962 -C "HTTP/1.0 200 [Oo][Kk]"
3963
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3964requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3965run_test "Renego ext: gnutls client strict, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3966 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3967 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3968 0 \
3969 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3970 -s "server hello, secure renegotiation extension"
3971
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3972requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3973run_test "Renego ext: gnutls client unsafe, server default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3974 "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3975 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3976 0 \
3977 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3978 -S "server hello, secure renegotiation extension"
3979
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3980requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3981run_test "Renego ext: gnutls client unsafe, server break legacy" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]3982 "$P_SRV debug_level=3 allow_legacy=-1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3983 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3984 1 \
3985 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3986 -S "server hello, secure renegotiation extension"
3987
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3988# Tests for silently dropping trailing extra bytes in .der certificates
3989
3990requires_gnutls
3991run_test "DER format: no trailing bytes" \
3992 "$P_SRV crt_file=data_files/server5-der0.crt \
3993 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3994 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3995 0 \
3996 -c "Handshake was completed" \
3997
3998requires_gnutls
3999run_test "DER format: with a trailing zero byte" \
4000 "$P_SRV crt_file=data_files/server5-der1a.crt \
4001 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4002 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4003 0 \
4004 -c "Handshake was completed" \
4005
4006requires_gnutls
4007run_test "DER format: with a trailing random byte" \
4008 "$P_SRV crt_file=data_files/server5-der1b.crt \
4009 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4010 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4011 0 \
4012 -c "Handshake was completed" \
4013
4014requires_gnutls
4015run_test "DER format: with 2 trailing random bytes" \
4016 "$P_SRV crt_file=data_files/server5-der2.crt \
4017 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4018 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4019 0 \
4020 -c "Handshake was completed" \
4021
4022requires_gnutls
4023run_test "DER format: with 4 trailing random bytes" \
4024 "$P_SRV crt_file=data_files/server5-der4.crt \
4025 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4026 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4027 0 \
4028 -c "Handshake was completed" \
4029
4030requires_gnutls
4031run_test "DER format: with 8 trailing random bytes" \
4032 "$P_SRV crt_file=data_files/server5-der8.crt \
4033 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4034 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4035 0 \
4036 -c "Handshake was completed" \
4037
4038requires_gnutls
4039run_test "DER format: with 9 trailing random bytes" \
4040 "$P_SRV crt_file=data_files/server5-der9.crt \
4041 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4042 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4043 0 \
4044 -c "Handshake was completed" \
4045
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4046# Tests for auth_mode
4047
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4048requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4049requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4050run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4051 "$P_SRV crt_file=data_files/server5-badsign.crt \
4052 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4053 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4054 1 \
4055 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4056 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4057 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4058 -c "X509 - Certificate verification failed"
4059
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4060requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4061requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4062run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4063 "$P_SRV crt_file=data_files/server5-badsign.crt \
4064 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4065 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4066 0 \
4067 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4068 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4069 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4070 -C "X509 - Certificate verification failed"
4071
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4072requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4073requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]4074run_test "Authentication: server goodcert, client optional, no trusted CA" \
4075 "$P_SRV" \
4076 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
4077 0 \
4078 -c "x509_verify_cert() returned" \
4079 -c "! The certificate is not correctly signed by the trusted CA" \
4080 -c "! Certificate verification flags"\
4081 -C "! mbedtls_ssl_handshake returned" \
4082 -C "X509 - Certificate verification failed" \
4083 -C "SSL - No CA Chain is set, but required to operate"
4084
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4085requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4086requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]4087run_test "Authentication: server goodcert, client required, no trusted CA" \
4088 "$P_SRV" \
4089 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
4090 1 \
4091 -c "x509_verify_cert() returned" \
4092 -c "! The certificate is not correctly signed by the trusted CA" \
4093 -c "! Certificate verification flags"\
4094 -c "! mbedtls_ssl_handshake returned" \
4095 -c "SSL - No CA Chain is set, but required to operate"
4096
4097# The purpose of the next two tests is to test the client's behaviour when receiving a server
4098# certificate with an unsupported elliptic curve. This should usually not happen because
4099# the client informs the server about the supported curves - it does, though, in the
4100# corner case of a static ECDH suite, because the server doesn't check the curve on that
4101# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
4102# different means to have the server ignoring the client's supported curve list.
4103
4104requires_config_enabled MBEDTLS_ECP_C
4105run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
4106 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4107 crt_file=data_files/server5.ku-ka.crt" \
4108 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
4109 1 \
4110 -c "bad certificate (EC key curve)"\
4111 -c "! Certificate verification flags"\
4112 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
4113
4114requires_config_enabled MBEDTLS_ECP_C
4115run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
4116 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4117 crt_file=data_files/server5.ku-ka.crt" \
4118 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
4119 1 \
4120 -c "bad certificate (EC key curve)"\
4121 -c "! Certificate verification flags"\
4122 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
4123
Jarno Lamsa6ba32ca2019-10-29 15:16:40 +0200[diff] [blame]4124requires_config_enabled MBEDTLS_USE_TINYCRYPT
Jarno Lamsa2e2fa5e2019-10-30 15:08:26 +0200[diff] [blame]4125run_test "Authentication: DTLS server ECDH p256, client required, server goodcert" \
Jarno Lamsa6ba32ca2019-10-29 15:16:40 +0200[diff] [blame]4126 "$P_SRV dtls=1 debug_level=1 key_file=data_files/server11.key.der \
4127 crt_file=data_files/server11.crt.der" \
4128 "$P_CLI dtls=1 debug_level=3 auth_mode=required" \
4129 0 \
4130 -C "bad certificate (EC key curve)"\
4131 -C "! Certificate verification flags"\
4132 -C "! mbedtls_ssl_handshake returned"
4133
4134requires_config_enabled MBEDTLS_USE_TINYCRYPT
Jarno Lamsa2e2fa5e2019-10-30 15:08:26 +0200[diff] [blame]4135run_test "Authentication: DTLS server ECDH p256, client required, server badcert" \
Jarno Lamsa6ba32ca2019-10-29 15:16:40 +0200[diff] [blame]4136 "$P_SRV dtls=1 debug_level=1 key_file=data_files/server11.key.der \
4137 crt_file=data_files/server11-bad.crt.der" \
4138 "$P_CLI dtls=1 debug_level=3 auth_mode=required" \
4139 1 \
4140 -c "! Certificate verification flags"\
4141 -c "! mbedtls_ssl_handshake returned"
4142
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4143run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]4144 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4145 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4146 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4147 0 \
4148 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4149 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4150 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4151 -C "X509 - Certificate verification failed"
4152
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4153run_test "Authentication: client SHA256, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4154 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4155 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4156 key_file=data_files/server6.key \
4157 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
4158 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4159 -c "Supported Signature Algorithm found: 5,"
4160
4161run_test "Authentication: client SHA384, server required" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4162 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4163 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4164 key_file=data_files/server6.key \
4165 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
4166 0 \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4167 -c "Supported Signature Algorithm found: 5,"
4168
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]4169requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4170run_test "Authentication: client has no cert, server required (SSLv3)" \
4171 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
4172 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
4173 key_file=data_files/server5.key" \
4174 1 \
4175 -S "skip write certificate request" \
4176 -C "skip parse certificate request" \
4177 -c "got a certificate request" \
4178 -c "got no certificate to send" \
4179 -S "x509_verify_cert() returned" \
4180 -s "client has no certificate" \
4181 -s "! mbedtls_ssl_handshake returned" \
4182 -c "! mbedtls_ssl_handshake returned" \
4183 -s "No client certification received from the client, but required by the authentication mode"
4184
4185run_test "Authentication: client has no cert, server required (TLS)" \
4186 "$P_SRV debug_level=3 auth_mode=required" \
4187 "$P_CLI debug_level=3 crt_file=none \
4188 key_file=data_files/server5.key" \
4189 1 \
4190 -S "skip write certificate request" \
4191 -C "skip parse certificate request" \
4192 -c "got a certificate request" \
4193 -c "= write certificate$" \
4194 -C "skip write certificate$" \
4195 -S "x509_verify_cert() returned" \
4196 -s "client has no certificate" \
4197 -s "! mbedtls_ssl_handshake returned" \
4198 -c "! mbedtls_ssl_handshake returned" \
4199 -s "No client certification received from the client, but required by the authentication mode"
4200
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4201requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4202requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4203run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4204 "$P_SRV debug_level=3 auth_mode=required" \
4205 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4206 key_file=data_files/server5.key" \
4207 1 \
4208 -S "skip write certificate request" \
4209 -C "skip parse certificate request" \
4210 -c "got a certificate request" \
4211 -C "skip write certificate" \
4212 -C "skip write certificate verify" \
4213 -S "skip parse certificate verify" \
4214 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4215 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4216 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4217 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4218 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4219 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4220# We don't check that the client receives the alert because it might
4221# detect that its write end of the connection is closed and abort
4222# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4223
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4224requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4225requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4226run_test "Authentication: client cert not trusted, server required" \
4227 "$P_SRV debug_level=3 auth_mode=required" \
4228 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4229 key_file=data_files/server5.key" \
4230 1 \
4231 -S "skip write certificate request" \
4232 -C "skip parse certificate request" \
4233 -c "got a certificate request" \
4234 -C "skip write certificate" \
4235 -C "skip write certificate verify" \
4236 -S "skip parse certificate verify" \
4237 -s "x509_verify_cert() returned" \
4238 -s "! The certificate is not correctly signed by the trusted CA" \
4239 -s "! mbedtls_ssl_handshake returned" \
4240 -c "! mbedtls_ssl_handshake returned" \
4241 -s "X509 - Certificate verification failed"
4242
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4243requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4244requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4245run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4246 "$P_SRV debug_level=3 auth_mode=optional" \
4247 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4248 key_file=data_files/server5.key" \
4249 0 \
4250 -S "skip write certificate request" \
4251 -C "skip parse certificate request" \
4252 -c "got a certificate request" \
4253 -C "skip write certificate" \
4254 -C "skip write certificate verify" \
4255 -S "skip parse certificate verify" \
4256 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4257 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4258 -S "! mbedtls_ssl_handshake returned" \
4259 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4260 -S "X509 - Certificate verification failed"
4261
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4262run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4263 "$P_SRV debug_level=3 auth_mode=none" \
4264 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4265 key_file=data_files/server5.key" \
4266 0 \
4267 -s "skip write certificate request" \
4268 -C "skip parse certificate request" \
4269 -c "got no certificate request" \
4270 -c "skip write certificate" \
4271 -c "skip write certificate verify" \
4272 -s "skip parse certificate verify" \
4273 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4274 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4275 -S "! mbedtls_ssl_handshake returned" \
4276 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4277 -S "X509 - Certificate verification failed"
4278
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4279requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4280requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4281run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4282 "$P_SRV debug_level=3 auth_mode=optional" \
4283 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4284 0 \
4285 -S "skip write certificate request" \
4286 -C "skip parse certificate request" \
4287 -c "got a certificate request" \
4288 -C "skip write certificate$" \
4289 -C "got no certificate to send" \
4290 -S "SSLv3 client has no certificate" \
4291 -c "skip write certificate verify" \
4292 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4293 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4294 -S "! mbedtls_ssl_handshake returned" \
4295 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4296 -S "X509 - Certificate verification failed"
4297
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4298requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4299requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4300run_test "Authentication: openssl client no cert, server optional" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4301 "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4302 "$O_CLI" \
4303 0 \
4304 -S "skip write certificate request" \
4305 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4306 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4307 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4308 -S "X509 - Certificate verification failed"
4309
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4310run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4311 "$O_SRV -verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4312 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4313 0 \
4314 -C "skip parse certificate request" \
4315 -c "got a certificate request" \
4316 -C "skip write certificate$" \
4317 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4318 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4319
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]4320run_test "Authentication: client no cert, openssl server required" \
4321 "$O_SRV -Verify 10" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4322 "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]4323 1 \
4324 -C "skip parse certificate request" \
4325 -c "got a certificate request" \
4326 -C "skip write certificate$" \
4327 -c "skip write certificate verify" \
4328 -c "! mbedtls_ssl_handshake returned"
4329
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4330requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]4331requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4332requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4333run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4334 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]4335 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4336 0 \
4337 -S "skip write certificate request" \
4338 -C "skip parse certificate request" \
4339 -c "got a certificate request" \
4340 -C "skip write certificate$" \
4341 -c "skip write certificate verify" \
4342 -c "got no certificate to send" \
4343 -s "SSLv3 client has no certificate" \
4344 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4345 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4346 -S "! mbedtls_ssl_handshake returned" \
4347 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4348 -S "X509 - Certificate verification failed"
4349
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]4350# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
4351# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]4352
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]4353MAX_IM_CA='8'
Arto Kinnunen78213522019-09-26 11:06:39 +0300[diff] [blame]4354MAX_IM_CA_CONFIG="$( get_config_value_or_default MBEDTLS_X509_MAX_INTERMEDIATE_CA )"
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]4355
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4356requires_full_size_output_buffer
Arto Kinnunenc457ab12019-09-27 12:00:51 +0300[diff] [blame]4357requires_config_value_exactly "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4358run_test "Authentication: server max_int chain, client default" \
4359 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
4360 key_file=data_files/dir-maxpath/09.key" \
4361 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
4362 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4363 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4364
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4365requires_full_size_output_buffer
Arto Kinnunencfbeb762019-09-27 13:43:05 +0300[diff] [blame]4366requires_config_value_exactly "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4367run_test "Authentication: server max_int+1 chain, client default" \
4368 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4369 key_file=data_files/dir-maxpath/10.key" \
4370 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
4371 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4372 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4373
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4374requires_full_size_output_buffer
Arto Kinnunencfbeb762019-09-27 13:43:05 +0300[diff] [blame]4375requires_config_value_exactly "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4376run_test "Authentication: server max_int+1 chain, client optional" \
4377 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4378 key_file=data_files/dir-maxpath/10.key" \
4379 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4380 auth_mode=optional" \
4381 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4382 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4383
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4384requires_full_size_output_buffer
Arto Kinnunencfbeb762019-09-27 13:43:05 +0300[diff] [blame]4385requires_config_value_exactly "MBEDTLS_X509_MAX_INTERMEDIATE_CA" 8
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4386run_test "Authentication: server max_int+1 chain, client none" \
4387 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4388 key_file=data_files/dir-maxpath/10.key" \
4389 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4390 auth_mode=none" \
4391 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4392 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4393
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4394requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4395run_test "Authentication: client max_int+1 chain, server default" \
4396 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
4397 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4398 key_file=data_files/dir-maxpath/10.key" \
4399 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4400 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4401
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4402requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4403run_test "Authentication: client max_int+1 chain, server optional" \
4404 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4405 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4406 key_file=data_files/dir-maxpath/10.key" \
4407 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4408 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4409
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4410requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4411run_test "Authentication: client max_int+1 chain, server required" \
4412 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4413 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4414 key_file=data_files/dir-maxpath/10.key" \
4415 1 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4416 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4417
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4418requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4419run_test "Authentication: client max_int chain, server required" \
4420 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4421 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4422 key_file=data_files/dir-maxpath/09.key" \
4423 0 \
Antonin Décimod5f47592019-01-23 15:24:37 +0100[diff] [blame]4424 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4425
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4426# Tests for CA list in CertificateRequest messages
4427
4428run_test "Authentication: send CA list in CertificateRequest (default)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4429 "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4430 "$P_CLI crt_file=data_files/server6.crt \
4431 key_file=data_files/server6.key" \
4432 0 \
4433 -s "requested DN"
4434
4435run_test "Authentication: do not send CA list in CertificateRequest" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4436 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0 ca_file=data_files/test-ca2.crt" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4437 "$P_CLI crt_file=data_files/server6.crt \
4438 key_file=data_files/server6.key" \
4439 0 \
4440 -S "requested DN"
4441
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4442requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4443requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4444run_test "Authentication: send CA list in CertificateRequest, client self signed" \
4445 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4446 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4447 key_file=data_files/server5.key" \
4448 1 \
4449 -S "requested DN" \
4450 -s "x509_verify_cert() returned" \
4451 -s "! The certificate is not correctly signed by the trusted CA" \
4452 -s "! mbedtls_ssl_handshake returned" \
4453 -c "! mbedtls_ssl_handshake returned" \
4454 -s "X509 - Certificate verification failed"
4455
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4456# Tests for certificate selection based on SHA verson
4457
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4458requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4459requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4460run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
4461 "$P_SRV crt_file=data_files/server5.crt \
4462 key_file=data_files/server5.key \
4463 crt_file2=data_files/server5-sha1.crt \
4464 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4465 "$P_CLI force_version=tls1_2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4466 0 \
4467 -c "signed using.*ECDSA with SHA256" \
4468 -C "signed using.*ECDSA with SHA1"
4469
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4470requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4471requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4472run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
4473 "$P_SRV crt_file=data_files/server5.crt \
4474 key_file=data_files/server5.key \
4475 crt_file2=data_files/server5-sha1.crt \
4476 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4477 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4478 0 \
4479 -C "signed using.*ECDSA with SHA256" \
4480 -c "signed using.*ECDSA with SHA1"
4481
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4482requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4483requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4484run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
4485 "$P_SRV crt_file=data_files/server5.crt \
4486 key_file=data_files/server5.key \
4487 crt_file2=data_files/server5-sha1.crt \
4488 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4489 "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4490 0 \
4491 -C "signed using.*ECDSA with SHA256" \
4492 -c "signed using.*ECDSA with SHA1"
4493
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4494requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4495requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4496run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
4497 "$P_SRV crt_file=data_files/server5.crt \
4498 key_file=data_files/server5.key \
4499 crt_file2=data_files/server6.crt \
4500 key_file2=data_files/server6.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4501 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4502 0 \
4503 -c "serial number.*09" \
4504 -c "signed using.*ECDSA with SHA256" \
4505 -C "signed using.*ECDSA with SHA1"
4506
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4507requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4508requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4509run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
4510 "$P_SRV crt_file=data_files/server6.crt \
4511 key_file=data_files/server6.key \
4512 crt_file2=data_files/server5.crt \
4513 key_file2=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4514 "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4515 0 \
4516 -c "serial number.*0A" \
4517 -c "signed using.*ECDSA with SHA256" \
4518 -C "signed using.*ECDSA with SHA1"
4519
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4520# tests for SNI
4521
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4522requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4523requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4524run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4525 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4526 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4527 "$P_CLI server_name=localhost ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4528 0 \
4529 -S "parse ServerName extension" \
4530 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4531 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4532
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4533requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4534requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4535requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4536run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4537 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4538 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4539 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4540 "$P_CLI server_name=localhost ca_file=data_files/test-ca.crt" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4541 0 \
4542 -s "parse ServerName extension" \
4543 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4544 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4545
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4546requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4547requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4548requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4549run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4550 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4551 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4552 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4553 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4554 0 \
4555 -s "parse ServerName extension" \
4556 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4557 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4558
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4559requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4560run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4561 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4562 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4563 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4564 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4565 1 \
4566 -s "parse ServerName extension" \
4567 -s "ssl_sni_wrapper() returned" \
4568 -s "mbedtls_ssl_handshake returned" \
4569 -c "mbedtls_ssl_handshake returned" \
4570 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4571
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4572run_test "SNI: client auth no override: optional" \
4573 "$P_SRV debug_level=3 auth_mode=optional \
4574 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4575 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4576 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4577 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4578 -S "skip write certificate request" \
4579 -C "skip parse certificate request" \
4580 -c "got a certificate request" \
4581 -C "skip write certificate" \
4582 -C "skip write certificate verify" \
4583 -S "skip parse certificate verify"
4584
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4585requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4586run_test "SNI: client auth override: none -> optional" \
4587 "$P_SRV debug_level=3 auth_mode=none \
4588 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4589 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4590 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4591 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4592 -S "skip write certificate request" \
4593 -C "skip parse certificate request" \
4594 -c "got a certificate request" \
4595 -C "skip write certificate" \
4596 -C "skip write certificate verify" \
4597 -S "skip parse certificate verify"
4598
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4599requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4600run_test "SNI: client auth override: optional -> none" \
4601 "$P_SRV debug_level=3 auth_mode=optional \
4602 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4603 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4604 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4605 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4606 -s "skip write certificate request" \
4607 -C "skip parse certificate request" \
4608 -c "got no certificate request" \
4609 -c "skip write certificate" \
4610 -c "skip write certificate verify" \
4611 -s "skip parse certificate verify"
4612
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4613requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4614requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4615requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4616run_test "SNI: CA no override" \
4617 "$P_SRV debug_level=3 auth_mode=optional \
4618 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4619 ca_file=data_files/test-ca.crt \
4620 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4621 "$P_CLI debug_level=3 server_name=localhost \
4622 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4623 1 \
4624 -S "skip write certificate request" \
4625 -C "skip parse certificate request" \
4626 -c "got a certificate request" \
4627 -C "skip write certificate" \
4628 -C "skip write certificate verify" \
4629 -S "skip parse certificate verify" \
4630 -s "x509_verify_cert() returned" \
4631 -s "! The certificate is not correctly signed by the trusted CA" \
4632 -S "The certificate has been revoked (is on a CRL)"
4633
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4634requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4635requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4636requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4637run_test "SNI: CA override" \
4638 "$P_SRV debug_level=3 auth_mode=optional \
4639 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4640 ca_file=data_files/test-ca.crt \
4641 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4642 "$P_CLI debug_level=3 server_name=localhost \
4643 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4644 0 \
4645 -S "skip write certificate request" \
4646 -C "skip parse certificate request" \
4647 -c "got a certificate request" \
4648 -C "skip write certificate" \
4649 -C "skip write certificate verify" \
4650 -S "skip parse certificate verify" \
4651 -S "x509_verify_cert() returned" \
4652 -S "! The certificate is not correctly signed by the trusted CA" \
4653 -S "The certificate has been revoked (is on a CRL)"
4654
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4655requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4656requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4657requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4658run_test "SNI: CA override with CRL" \
4659 "$P_SRV debug_level=3 auth_mode=optional \
4660 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4661 ca_file=data_files/test-ca.crt \
4662 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4663 "$P_CLI debug_level=3 server_name=localhost \
4664 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4665 1 \
4666 -S "skip write certificate request" \
4667 -C "skip parse certificate request" \
4668 -c "got a certificate request" \
4669 -C "skip write certificate" \
4670 -C "skip write certificate verify" \
4671 -S "skip parse certificate verify" \
4672 -s "x509_verify_cert() returned" \
4673 -S "! The certificate is not correctly signed by the trusted CA" \
4674 -s "The certificate has been revoked (is on a CRL)"
4675
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4676# Tests for SNI and DTLS
4677
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4678requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4679requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4680run_test "SNI: DTLS, no SNI callback" \
4681 "$P_SRV debug_level=3 dtls=1 \
4682 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4683 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca2.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4684 0 \
4685 -S "parse ServerName extension" \
4686 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4687 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4688
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4689requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4690requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4691requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4692run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4693 "$P_SRV debug_level=3 dtls=1 \
4694 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4695 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4696 "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca.crt" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4697 0 \
4698 -s "parse ServerName extension" \
4699 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4700 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4701
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4702requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4703requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4704requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4705run_test "SNI: DTLS, matching cert 2" \
4706 "$P_SRV debug_level=3 dtls=1 \
4707 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4708 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]4709 "$P_CLI server_name=polarssl.example dtls=1 ca_file=data_files/test-ca.crt" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4710 0 \
4711 -s "parse ServerName extension" \
4712 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4713 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4714
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4715requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4716run_test "SNI: DTLS, no matching cert" \
4717 "$P_SRV debug_level=3 dtls=1 \
4718 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4719 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4720 "$P_CLI server_name=nonesuch.example dtls=1" \
4721 1 \
4722 -s "parse ServerName extension" \
4723 -s "ssl_sni_wrapper() returned" \
4724 -s "mbedtls_ssl_handshake returned" \
4725 -c "mbedtls_ssl_handshake returned" \
4726 -c "SSL - A fatal alert message was received from our peer"
4727
4728run_test "SNI: DTLS, client auth no override: optional" \
4729 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4730 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4731 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4732 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4733 0 \
4734 -S "skip write certificate request" \
4735 -C "skip parse certificate request" \
4736 -c "got a certificate request" \
4737 -C "skip write certificate" \
4738 -C "skip write certificate verify" \
4739 -S "skip parse certificate verify"
4740
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4741requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4742run_test "SNI: DTLS, client auth override: none -> optional" \
4743 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
4744 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4745 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4746 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4747 0 \
4748 -S "skip write certificate request" \
4749 -C "skip parse certificate request" \
4750 -c "got a certificate request" \
4751 -C "skip write certificate" \
4752 -C "skip write certificate verify" \
4753 -S "skip parse certificate verify"
4754
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4755requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4756run_test "SNI: DTLS, client auth override: optional -> none" \
4757 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4758 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4759 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4760 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4761 0 \
4762 -s "skip write certificate request" \
4763 -C "skip parse certificate request" \
4764 -c "got no certificate request" \
4765 -c "skip write certificate" \
4766 -c "skip write certificate verify" \
4767 -s "skip parse certificate verify"
4768
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4769requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4770requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4771requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4772run_test "SNI: DTLS, CA no override" \
4773 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4774 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4775 ca_file=data_files/test-ca.crt \
4776 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4777 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4778 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4779 1 \
4780 -S "skip write certificate request" \
4781 -C "skip parse certificate request" \
4782 -c "got a certificate request" \
4783 -C "skip write certificate" \
4784 -C "skip write certificate verify" \
4785 -S "skip parse certificate verify" \
4786 -s "x509_verify_cert() returned" \
4787 -s "! The certificate is not correctly signed by the trusted CA" \
4788 -S "The certificate has been revoked (is on a CRL)"
4789
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4790requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4791run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4792 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4793 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4794 ca_file=data_files/test-ca.crt \
4795 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4796 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4797 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4798 0 \
4799 -S "skip write certificate request" \
4800 -C "skip parse certificate request" \
4801 -c "got a certificate request" \
4802 -C "skip write certificate" \
4803 -C "skip write certificate verify" \
4804 -S "skip parse certificate verify" \
4805 -S "x509_verify_cert() returned" \
4806 -S "! The certificate is not correctly signed by the trusted CA" \
4807 -S "The certificate has been revoked (is on a CRL)"
4808
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]4809requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]4810requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]4811requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4812run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4813 "$P_SRV debug_level=3 auth_mode=optional \
4814 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
4815 ca_file=data_files/test-ca.crt \
4816 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4817 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4818 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4819 1 \
4820 -S "skip write certificate request" \
4821 -C "skip parse certificate request" \
4822 -c "got a certificate request" \
4823 -C "skip write certificate" \
4824 -C "skip write certificate verify" \
4825 -S "skip parse certificate verify" \
4826 -s "x509_verify_cert() returned" \
4827 -S "! The certificate is not correctly signed by the trusted CA" \
4828 -s "The certificate has been revoked (is on a CRL)"
4829
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4830# Tests for non-blocking I/O: exercise a variety of handshake flows
4831
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4832run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4833 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4834 "$P_CLI nbio=2 tickets=0" \
4835 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4836 -S "mbedtls_ssl_handshake returned" \
4837 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4838 -c "Read from server: .* bytes read"
4839
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4840run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4841 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
4842 "$P_CLI nbio=2 tickets=0" \
4843 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4844 -S "mbedtls_ssl_handshake returned" \
4845 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4846 -c "Read from server: .* bytes read"
4847
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4848run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4849 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4850 "$P_CLI nbio=2 tickets=1" \
4851 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4852 -S "mbedtls_ssl_handshake returned" \
4853 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4854 -c "Read from server: .* bytes read"
4855
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4856run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4857 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4858 "$P_CLI nbio=2 tickets=1" \
4859 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4860 -S "mbedtls_ssl_handshake returned" \
4861 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4862 -c "Read from server: .* bytes read"
4863
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4864run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4865 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4866 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4867 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4868 -S "mbedtls_ssl_handshake returned" \
4869 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4870 -c "Read from server: .* bytes read"
4871
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4872run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4873 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4874 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4875 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4876 -S "mbedtls_ssl_handshake returned" \
4877 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4878 -c "Read from server: .* bytes read"
4879
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4880run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4881 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4882 "$P_CLI nbio=2 tickets=0 reconnect=1" \
4883 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4884 -S "mbedtls_ssl_handshake returned" \
4885 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4886 -c "Read from server: .* bytes read"
4887
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]4888# Tests for event-driven I/O: exercise a variety of handshake flows
4889
4890run_test "Event-driven I/O: basic handshake" \
4891 "$P_SRV event=1 tickets=0 auth_mode=none" \
4892 "$P_CLI event=1 tickets=0" \
4893 0 \
4894 -S "mbedtls_ssl_handshake returned" \
4895 -C "mbedtls_ssl_handshake returned" \
4896 -c "Read from server: .* bytes read"
4897
4898run_test "Event-driven I/O: client auth" \
4899 "$P_SRV event=1 tickets=0 auth_mode=required" \
4900 "$P_CLI event=1 tickets=0" \
4901 0 \
4902 -S "mbedtls_ssl_handshake returned" \
4903 -C "mbedtls_ssl_handshake returned" \
4904 -c "Read from server: .* bytes read"
4905
4906run_test "Event-driven I/O: ticket" \
4907 "$P_SRV event=1 tickets=1 auth_mode=none" \
4908 "$P_CLI event=1 tickets=1" \
4909 0 \
4910 -S "mbedtls_ssl_handshake returned" \
4911 -C "mbedtls_ssl_handshake returned" \
4912 -c "Read from server: .* bytes read"
4913
4914run_test "Event-driven I/O: ticket + client auth" \
4915 "$P_SRV event=1 tickets=1 auth_mode=required" \
4916 "$P_CLI event=1 tickets=1" \
4917 0 \
4918 -S "mbedtls_ssl_handshake returned" \
4919 -C "mbedtls_ssl_handshake returned" \
4920 -c "Read from server: .* bytes read"
4921
4922run_test "Event-driven I/O: ticket + client auth + resume" \
4923 "$P_SRV event=1 tickets=1 auth_mode=required" \
4924 "$P_CLI event=1 tickets=1 reconnect=1" \
4925 0 \
4926 -S "mbedtls_ssl_handshake returned" \
4927 -C "mbedtls_ssl_handshake returned" \
4928 -c "Read from server: .* bytes read"
4929
4930run_test "Event-driven I/O: ticket + resume" \
4931 "$P_SRV event=1 tickets=1 auth_mode=none" \
4932 "$P_CLI event=1 tickets=1 reconnect=1" \
4933 0 \
4934 -S "mbedtls_ssl_handshake returned" \
4935 -C "mbedtls_ssl_handshake returned" \
4936 -c "Read from server: .* bytes read"
4937
4938run_test "Event-driven I/O: session-id resume" \
4939 "$P_SRV event=1 tickets=0 auth_mode=none" \
4940 "$P_CLI event=1 tickets=0 reconnect=1" \
4941 0 \
4942 -S "mbedtls_ssl_handshake returned" \
4943 -C "mbedtls_ssl_handshake returned" \
4944 -c "Read from server: .* bytes read"
4945
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4946run_test "Event-driven I/O, DTLS: basic handshake" \
4947 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4948 "$P_CLI dtls=1 event=1 tickets=0" \
4949 0 \
4950 -c "Read from server: .* bytes read"
4951
4952run_test "Event-driven I/O, DTLS: client auth" \
4953 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4954 "$P_CLI dtls=1 event=1 tickets=0" \
4955 0 \
4956 -c "Read from server: .* bytes read"
4957
4958run_test "Event-driven I/O, DTLS: ticket" \
4959 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4960 "$P_CLI dtls=1 event=1 tickets=1" \
4961 0 \
4962 -c "Read from server: .* bytes read"
4963
4964run_test "Event-driven I/O, DTLS: ticket + client auth" \
4965 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4966 "$P_CLI dtls=1 event=1 tickets=1" \
4967 0 \
4968 -c "Read from server: .* bytes read"
4969
4970run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
4971 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]4972 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4973 0 \
4974 -c "Read from server: .* bytes read"
4975
4976run_test "Event-driven I/O, DTLS: ticket + resume" \
4977 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]4978 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4979 0 \
4980 -c "Read from server: .* bytes read"
4981
4982run_test "Event-driven I/O, DTLS: session-id resume" \
4983 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]4984 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4985 0 \
4986 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4987
4988# This test demonstrates the need for the mbedtls_ssl_check_pending function.
4989# During session resumption, the client will send its ApplicationData record
4990# within the same datagram as the Finished messages. In this situation, the
4991# server MUST NOT idle on the underlying transport after handshake completion,
4992# because the ApplicationData request has already been queued internally.
4993run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]4994 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4995 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]4996 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4997 0 \
4998 -c "Read from server: .* bytes read"
4999
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5000# Tests for version negotiation
5001
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5002run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5003 "$P_SRV" \
5004 "$P_CLI" \
5005 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5006 -S "mbedtls_ssl_handshake returned" \
5007 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5008 -s "Protocol is TLSv1.2" \
5009 -c "Protocol is TLSv1.2"
5010
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5011run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5012 "$P_SRV" \
5013 "$P_CLI max_version=tls1_1" \
5014 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5015 -S "mbedtls_ssl_handshake returned" \
5016 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5017 -s "Protocol is TLSv1.1" \
5018 -c "Protocol is TLSv1.1"
5019
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5020run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5021 "$P_SRV max_version=tls1_1" \
5022 "$P_CLI" \
5023 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5024 -S "mbedtls_ssl_handshake returned" \
5025 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5026 -s "Protocol is TLSv1.1" \
5027 -c "Protocol is TLSv1.1"
5028
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5029run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5030 "$P_SRV max_version=tls1_1" \
5031 "$P_CLI max_version=tls1_1" \
5032 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5033 -S "mbedtls_ssl_handshake returned" \
5034 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5035 -s "Protocol is TLSv1.1" \
5036 -c "Protocol is TLSv1.1"
5037
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5038run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5039 "$P_SRV min_version=tls1_1" \
5040 "$P_CLI max_version=tls1_1" \
5041 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5042 -S "mbedtls_ssl_handshake returned" \
5043 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5044 -s "Protocol is TLSv1.1" \
5045 -c "Protocol is TLSv1.1"
5046
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5047run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5048 "$P_SRV max_version=tls1_1" \
5049 "$P_CLI min_version=tls1_1" \
5050 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5051 -S "mbedtls_ssl_handshake returned" \
5052 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5053 -s "Protocol is TLSv1.1" \
5054 -c "Protocol is TLSv1.1"
5055
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5056run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5057 "$P_SRV max_version=tls1_1" \
5058 "$P_CLI min_version=tls1_2" \
5059 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5060 -s "mbedtls_ssl_handshake returned" \
5061 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5062 -c "SSL - Handshake protocol not within min/max boundaries"
5063
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5064run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5065 "$P_SRV min_version=tls1_2" \
5066 "$P_CLI max_version=tls1_1" \
5067 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5068 -s "mbedtls_ssl_handshake returned" \
5069 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5070 -s "SSL - Handshake protocol not within min/max boundaries"
5071
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5072# Tests for ALPN extension
5073
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5074run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5075 "$P_SRV debug_level=3" \
5076 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5077 0 \
5078 -C "client hello, adding alpn extension" \
5079 -S "found alpn extension" \
5080 -C "got an alert message, type: \\[2:120]" \
5081 -S "server hello, adding alpn extension" \
5082 -C "found alpn extension " \
5083 -C "Application Layer Protocol is" \
5084 -S "Application Layer Protocol is"
5085
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5086run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5087 "$P_SRV debug_level=3" \
5088 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5089 0 \
5090 -c "client hello, adding alpn extension" \
5091 -s "found alpn extension" \
5092 -C "got an alert message, type: \\[2:120]" \
5093 -S "server hello, adding alpn extension" \
5094 -C "found alpn extension " \
5095 -c "Application Layer Protocol is (none)" \
5096 -S "Application Layer Protocol is"
5097
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5098run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5099 "$P_SRV debug_level=3 alpn=abc,1234" \
5100 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5101 0 \
5102 -C "client hello, adding alpn extension" \
5103 -S "found alpn extension" \
5104 -C "got an alert message, type: \\[2:120]" \
5105 -S "server hello, adding alpn extension" \
5106 -C "found alpn extension " \
5107 -C "Application Layer Protocol is" \
5108 -s "Application Layer Protocol is (none)"
5109
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5110run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5111 "$P_SRV debug_level=3 alpn=abc,1234" \
5112 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5113 0 \
5114 -c "client hello, adding alpn extension" \
5115 -s "found alpn extension" \
5116 -C "got an alert message, type: \\[2:120]" \
5117 -s "server hello, adding alpn extension" \
5118 -c "found alpn extension" \
5119 -c "Application Layer Protocol is abc" \
5120 -s "Application Layer Protocol is abc"
5121
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5122run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5123 "$P_SRV debug_level=3 alpn=abc,1234" \
5124 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5125 0 \
5126 -c "client hello, adding alpn extension" \
5127 -s "found alpn extension" \
5128 -C "got an alert message, type: \\[2:120]" \
5129 -s "server hello, adding alpn extension" \
5130 -c "found alpn extension" \
5131 -c "Application Layer Protocol is abc" \
5132 -s "Application Layer Protocol is abc"
5133
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5134run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5135 "$P_SRV debug_level=3 alpn=abc,1234" \
5136 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5137 0 \
5138 -c "client hello, adding alpn extension" \
5139 -s "found alpn extension" \
5140 -C "got an alert message, type: \\[2:120]" \
5141 -s "server hello, adding alpn extension" \
5142 -c "found alpn extension" \
5143 -c "Application Layer Protocol is 1234" \
5144 -s "Application Layer Protocol is 1234"
5145
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5146run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5147 "$P_SRV debug_level=3 alpn=abc,123" \
5148 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5149 1 \
5150 -c "client hello, adding alpn extension" \
5151 -s "found alpn extension" \
5152 -c "got an alert message, type: \\[2:120]" \
5153 -S "server hello, adding alpn extension" \
5154 -C "found alpn extension" \
5155 -C "Application Layer Protocol is 1234" \
5156 -S "Application Layer Protocol is 1234"
5157
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]5158
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5159# Tests for keyUsage in leaf certificates, part 1:
5160# server-side certificate/suite selection
5161
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5162run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5163 "$P_SRV key_file=data_files/server2.key \
5164 crt_file=data_files/server2.ku-ds.crt" \
5165 "$P_CLI" \
5166 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]5167 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5168
5169
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5170run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5171 "$P_SRV key_file=data_files/server2.key \
5172 crt_file=data_files/server2.ku-ke.crt" \
5173 "$P_CLI" \
5174 0 \
5175 -c "Ciphersuite is TLS-RSA-WITH-"
5176
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5177run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5178 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5179 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5180 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5181 1 \
5182 -C "Ciphersuite is "
5183
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5184run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5185 "$P_SRV key_file=data_files/server5.key \
5186 crt_file=data_files/server5.ku-ds.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5187 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5188 0 \
5189 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
5190
Jarno Lamsac5118b72019-10-28 10:30:58 +0200[diff] [blame]5191run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA p256" \
5192 "$P_SRV dtls=1 key_file=data_files/server11.key.der \
5193 crt_file=data_files/server11.crt.der" \
5194 "$P_CLI dtls=1 ca_file=data_files/test-ca3.crt.der" \
5195 0 \
5196 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5197
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5198run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5199 "$P_SRV key_file=data_files/server5.key \
5200 crt_file=data_files/server5.ku-ka.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5201 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5202 0 \
5203 -c "Ciphersuite is TLS-ECDH-"
5204
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5205run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5206 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5207 crt_file=data_files/server5.ku-ke.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5208 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5209 1 \
5210 -C "Ciphersuite is "
5211
5212# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5213# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5214
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5215run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5216 "$O_SRV -key data_files/server2.key \
5217 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5218 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5219 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5220 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5221 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5222 -C "Processing of the Certificate handshake message failed" \
5223 -c "Ciphersuite is TLS-"
5224
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5225run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5226 "$O_SRV -key data_files/server2.key \
5227 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5228 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5229 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5230 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5231 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5232 -C "Processing of the Certificate handshake message failed" \
5233 -c "Ciphersuite is TLS-"
5234
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5235run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5236 "$O_SRV -key data_files/server2.key \
5237 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5238 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5239 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5240 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5241 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5242 -C "Processing of the Certificate handshake message failed" \
5243 -c "Ciphersuite is TLS-"
5244
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5245run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5246 "$O_SRV -key data_files/server2.key \
5247 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5248 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5249 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5250 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5251 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5252 -c "Processing of the Certificate handshake message failed" \
5253 -C "Ciphersuite is TLS-"
5254
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]5255requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]5256requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]5257run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
5258 "$O_SRV -key data_files/server2.key \
5259 -cert data_files/server2.ku-ke.crt" \
5260 "$P_CLI debug_level=1 auth_mode=optional \
5261 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5262 0 \
5263 -c "bad certificate (usage extensions)" \
5264 -C "Processing of the Certificate handshake message failed" \
5265 -c "Ciphersuite is TLS-" \
5266 -c "! Usage does not match the keyUsage extension"
5267
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5268run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5269 "$O_SRV -key data_files/server2.key \
5270 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5271 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5272 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5273 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5274 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5275 -C "Processing of the Certificate handshake message failed" \
5276 -c "Ciphersuite is TLS-"
5277
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5278run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5279 "$O_SRV -key data_files/server2.key \
5280 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5281 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5282 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5283 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5284 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5285 -c "Processing of the Certificate handshake message failed" \
5286 -C "Ciphersuite is TLS-"
5287
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]5288requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]5289requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]5290run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
5291 "$O_SRV -key data_files/server2.key \
5292 -cert data_files/server2.ku-ds.crt" \
5293 "$P_CLI debug_level=1 auth_mode=optional \
5294 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5295 0 \
5296 -c "bad certificate (usage extensions)" \
5297 -C "Processing of the Certificate handshake message failed" \
5298 -c "Ciphersuite is TLS-" \
5299 -c "! Usage does not match the keyUsage extension"
5300
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5301# Tests for keyUsage in leaf certificates, part 3:
5302# server-side checking of client cert
5303
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5304run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5305 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5306 "$O_CLI -key data_files/server2.key \
5307 -cert data_files/server2.ku-ds.crt" \
5308 0 \
5309 -S "bad certificate (usage extensions)" \
5310 -S "Processing of the Certificate handshake message failed"
5311
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5312run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5313 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5314 "$O_CLI -key data_files/server2.key \
5315 -cert data_files/server2.ku-ke.crt" \
5316 0 \
5317 -s "bad certificate (usage extensions)" \
5318 -S "Processing of the Certificate handshake message failed"
5319
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5320run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5321 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5322 "$O_CLI -key data_files/server2.key \
5323 -cert data_files/server2.ku-ke.crt" \
5324 1 \
5325 -s "bad certificate (usage extensions)" \
5326 -s "Processing of the Certificate handshake message failed"
5327
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5328run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5329 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5330 "$O_CLI -key data_files/server5.key \
5331 -cert data_files/server5.ku-ds.crt" \
5332 0 \
5333 -S "bad certificate (usage extensions)" \
5334 -S "Processing of the Certificate handshake message failed"
5335
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5336run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5337 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5338 "$O_CLI -key data_files/server5.key \
5339 -cert data_files/server5.ku-ka.crt" \
5340 0 \
5341 -s "bad certificate (usage extensions)" \
5342 -S "Processing of the Certificate handshake message failed"
5343
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5344# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
5345
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5346run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5347 "$P_SRV key_file=data_files/server5.key \
5348 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5349 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5350 0
5351
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5352run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5353 "$P_SRV key_file=data_files/server5.key \
5354 crt_file=data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5355 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5356 0
5357
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5358run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5359 "$P_SRV key_file=data_files/server5.key \
5360 crt_file=data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5361 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5362 0
5363
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5364run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]5365 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5366 crt_file=data_files/server5.eku-cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5367 "$P_CLI ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5368 1
5369
5370# Tests for extendedKeyUsage, part 2: client-side checking of server cert
5371
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5372run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5373 "$O_SRV -key data_files/server5.key \
5374 -cert data_files/server5.eku-srv.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5375 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5376 0 \
5377 -C "bad certificate (usage extensions)" \
5378 -C "Processing of the Certificate handshake message failed" \
5379 -c "Ciphersuite is TLS-"
5380
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5381run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5382 "$O_SRV -key data_files/server5.key \
5383 -cert data_files/server5.eku-srv_cli.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5384 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5385 0 \
5386 -C "bad certificate (usage extensions)" \
5387 -C "Processing of the Certificate handshake message failed" \
5388 -c "Ciphersuite is TLS-"
5389
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5390run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5391 "$O_SRV -key data_files/server5.key \
5392 -cert data_files/server5.eku-cs_any.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5393 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5394 0 \
5395 -C "bad certificate (usage extensions)" \
5396 -C "Processing of the Certificate handshake message failed" \
5397 -c "Ciphersuite is TLS-"
5398
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5399run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5400 "$O_SRV -key data_files/server5.key \
5401 -cert data_files/server5.eku-cs.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5402 "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5403 1 \
5404 -c "bad certificate (usage extensions)" \
5405 -c "Processing of the Certificate handshake message failed" \
5406 -C "Ciphersuite is TLS-"
5407
5408# Tests for extendedKeyUsage, part 3: server-side checking of client cert
5409
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5410run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5411 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5412 "$O_CLI -key data_files/server5.key \
5413 -cert data_files/server5.eku-cli.crt" \
5414 0 \
5415 -S "bad certificate (usage extensions)" \
5416 -S "Processing of the Certificate handshake message failed"
5417
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5418run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5419 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5420 "$O_CLI -key data_files/server5.key \
5421 -cert data_files/server5.eku-srv_cli.crt" \
5422 0 \
5423 -S "bad certificate (usage extensions)" \
5424 -S "Processing of the Certificate handshake message failed"
5425
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5426run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5427 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5428 "$O_CLI -key data_files/server5.key \
5429 -cert data_files/server5.eku-cs_any.crt" \
5430 0 \
5431 -S "bad certificate (usage extensions)" \
5432 -S "Processing of the Certificate handshake message failed"
5433
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5434run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5435 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5436 "$O_CLI -key data_files/server5.key \
5437 -cert data_files/server5.eku-cs.crt" \
5438 0 \
5439 -s "bad certificate (usage extensions)" \
5440 -S "Processing of the Certificate handshake message failed"
5441
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5442run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]5443 "$P_SRV debug_level=1 auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5444 "$O_CLI -key data_files/server5.key \
5445 -cert data_files/server5.eku-cs.crt" \
5446 1 \
5447 -s "bad certificate (usage extensions)" \
5448 -s "Processing of the Certificate handshake message failed"
5449
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5450# Tests for DHM parameters loading
5451
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5452run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5453 "$P_SRV" \
5454 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5455 debug_level=3" \
5456 0 \
5457 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]5458 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5459
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5460run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5461 "$P_SRV dhm_file=data_files/dhparams.pem" \
5462 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5463 debug_level=3" \
5464 0 \
5465 -c "value of 'DHM: P ' (1024 bits)" \
5466 -c "value of 'DHM: G ' (2 bits)"
5467
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5468# Tests for DHM client-side size checking
5469
5470run_test "DHM size: server default, client default, OK" \
5471 "$P_SRV" \
5472 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5473 debug_level=1" \
5474 0 \
5475 -C "DHM prime too short:"
5476
5477run_test "DHM size: server default, client 2048, OK" \
5478 "$P_SRV" \
5479 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5480 debug_level=1 dhmlen=2048" \
5481 0 \
5482 -C "DHM prime too short:"
5483
5484run_test "DHM size: server 1024, client default, OK" \
5485 "$P_SRV dhm_file=data_files/dhparams.pem" \
5486 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5487 debug_level=1" \
5488 0 \
5489 -C "DHM prime too short:"
5490
5491run_test "DHM size: server 1000, client default, rejected" \
5492 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5493 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5494 debug_level=1" \
5495 1 \
5496 -c "DHM prime too short:"
5497
5498run_test "DHM size: server default, client 2049, rejected" \
5499 "$P_SRV" \
5500 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5501 debug_level=1 dhmlen=2049" \
5502 1 \
5503 -c "DHM prime too short:"
5504
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5505# Tests for PSK callback
5506
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5507run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5508 "$P_SRV psk=abc123 psk_identity=foo" \
5509 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5510 psk_identity=foo psk=abc123" \
5511 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5512 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5513 -S "SSL - Unknown identity received" \
5514 -S "SSL - Verification of the message MAC failed"
5515
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5516run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5517 "$P_SRV" \
5518 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5519 psk_identity=foo psk=abc123" \
5520 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5521 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5522 -S "SSL - Unknown identity received" \
5523 -S "SSL - Verification of the message MAC failed"
5524
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5525run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5526 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
5527 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5528 psk_identity=foo psk=abc123" \
5529 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5530 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5531 -s "SSL - Unknown identity received" \
5532 -S "SSL - Verification of the message MAC failed"
5533
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5534run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5535 "$P_SRV psk_list=abc,dead,def,beef" \
5536 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5537 psk_identity=abc psk=dead" \
5538 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5539 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5540 -S "SSL - Unknown identity received" \
5541 -S "SSL - Verification of the message MAC failed"
5542
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5543run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5544 "$P_SRV psk_list=abc,dead,def,beef" \
5545 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5546 psk_identity=def psk=beef" \
5547 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5548 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5549 -S "SSL - Unknown identity received" \
5550 -S "SSL - Verification of the message MAC failed"
5551
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5552run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5553 "$P_SRV psk_list=abc,dead,def,beef" \
5554 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5555 psk_identity=ghi psk=beef" \
5556 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5557 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5558 -s "SSL - Unknown identity received" \
5559 -S "SSL - Verification of the message MAC failed"
5560
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5561run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5562 "$P_SRV psk_list=abc,dead,def,beef" \
5563 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5564 psk_identity=abc psk=beef" \
5565 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5566 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5567 -S "SSL - Unknown identity received" \
5568 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5569
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5570# Tests for EC J-PAKE
5571
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5572requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5573run_test "ECJPAKE: client not configured" \
5574 "$P_SRV debug_level=3" \
5575 "$P_CLI debug_level=3" \
5576 0 \
5577 -C "add ciphersuite: c0ff" \
5578 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5579 -S "found ecjpake kkpp extension" \
5580 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5581 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5582 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5583 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5584 -S "None of the common ciphersuites is usable"
5585
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5586requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5587run_test "ECJPAKE: server not configured" \
5588 "$P_SRV debug_level=3" \
5589 "$P_CLI debug_level=3 ecjpake_pw=bla \
5590 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5591 1 \
5592 -c "add ciphersuite: c0ff" \
5593 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5594 -s "found ecjpake kkpp extension" \
5595 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5596 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5597 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5598 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5599 -s "None of the common ciphersuites is usable"
5600
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5601requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5602run_test "ECJPAKE: working, TLS" \
5603 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5604 "$P_CLI debug_level=3 ecjpake_pw=bla \
5605 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]5606 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5607 -c "add ciphersuite: c0ff" \
5608 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5609 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5610 -s "found ecjpake kkpp extension" \
5611 -S "skip ecjpake kkpp extension" \
5612 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5613 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5614 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5615 -S "None of the common ciphersuites is usable" \
5616 -S "SSL - Verification of the message MAC failed"
5617
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5618server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5619requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5620run_test "ECJPAKE: password mismatch, TLS" \
5621 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5622 "$P_CLI debug_level=3 ecjpake_pw=bad \
5623 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5624 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5625 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5626 -s "SSL - Verification of the message MAC failed"
5627
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5628requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5629run_test "ECJPAKE: working, DTLS" \
5630 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5631 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5632 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5633 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5634 -c "re-using cached ecjpake parameters" \
5635 -S "SSL - Verification of the message MAC failed"
5636
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5637requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5638run_test "ECJPAKE: working, DTLS, no cookie" \
5639 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
5640 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5641 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5642 0 \
5643 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5644 -S "SSL - Verification of the message MAC failed"
5645
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5646server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5647requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5648run_test "ECJPAKE: password mismatch, DTLS" \
5649 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5650 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
5651 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5652 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5653 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5654 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5655
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5656# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5657requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5658run_test "ECJPAKE: working, DTLS, nolog" \
5659 "$P_SRV dtls=1 ecjpake_pw=bla" \
5660 "$P_CLI dtls=1 ecjpake_pw=bla \
5661 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5662 0
5663
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5664# Tests for ciphersuites per version
5665
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5666requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5667requires_config_enabled MBEDTLS_CAMELLIA_C
5668requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5669run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5670 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5671 "$P_CLI force_version=ssl3" \
5672 0 \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5673 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5674
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5675requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
5676requires_config_enabled MBEDTLS_CAMELLIA_C
5677requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5678run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5679 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]5680 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5681 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5682 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5683
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5684requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
5685requires_config_enabled MBEDTLS_CAMELLIA_C
5686requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5687run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5688 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5689 "$P_CLI force_version=tls1_1" \
5690 0 \
5691 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
5692
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5693requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
5694requires_config_enabled MBEDTLS_CAMELLIA_C
5695requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5696run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardf1e62e82019-03-01 10:14:58 +0100[diff] [blame]5697 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5698 "$P_CLI force_version=tls1_2" \
5699 0 \
5700 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
5701
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5702# Test for ClientHello without extensions
5703
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]5704requires_gnutls
Manuel Pégourié-Gonnardd817f542020-01-30 12:45:14 +0100[diff] [blame]5705run_test "ClientHello without extensions" \
Manuel Pégourié-Gonnard7006ca12020-01-30 10:58:57 +0100[diff] [blame]5706 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5707 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5708 0 \
5709 -s "dumping 'client hello extensions' (0 bytes)"
5710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5711# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5712
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5713run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5714 "$P_SRV" \
5715 "$P_CLI request_size=100" \
5716 0 \
5717 -s "Read from client: 100 bytes read$"
5718
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5719run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5720 "$P_SRV" \
5721 "$P_CLI request_size=500" \
5722 0 \
5723 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5724
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5725# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5726
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5727requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5728run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5729 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5730 "$P_CLI request_size=1 force_version=ssl3 \
5731 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5732 0 \
5733 -s "Read from client: 1 bytes read"
5734
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5735requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5736run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5737 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5738 "$P_CLI request_size=1 force_version=ssl3 \
5739 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5740 0 \
5741 -s "Read from client: 1 bytes read"
5742
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5743run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5744 "$P_SRV" \
5745 "$P_CLI request_size=1 force_version=tls1 \
5746 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5747 0 \
5748 -s "Read from client: 1 bytes read"
5749
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5750run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5751 "$P_SRV" \
5752 "$P_CLI request_size=1 force_version=tls1 etm=0 \
5753 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5754 0 \
5755 -s "Read from client: 1 bytes read"
5756
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5757requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5758run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5759 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5760 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5761 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5762 0 \
5763 -s "Read from client: 1 bytes read"
5764
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5765requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5766run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5767 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5768 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5769 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5770 0 \
5771 -s "Read from client: 1 bytes read"
5772
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5773run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5774 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5775 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5776 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5777 0 \
5778 -s "Read from client: 1 bytes read"
5779
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5780run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5781 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5782 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5783 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5784 0 \
5785 -s "Read from client: 1 bytes read"
5786
5787requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5788run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5789 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5790 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5791 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5792 0 \
5793 -s "Read from client: 1 bytes read"
5794
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5795requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5796run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5797 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5798 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5799 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5800 0 \
5801 -s "Read from client: 1 bytes read"
5802
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5803run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5804 "$P_SRV" \
5805 "$P_CLI request_size=1 force_version=tls1_1 \
5806 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5807 0 \
5808 -s "Read from client: 1 bytes read"
5809
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5810run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5811 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5812 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5813 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5814 0 \
5815 -s "Read from client: 1 bytes read"
5816
5817requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5818run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5819 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5820 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5821 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5822 0 \
5823 -s "Read from client: 1 bytes read"
5824
5825requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5826run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5827 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5828 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5829 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5830 0 \
5831 -s "Read from client: 1 bytes read"
5832
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5833run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5834 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5835 "$P_CLI request_size=1 force_version=tls1_1 \
5836 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5837 0 \
5838 -s "Read from client: 1 bytes read"
5839
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5840run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5841 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5842 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5843 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5844 0 \
5845 -s "Read from client: 1 bytes read"
5846
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5847requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5848run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5849 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5850 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5851 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5852 0 \
5853 -s "Read from client: 1 bytes read"
5854
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5855requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5856run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5857 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5858 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5859 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5860 0 \
5861 -s "Read from client: 1 bytes read"
5862
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5863run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5864 "$P_SRV" \
5865 "$P_CLI request_size=1 force_version=tls1_2 \
5866 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5867 0 \
5868 -s "Read from client: 1 bytes read"
5869
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5870run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5871 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5872 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5873 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5874 0 \
5875 -s "Read from client: 1 bytes read"
5876
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5877run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5878 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5879 "$P_CLI request_size=1 force_version=tls1_2 \
5880 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5881 0 \
5882 -s "Read from client: 1 bytes read"
5883
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5884requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5885run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5886 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5887 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5888 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5889 0 \
5890 -s "Read from client: 1 bytes read"
5891
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5892requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5893run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5894 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5895 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5896 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5897 0 \
5898 -s "Read from client: 1 bytes read"
5899
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5900run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5901 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5902 "$P_CLI request_size=1 force_version=tls1_2 \
5903 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5904 0 \
5905 -s "Read from client: 1 bytes read"
5906
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5907run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5908 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5909 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5910 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5911 0 \
5912 -s "Read from client: 1 bytes read"
5913
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5914requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5915run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5916 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5917 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5918 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5919 0 \
5920 -s "Read from client: 1 bytes read"
5921
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5922requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5923run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5924 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5925 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5926 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5927 0 \
5928 -s "Read from client: 1 bytes read"
5929
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5930run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5931 "$P_SRV" \
5932 "$P_CLI request_size=1 force_version=tls1_2 \
5933 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5934 0 \
5935 -s "Read from client: 1 bytes read"
5936
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5937run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5938 "$P_SRV" \
5939 "$P_CLI request_size=1 force_version=tls1_2 \
5940 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5941 0 \
5942 -s "Read from client: 1 bytes read"
5943
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5944# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5945
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5946run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5947 "$P_SRV dtls=1 force_version=dtls1" \
5948 "$P_CLI dtls=1 request_size=1 \
5949 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5950 0 \
5951 -s "Read from client: 1 bytes read"
5952
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5953run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5954 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
5955 "$P_CLI dtls=1 request_size=1 \
5956 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5957 0 \
5958 -s "Read from client: 1 bytes read"
5959
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5960requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5961run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5962 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
5963 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5964 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5965 0 \
5966 -s "Read from client: 1 bytes read"
5967
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5968requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5969run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5970 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5971 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5972 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5973 0 \
5974 -s "Read from client: 1 bytes read"
5975
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5976run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5977 "$P_SRV dtls=1 force_version=dtls1_2" \
5978 "$P_CLI dtls=1 request_size=1 \
5979 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5980 0 \
5981 -s "Read from client: 1 bytes read"
5982
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5983run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5984 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5985 "$P_CLI dtls=1 request_size=1 \
5986 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5987 0 \
5988 -s "Read from client: 1 bytes read"
5989
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5990requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5991run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5992 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5993 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5994 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5995 0 \
5996 -s "Read from client: 1 bytes read"
5997
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5998requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5999run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6000 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6001 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6002 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6003 0 \
6004 -s "Read from client: 1 bytes read"
6005
Jarno Lamsa0ed68082019-10-28 14:10:59 +0200[diff] [blame]6006run_test "Small client packet DTLS, ECDHE-ECDSA" \
6007 "$P_SRV dtls=1" \
6008 "$P_CLI dtls=1 request_size=1 \
6009 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
6010 0 \
6011 -s "Read from client: 1 bytes read"
6012
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6013# Tests for small server packets
6014
6015requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6016run_test "Small server packet SSLv3 BlockCipher" \
6017 "$P_SRV response_size=1 min_version=ssl3" \
6018 "$P_CLI force_version=ssl3 \
6019 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6020 0 \
6021 -c "Read from server: 1 bytes read"
6022
6023requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6024run_test "Small server packet SSLv3 StreamCipher" \
6025 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6026 "$P_CLI force_version=ssl3 \
6027 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6028 0 \
6029 -c "Read from server: 1 bytes read"
6030
6031run_test "Small server packet TLS 1.0 BlockCipher" \
6032 "$P_SRV response_size=1" \
6033 "$P_CLI force_version=tls1 \
6034 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6035 0 \
6036 -c "Read from server: 1 bytes read"
6037
6038run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
6039 "$P_SRV response_size=1" \
6040 "$P_CLI force_version=tls1 etm=0 \
6041 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6042 0 \
6043 -c "Read from server: 1 bytes read"
6044
6045requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6046run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
6047 "$P_SRV response_size=1 trunc_hmac=1" \
6048 "$P_CLI force_version=tls1 \
6049 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6050 0 \
6051 -c "Read from server: 1 bytes read"
6052
6053requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6054run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
6055 "$P_SRV response_size=1 trunc_hmac=1" \
6056 "$P_CLI force_version=tls1 \
6057 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6058 0 \
6059 -c "Read from server: 1 bytes read"
6060
6061run_test "Small server packet TLS 1.0 StreamCipher" \
6062 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6063 "$P_CLI force_version=tls1 \
6064 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6065 0 \
6066 -c "Read from server: 1 bytes read"
6067
6068run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
6069 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6070 "$P_CLI force_version=tls1 \
6071 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6072 0 \
6073 -c "Read from server: 1 bytes read"
6074
6075requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6076run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
6077 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6078 "$P_CLI force_version=tls1 \
6079 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6080 0 \
6081 -c "Read from server: 1 bytes read"
6082
6083requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6084run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6085 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6086 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6087 trunc_hmac=1 etm=0" \
6088 0 \
6089 -c "Read from server: 1 bytes read"
6090
6091run_test "Small server packet TLS 1.1 BlockCipher" \
6092 "$P_SRV response_size=1" \
6093 "$P_CLI force_version=tls1_1 \
6094 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6095 0 \
6096 -c "Read from server: 1 bytes read"
6097
6098run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
6099 "$P_SRV response_size=1" \
6100 "$P_CLI force_version=tls1_1 \
6101 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
6102 0 \
6103 -c "Read from server: 1 bytes read"
6104
6105requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6106run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
6107 "$P_SRV response_size=1 trunc_hmac=1" \
6108 "$P_CLI force_version=tls1_1 \
6109 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6110 0 \
6111 -c "Read from server: 1 bytes read"
6112
6113requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6114run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6115 "$P_SRV response_size=1 trunc_hmac=1" \
6116 "$P_CLI force_version=tls1_1 \
6117 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6118 0 \
6119 -c "Read from server: 1 bytes read"
6120
6121run_test "Small server packet TLS 1.1 StreamCipher" \
6122 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6123 "$P_CLI force_version=tls1_1 \
6124 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6125 0 \
6126 -c "Read from server: 1 bytes read"
6127
6128run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
6129 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6130 "$P_CLI force_version=tls1_1 \
6131 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6132 0 \
6133 -c "Read from server: 1 bytes read"
6134
6135requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6136run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
6137 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6138 "$P_CLI force_version=tls1_1 \
6139 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6140 0 \
6141 -c "Read from server: 1 bytes read"
6142
6143requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6144run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6145 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6146 "$P_CLI force_version=tls1_1 \
6147 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6148 0 \
6149 -c "Read from server: 1 bytes read"
6150
6151run_test "Small server packet TLS 1.2 BlockCipher" \
6152 "$P_SRV response_size=1" \
6153 "$P_CLI force_version=tls1_2 \
6154 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6155 0 \
6156 -c "Read from server: 1 bytes read"
6157
6158run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
6159 "$P_SRV response_size=1" \
6160 "$P_CLI force_version=tls1_2 \
6161 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
6162 0 \
6163 -c "Read from server: 1 bytes read"
6164
6165run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
6166 "$P_SRV response_size=1" \
6167 "$P_CLI force_version=tls1_2 \
6168 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6169 0 \
6170 -c "Read from server: 1 bytes read"
6171
6172requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6173run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
6174 "$P_SRV response_size=1 trunc_hmac=1" \
6175 "$P_CLI force_version=tls1_2 \
6176 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6177 0 \
6178 -c "Read from server: 1 bytes read"
6179
6180requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6181run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6182 "$P_SRV response_size=1 trunc_hmac=1" \
6183 "$P_CLI force_version=tls1_2 \
6184 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6185 0 \
6186 -c "Read from server: 1 bytes read"
6187
6188run_test "Small server packet TLS 1.2 StreamCipher" \
6189 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6190 "$P_CLI force_version=tls1_2 \
6191 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6192 0 \
6193 -c "Read from server: 1 bytes read"
6194
6195run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
6196 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6197 "$P_CLI force_version=tls1_2 \
6198 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6199 0 \
6200 -c "Read from server: 1 bytes read"
6201
6202requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6203run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
6204 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6205 "$P_CLI force_version=tls1_2 \
6206 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6207 0 \
6208 -c "Read from server: 1 bytes read"
6209
6210requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6211run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6212 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6213 "$P_CLI force_version=tls1_2 \
6214 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6215 0 \
6216 -c "Read from server: 1 bytes read"
6217
6218run_test "Small server packet TLS 1.2 AEAD" \
6219 "$P_SRV response_size=1" \
6220 "$P_CLI force_version=tls1_2 \
6221 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6222 0 \
6223 -c "Read from server: 1 bytes read"
6224
6225run_test "Small server packet TLS 1.2 AEAD shorter tag" \
6226 "$P_SRV response_size=1" \
6227 "$P_CLI force_version=tls1_2 \
6228 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6229 0 \
6230 -c "Read from server: 1 bytes read"
6231
6232# Tests for small server packets in DTLS
6233
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6234run_test "Small server packet DTLS 1.0" \
6235 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
6236 "$P_CLI dtls=1 \
6237 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6238 0 \
6239 -c "Read from server: 1 bytes read"
6240
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6241run_test "Small server packet DTLS 1.0, without EtM" \
6242 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
6243 "$P_CLI dtls=1 \
6244 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6245 0 \
6246 -c "Read from server: 1 bytes read"
6247
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6248requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6249run_test "Small server packet DTLS 1.0, truncated hmac" \
6250 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
6251 "$P_CLI dtls=1 trunc_hmac=1 \
6252 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6253 0 \
6254 -c "Read from server: 1 bytes read"
6255
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6256requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6257run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
6258 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
6259 "$P_CLI dtls=1 \
6260 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
6261 0 \
6262 -c "Read from server: 1 bytes read"
6263
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6264run_test "Small server packet DTLS 1.2" \
6265 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
6266 "$P_CLI dtls=1 \
6267 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6268 0 \
6269 -c "Read from server: 1 bytes read"
6270
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6271run_test "Small server packet DTLS 1.2, without EtM" \
6272 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
6273 "$P_CLI dtls=1 \
6274 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6275 0 \
6276 -c "Read from server: 1 bytes read"
6277
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6278requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6279run_test "Small server packet DTLS 1.2, truncated hmac" \
6280 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
6281 "$P_CLI dtls=1 \
6282 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6283 0 \
6284 -c "Read from server: 1 bytes read"
6285
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6286requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6287run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
6288 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
6289 "$P_CLI dtls=1 \
6290 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
6291 0 \
6292 -c "Read from server: 1 bytes read"
6293
Jarno Lamsac40184b2019-10-28 14:16:12 +0200[diff] [blame]6294run_test "Small server packet DTLS, ECDHE-ECDSA" \
6295 "$P_SRV dtls=1 response_size=1" \
6296 "$P_CLI dtls=1 \
6297 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
6298 0 \
6299 -c "Read from server: 1 bytes read"
6300
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]6301# A test for extensions in SSLv3
6302
6303requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6304run_test "SSLv3 with extensions, server side" \
6305 "$P_SRV min_version=ssl3 debug_level=3" \
6306 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
6307 0 \
6308 -S "dumping 'client hello extensions'" \
6309 -S "server hello, total extension length:"
6310
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6311# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6312
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6313# How many fragments do we expect to write $1 bytes?
6314fragments_for_write() {
6315 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
6316}
6317
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6318requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6319run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]6320 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6321 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6322 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6323 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6324 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6325 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6326
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6327requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6328run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6329 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6330 "$P_CLI request_size=16384 force_version=ssl3 \
6331 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6332 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6333 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6334 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6335
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6336run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6337 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6338 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6339 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6340 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6341 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6342 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6343
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6344run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6345 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6346 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
6347 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6348 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6349 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6350
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6351requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6352run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6353 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6354 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6355 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6356 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6357 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6358 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6359
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6360requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6361run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6362 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6363 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6364 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6365 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6366 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6367
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6368run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6369 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6370 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6371 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6372 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6373 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6374
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6375run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6376 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6377 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6378 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6379 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6380 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6381
6382requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6383run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6384 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6385 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6386 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6387 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6388 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6389
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6390requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6391run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6392 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6393 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6394 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6395 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6396 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6397 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6398
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6399run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6400 "$P_SRV" \
6401 "$P_CLI request_size=16384 force_version=tls1_1 \
6402 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6403 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6404 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6405 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6406
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6407run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6408 "$P_SRV" \
6409 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
6410 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6411 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6412 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6413
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6414requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6415run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6416 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6417 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6418 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6419 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6420 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6421
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6422requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6423run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6424 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6425 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6426 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6427 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6428 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6429
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6430run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6431 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6432 "$P_CLI request_size=16384 force_version=tls1_1 \
6433 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6434 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6435 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6436 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6437
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6438run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6439 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6440 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6441 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6442 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6443 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6444 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6445
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6446requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6447run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6448 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6449 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6450 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6451 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6452 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6453
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6454requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6455run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6456 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6457 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6458 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6459 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6460 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6461 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6462
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6463run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6464 "$P_SRV" \
6465 "$P_CLI request_size=16384 force_version=tls1_2 \
6466 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6467 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6468 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6469 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6470
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6471run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6472 "$P_SRV" \
6473 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
6474 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6475 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6476 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6477
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6478run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6479 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6480 "$P_CLI request_size=16384 force_version=tls1_2 \
6481 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6482 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6483 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6484 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6485
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6486requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6487run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6488 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6489 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6490 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6491 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6492 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6493
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6494requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6495run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6496 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6497 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6498 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6499 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6500 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6501 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6502
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6503run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6504 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6505 "$P_CLI request_size=16384 force_version=tls1_2 \
6506 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6507 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6508 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6509 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6510
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6511run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6512 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6513 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6514 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6515 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6516 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6517
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6518requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6519run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6520 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6521 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6522 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6523 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6524 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6525
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6526requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6527run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6528 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6529 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6530 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6531 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6532 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6533 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6534
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6535run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6536 "$P_SRV" \
6537 "$P_CLI request_size=16384 force_version=tls1_2 \
6538 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6539 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6540 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6541 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6542
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6543run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6544 "$P_SRV" \
6545 "$P_CLI request_size=16384 force_version=tls1_2 \
6546 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6547 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6548 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6549 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6550
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6551# Test for large server packets
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6552requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6553run_test "Large server packet SSLv3 StreamCipher" \
6554 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6555 "$P_CLI force_version=ssl3 \
6556 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6557 0 \
6558 -c "Read from server: 16384 bytes read"
6559
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]6560# Checking next 4 tests logs for 1n-1 split against BEAST too
6561requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6562run_test "Large server packet SSLv3 BlockCipher" \
6563 "$P_SRV response_size=16384 min_version=ssl3" \
6564 "$P_CLI force_version=ssl3 recsplit=0 \
6565 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6566 0 \
6567 -c "Read from server: 1 bytes read"\
6568 -c "16383 bytes read"\
6569 -C "Read from server: 16384 bytes read"
6570
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6571run_test "Large server packet TLS 1.0 BlockCipher" \
6572 "$P_SRV response_size=16384" \
6573 "$P_CLI force_version=tls1 recsplit=0 \
6574 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6575 0 \
6576 -c "Read from server: 1 bytes read"\
6577 -c "16383 bytes read"\
6578 -C "Read from server: 16384 bytes read"
6579
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6580run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
6581 "$P_SRV response_size=16384" \
6582 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
6583 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6584 0 \
6585 -c "Read from server: 1 bytes read"\
6586 -c "16383 bytes read"\
6587 -C "Read from server: 16384 bytes read"
6588
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6589requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6590run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
6591 "$P_SRV response_size=16384" \
6592 "$P_CLI force_version=tls1 recsplit=0 \
6593 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6594 trunc_hmac=1" \
6595 0 \
6596 -c "Read from server: 1 bytes read"\
6597 -c "16383 bytes read"\
6598 -C "Read from server: 16384 bytes read"
6599
6600requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6601run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
6602 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6603 "$P_CLI force_version=tls1 \
6604 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6605 trunc_hmac=1" \
6606 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6607 -s "16384 bytes written in 1 fragments" \
6608 -c "Read from server: 16384 bytes read"
6609
6610run_test "Large server packet TLS 1.0 StreamCipher" \
6611 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6612 "$P_CLI force_version=tls1 \
6613 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6614 0 \
6615 -s "16384 bytes written in 1 fragments" \
6616 -c "Read from server: 16384 bytes read"
6617
6618run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
6619 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6620 "$P_CLI force_version=tls1 \
6621 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6622 0 \
6623 -s "16384 bytes written in 1 fragments" \
6624 -c "Read from server: 16384 bytes read"
6625
6626requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6627run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
6628 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6629 "$P_CLI force_version=tls1 \
6630 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6631 0 \
6632 -s "16384 bytes written in 1 fragments" \
6633 -c "Read from server: 16384 bytes read"
6634
6635requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6636run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6637 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6638 "$P_CLI force_version=tls1 \
6639 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6640 0 \
6641 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6642 -c "Read from server: 16384 bytes read"
6643
6644run_test "Large server packet TLS 1.1 BlockCipher" \
6645 "$P_SRV response_size=16384" \
6646 "$P_CLI force_version=tls1_1 \
6647 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6648 0 \
6649 -c "Read from server: 16384 bytes read"
6650
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6651run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
6652 "$P_SRV response_size=16384" \
6653 "$P_CLI force_version=tls1_1 etm=0 \
6654 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6655 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6656 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6657 -c "Read from server: 16384 bytes read"
6658
6659requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6660run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
6661 "$P_SRV response_size=16384" \
6662 "$P_CLI force_version=tls1_1 \
6663 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6664 trunc_hmac=1" \
6665 0 \
6666 -c "Read from server: 16384 bytes read"
6667
6668requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6669run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6670 "$P_SRV response_size=16384 trunc_hmac=1" \
6671 "$P_CLI force_version=tls1_1 \
6672 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6673 0 \
6674 -s "16384 bytes written in 1 fragments" \
6675 -c "Read from server: 16384 bytes read"
6676
6677run_test "Large server packet TLS 1.1 StreamCipher" \
6678 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6679 "$P_CLI force_version=tls1_1 \
6680 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6681 0 \
6682 -c "Read from server: 16384 bytes read"
6683
6684run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
6685 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6686 "$P_CLI force_version=tls1_1 \
6687 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6688 0 \
6689 -s "16384 bytes written in 1 fragments" \
6690 -c "Read from server: 16384 bytes read"
6691
6692requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6693run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
6694 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6695 "$P_CLI force_version=tls1_1 \
6696 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6697 trunc_hmac=1" \
6698 0 \
6699 -c "Read from server: 16384 bytes read"
6700
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6701run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6702 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6703 "$P_CLI force_version=tls1_1 \
6704 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6705 0 \
6706 -s "16384 bytes written in 1 fragments" \
6707 -c "Read from server: 16384 bytes read"
6708
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6709run_test "Large server packet TLS 1.2 BlockCipher" \
6710 "$P_SRV response_size=16384" \
6711 "$P_CLI force_version=tls1_2 \
6712 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6713 0 \
6714 -c "Read from server: 16384 bytes read"
6715
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6716run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
6717 "$P_SRV response_size=16384" \
6718 "$P_CLI force_version=tls1_2 etm=0 \
6719 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6720 0 \
6721 -s "16384 bytes written in 1 fragments" \
6722 -c "Read from server: 16384 bytes read"
6723
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6724run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
6725 "$P_SRV response_size=16384" \
6726 "$P_CLI force_version=tls1_2 \
6727 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6728 0 \
6729 -c "Read from server: 16384 bytes read"
6730
6731requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6732run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
6733 "$P_SRV response_size=16384" \
6734 "$P_CLI force_version=tls1_2 \
6735 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6736 trunc_hmac=1" \
6737 0 \
6738 -c "Read from server: 16384 bytes read"
6739
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6740run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6741 "$P_SRV response_size=16384 trunc_hmac=1" \
6742 "$P_CLI force_version=tls1_2 \
6743 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6744 0 \
6745 -s "16384 bytes written in 1 fragments" \
6746 -c "Read from server: 16384 bytes read"
6747
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6748run_test "Large server packet TLS 1.2 StreamCipher" \
6749 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6750 "$P_CLI force_version=tls1_2 \
6751 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6752 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6753 -s "16384 bytes written in 1 fragments" \
6754 -c "Read from server: 16384 bytes read"
6755
6756run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
6757 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6758 "$P_CLI force_version=tls1_2 \
6759 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6760 0 \
6761 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6762 -c "Read from server: 16384 bytes read"
6763
6764requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6765run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
6766 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6767 "$P_CLI force_version=tls1_2 \
6768 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6769 trunc_hmac=1" \
6770 0 \
6771 -c "Read from server: 16384 bytes read"
6772
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6773requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6774run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6775 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6776 "$P_CLI force_version=tls1_2 \
6777 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6778 0 \
6779 -s "16384 bytes written in 1 fragments" \
6780 -c "Read from server: 16384 bytes read"
6781
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6782run_test "Large server packet TLS 1.2 AEAD" \
6783 "$P_SRV response_size=16384" \
6784 "$P_CLI force_version=tls1_2 \
6785 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6786 0 \
6787 -c "Read from server: 16384 bytes read"
6788
6789run_test "Large server packet TLS 1.2 AEAD shorter tag" \
6790 "$P_SRV response_size=16384" \
6791 "$P_CLI force_version=tls1_2 \
6792 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6793 0 \
6794 -c "Read from server: 16384 bytes read"
6795
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6796# Tests for restartable ECC
6797
6798requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6799run_test "EC restart: TLS, default" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6800 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6801 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6802 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6803 debug_level=1" \
6804 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6805 -C "x509_verify_cert.*4b00" \
6806 -C "mbedtls_pk_verify.*4b00" \
6807 -C "mbedtls_ecdh_make_public.*4b00" \
6808 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6809
6810requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6811run_test "EC restart: TLS, max_ops=0" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6812 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6813 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6814 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6815 debug_level=1 ec_max_ops=0" \
6816 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6817 -C "x509_verify_cert.*4b00" \
6818 -C "mbedtls_pk_verify.*4b00" \
6819 -C "mbedtls_ecdh_make_public.*4b00" \
6820 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6821
6822requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6823run_test "EC restart: TLS, max_ops=65535" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6824 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6825 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6826 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6827 debug_level=1 ec_max_ops=65535" \
6828 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6829 -C "x509_verify_cert.*4b00" \
6830 -C "mbedtls_pk_verify.*4b00" \
6831 -C "mbedtls_ecdh_make_public.*4b00" \
6832 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6833
6834requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6835run_test "EC restart: TLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6836 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6837 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6838 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6839 debug_level=1 ec_max_ops=1000" \
6840 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6841 -c "x509_verify_cert.*4b00" \
6842 -c "mbedtls_pk_verify.*4b00" \
6843 -c "mbedtls_ecdh_make_public.*4b00" \
6844 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6845
6846requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6847requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6848run_test "EC restart: TLS, max_ops=1000, badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6849 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6850 crt_file=data_files/server5-badsign.crt \
6851 key_file=data_files/server5.key" \
6852 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6853 key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \
6854 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6855 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6856 -c "x509_verify_cert.*4b00" \
Hanno Becker03d77462019-08-27 16:24:56 +0100[diff] [blame]6857 -c "mbedtls_pk_verify.*4b00" \
6858 -c "mbedtls_ecdh_make_public.*4b00" \
6859 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6860 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6861
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6862requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6863requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6864run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6865 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6866 crt_file=data_files/server5-badsign.crt \
6867 key_file=data_files/server5.key" \
6868 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6869 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6870 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6871 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6872 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6873 -c "x509_verify_cert.*4b00" \
6874 -c "mbedtls_pk_verify.*4b00" \
6875 -c "mbedtls_ecdh_make_public.*4b00" \
6876 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6877 -c "! The certificate is not correctly signed by the trusted CA" \
6878 -C "! mbedtls_ssl_handshake returned" \
6879 -C "X509 - Certificate verification failed"
6880
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]6881requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6882requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6883requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6884run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6885 "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6886 crt_file=data_files/server5-badsign.crt \
6887 key_file=data_files/server5.key" \
6888 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6889 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6890 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6891 debug_level=1 ec_max_ops=1000 auth_mode=none" \
6892 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6893 -C "x509_verify_cert.*4b00" \
6894 -c "mbedtls_pk_verify.*4b00" \
6895 -c "mbedtls_ecdh_make_public.*4b00" \
6896 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6897 -C "! The certificate is not correctly signed by the trusted CA" \
6898 -C "! mbedtls_ssl_handshake returned" \
6899 -C "X509 - Certificate verification failed"
6900
6901requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6902run_test "EC restart: DTLS, max_ops=1000" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]6903 "$P_SRV auth_mode=required dtls=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6904 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6905 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6906 dtls=1 debug_level=1 ec_max_ops=1000" \
6907 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6908 -c "x509_verify_cert.*4b00" \
6909 -c "mbedtls_pk_verify.*4b00" \
6910 -c "mbedtls_ecdh_make_public.*4b00" \
6911 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6912
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6913requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6914run_test "EC restart: TLS, max_ops=1000 no client auth" \
6915 "$P_SRV" \
6916 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6917 debug_level=1 ec_max_ops=1000" \
6918 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6919 -c "x509_verify_cert.*4b00" \
6920 -c "mbedtls_pk_verify.*4b00" \
6921 -c "mbedtls_ecdh_make_public.*4b00" \
6922 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6923
6924requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6925run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
6926 "$P_SRV psk=abc123" \
6927 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
6928 psk=abc123 debug_level=1 ec_max_ops=1000" \
6929 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6930 -C "x509_verify_cert.*4b00" \
6931 -C "mbedtls_pk_verify.*4b00" \
6932 -C "mbedtls_ecdh_make_public.*4b00" \
6933 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6934
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6935# Tests of asynchronous private key support in SSL
6936
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6937requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6938run_test "SSL async private: sign, delay=0" \
6939 "$P_SRV \
6940 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6941 "$P_CLI" \
6942 0 \
6943 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6944 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6945
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6946requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6947run_test "SSL async private: sign, delay=1" \
6948 "$P_SRV \
6949 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6950 "$P_CLI" \
6951 0 \
6952 -s "Async sign callback: using key slot " \
6953 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6954 -s "Async resume (slot [0-9]): sign done, status=0"
6955
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]6956requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6957run_test "SSL async private: sign, delay=2" \
6958 "$P_SRV \
6959 async_operations=s async_private_delay1=2 async_private_delay2=2" \
6960 "$P_CLI" \
6961 0 \
6962 -s "Async sign callback: using key slot " \
6963 -U "Async sign callback: using key slot " \
6964 -s "Async resume (slot [0-9]): call 1 more times." \
6965 -s "Async resume (slot [0-9]): call 0 more times." \
6966 -s "Async resume (slot [0-9]): sign done, status=0"
6967
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]6968# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
6969# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
6970requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6971requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6972run_test "SSL async private: sign, RSA, TLS 1.1" \
6973 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
6974 async_operations=s async_private_delay1=0 async_private_delay2=0" \
6975 "$P_CLI force_version=tls1_1" \
6976 0 \
6977 -s "Async sign callback: using key slot " \
6978 -s "Async resume (slot [0-9]): sign done, status=0"
6979
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6980requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Hanno Beckerb2c63832019-06-17 08:35:16 +0100[diff] [blame]6981requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Teppo Järvelin4009d8f2019-08-19 14:48:09 +0300[diff] [blame]6982requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]6983requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]6984run_test "SSL async private: sign, SNI" \
6985 "$P_SRV debug_level=3 \
6986 async_operations=s async_private_delay1=0 async_private_delay2=0 \
6987 crt_file=data_files/server5.crt key_file=data_files/server5.key \
6988 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
6989 "$P_CLI server_name=polarssl.example" \
6990 0 \
6991 -s "Async sign callback: using key slot " \
6992 -s "Async resume (slot [0-9]): sign done, status=0" \
6993 -s "parse ServerName extension" \
6994 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6995 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
6996
6997requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6998run_test "SSL async private: decrypt, delay=0" \
6999 "$P_SRV \
7000 async_operations=d async_private_delay1=0 async_private_delay2=0" \
7001 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7002 0 \
7003 -s "Async decrypt callback: using key slot " \
7004 -s "Async resume (slot [0-9]): decrypt done, status=0"
7005
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7006requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7007run_test "SSL async private: decrypt, delay=1" \
7008 "$P_SRV \
7009 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7010 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7011 0 \
7012 -s "Async decrypt callback: using key slot " \
7013 -s "Async resume (slot [0-9]): call 0 more times." \
7014 -s "Async resume (slot [0-9]): decrypt done, status=0"
7015
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7016requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7017run_test "SSL async private: decrypt RSA-PSK, delay=0" \
7018 "$P_SRV psk=abc123 \
7019 async_operations=d async_private_delay1=0 async_private_delay2=0" \
7020 "$P_CLI psk=abc123 \
7021 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
7022 0 \
7023 -s "Async decrypt callback: using key slot " \
7024 -s "Async resume (slot [0-9]): decrypt done, status=0"
7025
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7026requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7027run_test "SSL async private: decrypt RSA-PSK, delay=1" \
7028 "$P_SRV psk=abc123 \
7029 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7030 "$P_CLI psk=abc123 \
7031 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
7032 0 \
7033 -s "Async decrypt callback: using key slot " \
7034 -s "Async resume (slot [0-9]): call 0 more times." \
7035 -s "Async resume (slot [0-9]): decrypt done, status=0"
7036
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7037requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7038run_test "SSL async private: sign callback not present" \
7039 "$P_SRV \
7040 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7041 "$P_CLI; [ \$? -eq 1 ] &&
7042 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7043 0 \
7044 -S "Async sign callback" \
7045 -s "! mbedtls_ssl_handshake returned" \
7046 -s "The own private key or pre-shared key is not set, but needed" \
7047 -s "Async resume (slot [0-9]): decrypt done, status=0" \
7048 -s "Successful connection"
7049
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7050requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7051run_test "SSL async private: decrypt callback not present" \
7052 "$P_SRV debug_level=1 \
7053 async_operations=s async_private_delay1=1 async_private_delay2=1" \
7054 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
7055 [ \$? -eq 1 ] && $P_CLI" \
7056 0 \
7057 -S "Async decrypt callback" \
7058 -s "! mbedtls_ssl_handshake returned" \
7059 -s "got no RSA private key" \
7060 -s "Async resume (slot [0-9]): sign done, status=0" \
7061 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7062
7063# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7064requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7065run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7066 "$P_SRV \
7067 async_operations=s async_private_delay1=1 \
7068 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7069 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7070 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ca_file=data_files/test-ca2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7071 0 \
7072 -s "Async sign callback: using key slot 0," \
7073 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7074 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7075
7076# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7077requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7078run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7079 "$P_SRV \
7080 async_operations=s async_private_delay2=1 \
7081 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7082 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7083 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7084 0 \
7085 -s "Async sign callback: using key slot 0," \
7086 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7087 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7088
7089# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7090requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]7091run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7092 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]7093 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7094 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7095 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7096 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7097 0 \
7098 -s "Async sign callback: using key slot 1," \
7099 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7100 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7101
7102# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7103requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7104run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7105 "$P_SRV \
7106 async_operations=s async_private_delay1=1 \
7107 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7108 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7109 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7110 0 \
7111 -s "Async sign callback: no key matches this certificate."
7112
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7113requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7114run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7115 "$P_SRV \
7116 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7117 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7118 "$P_CLI" \
7119 1 \
7120 -s "Async sign callback: injected error" \
7121 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]7122 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7123 -s "! mbedtls_ssl_handshake returned"
7124
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7125requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7126run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7127 "$P_SRV \
7128 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7129 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7130 "$P_CLI" \
7131 1 \
7132 -s "Async sign callback: using key slot " \
7133 -S "Async resume" \
7134 -s "Async cancel"
7135
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7136requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7137run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7138 "$P_SRV \
7139 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7140 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7141 "$P_CLI" \
7142 1 \
7143 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7144 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]7145 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7146 -s "! mbedtls_ssl_handshake returned"
7147
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7148requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7149run_test "SSL async private: decrypt, error in start" \
7150 "$P_SRV \
7151 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7152 async_private_error=1" \
7153 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7154 1 \
7155 -s "Async decrypt callback: injected error" \
7156 -S "Async resume" \
7157 -S "Async cancel" \
7158 -s "! mbedtls_ssl_handshake returned"
7159
7160requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7161run_test "SSL async private: decrypt, cancel after start" \
7162 "$P_SRV \
7163 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7164 async_private_error=2" \
7165 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7166 1 \
7167 -s "Async decrypt callback: using key slot " \
7168 -S "Async resume" \
7169 -s "Async cancel"
7170
7171requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7172run_test "SSL async private: decrypt, error in resume" \
7173 "$P_SRV \
7174 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7175 async_private_error=3" \
7176 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7177 1 \
7178 -s "Async decrypt callback: using key slot " \
7179 -s "Async resume callback: decrypt done but injected error" \
7180 -S "Async cancel" \
7181 -s "! mbedtls_ssl_handshake returned"
7182
7183requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7184run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7185 "$P_SRV \
7186 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7187 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7188 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
7189 0 \
7190 -s "Async cancel" \
7191 -s "! mbedtls_ssl_handshake returned" \
7192 -s "Async resume" \
7193 -s "Successful connection"
7194
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7195requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7196run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7197 "$P_SRV \
7198 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7199 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7200 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
7201 0 \
7202 -s "! mbedtls_ssl_handshake returned" \
7203 -s "Async resume" \
7204 -s "Successful connection"
7205
7206# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7207requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7208run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7209 "$P_SRV \
7210 async_operations=s async_private_delay1=1 async_private_error=-2 \
7211 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7212 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7213 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
7214 [ \$? -eq 1 ] &&
7215 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7216 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]7217 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7218 -S "Async resume" \
7219 -s "Async cancel" \
7220 -s "! mbedtls_ssl_handshake returned" \
7221 -s "Async sign callback: no key matches this certificate." \
7222 -s "Successful connection"
7223
7224# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7225requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7226run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7227 "$P_SRV \
7228 async_operations=s async_private_delay1=1 async_private_error=-3 \
7229 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7230 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7231 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
7232 [ \$? -eq 1 ] &&
7233 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7234 0 \
7235 -s "Async resume" \
7236 -s "! mbedtls_ssl_handshake returned" \
7237 -s "Async sign callback: no key matches this certificate." \
7238 -s "Successful connection"
7239
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7240requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7241requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7242run_test "SSL async private: renegotiation: client-initiated; sign" \
7243 "$P_SRV \
7244 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7245 exchanges=2 renegotiation=1" \
7246 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
7247 0 \
7248 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7249 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7250
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7251requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7252requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7253run_test "SSL async private: renegotiation: server-initiated; sign" \
7254 "$P_SRV \
7255 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7256 exchanges=2 renegotiation=1 renegotiate=1" \
7257 "$P_CLI exchanges=2 renegotiation=1" \
7258 0 \
7259 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7260 -s "Async resume (slot [0-9]): sign done, status=0"
7261
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7262requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7263requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7264run_test "SSL async private: renegotiation: client-initiated; decrypt" \
7265 "$P_SRV \
7266 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7267 exchanges=2 renegotiation=1" \
7268 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
7269 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7270 0 \
7271 -s "Async decrypt callback: using key slot " \
7272 -s "Async resume (slot [0-9]): decrypt done, status=0"
7273
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7274requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7275requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7276run_test "SSL async private: renegotiation: server-initiated; decrypt" \
7277 "$P_SRV \
7278 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7279 exchanges=2 renegotiation=1 renegotiate=1" \
7280 "$P_CLI exchanges=2 renegotiation=1 \
7281 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7282 0 \
7283 -s "Async decrypt callback: using key slot " \
7284 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7285
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7286# Tests for ECC extensions (rfc 4492)
7287
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7288requires_config_enabled MBEDTLS_AES_C
7289requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7290requires_config_enabled MBEDTLS_SHA256_C
7291requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7292run_test "Force a non ECC ciphersuite in the client side" \
7293 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7294 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7295 0 \
7296 -C "client hello, adding supported_elliptic_curves extension" \
7297 -C "client hello, adding supported_point_formats extension" \
7298 -S "found supported elliptic curves extension" \
7299 -S "found supported point formats extension"
7300
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7301requires_config_enabled MBEDTLS_AES_C
7302requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7303requires_config_enabled MBEDTLS_SHA256_C
7304requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7305run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7306 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7307 "$P_CLI debug_level=3" \
7308 0 \
7309 -C "found supported_point_formats extension" \
7310 -S "server hello, supported_point_formats extension"
7311
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7312requires_config_enabled MBEDTLS_AES_C
7313requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7314requires_config_enabled MBEDTLS_SHA256_C
7315requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7316run_test "Force an ECC ciphersuite in the client side" \
7317 "$P_SRV debug_level=3" \
7318 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
7319 0 \
7320 -c "client hello, adding supported_elliptic_curves extension" \
7321 -c "client hello, adding supported_point_formats extension" \
7322 -s "found supported elliptic curves extension" \
7323 -s "found supported point formats extension"
7324
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7325requires_config_enabled MBEDTLS_AES_C
7326requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7327requires_config_enabled MBEDTLS_SHA256_C
7328requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7329run_test "Force an ECC ciphersuite in the server side" \
7330 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
7331 "$P_CLI debug_level=3" \
7332 0 \
7333 -c "found supported_point_formats extension" \
7334 -s "server hello, supported_point_formats extension"
7335
Jarno Lamsa2e2fa5e2019-10-30 15:08:26 +0200[diff] [blame]7336requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
Jarno Lamsad3428052019-10-28 14:36:37 +0200[diff] [blame]7337run_test "Force an ECC ciphersuite with CCM in the client side" \
7338 "$P_SRV dtls=1 debug_level=3" \
7339 "$P_CLI dtls=1 debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
7340 0 \
7341 -c "client hello, adding supported_elliptic_curves extension" \
7342 -c "client hello, adding supported_point_formats extension" \
7343 -s "found supported elliptic curves extension" \
7344 -s "found supported point formats extension"
7345
Jarno Lamsa2e2fa5e2019-10-30 15:08:26 +0200[diff] [blame]7346requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
Jarno Lamsad3428052019-10-28 14:36:37 +0200[diff] [blame]7347run_test "Force an ECC ciphersuite with CCM in the server side" \
7348 "$P_SRV dtls=1 debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
7349 "$P_CLI dtls=1 debug_level=3" \
7350 0 \
7351 -c "found supported_point_formats extension" \
7352 -s "server hello, supported_point_formats extension"
7353
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7354# Tests for DTLS HelloVerifyRequest
7355
7356run_test "DTLS cookie: enabled" \
7357 "$P_SRV dtls=1 debug_level=2" \
7358 "$P_CLI dtls=1 debug_level=2" \
7359 0 \
7360 -s "cookie verification failed" \
7361 -s "cookie verification passed" \
7362 -S "cookie verification skipped" \
7363 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7364 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7365 -S "SSL - The requested feature is not available"
7366
7367run_test "DTLS cookie: disabled" \
7368 "$P_SRV dtls=1 debug_level=2 cookies=0" \
7369 "$P_CLI dtls=1 debug_level=2" \
7370 0 \
7371 -S "cookie verification failed" \
7372 -S "cookie verification passed" \
7373 -s "cookie verification skipped" \
7374 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7375 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7376 -S "SSL - The requested feature is not available"
7377
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7378run_test "DTLS cookie: default (failing)" \
7379 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
7380 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
7381 1 \
7382 -s "cookie verification failed" \
7383 -S "cookie verification passed" \
7384 -S "cookie verification skipped" \
7385 -C "received hello verify request" \
Jarno Lamsab514cd32019-10-28 14:37:51 +0200[diff] [blame]7386 -S "hello verification requested"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7387
7388requires_ipv6
7389run_test "DTLS cookie: enabled, IPv6" \
7390 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
7391 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
7392 0 \
7393 -s "cookie verification failed" \
7394 -s "cookie verification passed" \
7395 -S "cookie verification skipped" \
7396 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7397 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7398 -S "SSL - The requested feature is not available"
7399
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]7400run_test "DTLS cookie: enabled, nbio" \
7401 "$P_SRV dtls=1 nbio=2 debug_level=2" \
7402 "$P_CLI dtls=1 nbio=2 debug_level=2" \
7403 0 \
7404 -s "cookie verification failed" \
7405 -s "cookie verification passed" \
7406 -S "cookie verification skipped" \
7407 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7408 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]7409 -S "SSL - The requested feature is not available"
7410
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7411# Tests for client reconnecting from the same port with DTLS
7412
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7413not_with_valgrind # spurious resend
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]7414requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnard731d7c02020-04-01 09:58:39 +0200[diff] [blame]7415requires_config_enabled MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7416run_test "DTLS client reconnect from same port: reference" \
Andrzej Kurek7ad75b62021-01-14 06:17:40 -0500[diff] [blame]7417 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=15000-25000" \
7418 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=15000-25000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7419 0 \
7420 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7421 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7422 -S "Client initiated reconnection from same port"
7423
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7424not_with_valgrind # spurious resend
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]7425requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnard731d7c02020-04-01 09:58:39 +0200[diff] [blame]7426requires_config_enabled MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7427run_test "DTLS client reconnect from same port: reconnect" \
Andrzej Kurek7ad75b62021-01-14 06:17:40 -0500[diff] [blame]7428 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=15000-25000" \
Andrzej Kurek95b87f32021-01-12 07:47:01 -0500[diff] [blame]7429 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=15000-25000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7430 0 \
7431 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7432 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7433 -s "Client initiated reconnection from same port"
7434
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7435not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]7436requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnard731d7c02020-04-01 09:58:39 +0200[diff] [blame]7437requires_config_enabled MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7438run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7439 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
7440 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7441 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7442 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7443 -s "Client initiated reconnection from same port"
7444
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7445only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]7446requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnard731d7c02020-04-01 09:58:39 +0200[diff] [blame]7447requires_config_enabled MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7448run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
7449 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
7450 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
7451 0 \
7452 -S "The operation timed out" \
7453 -s "Client initiated reconnection from same port"
7454
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]7455requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnard731d7c02020-04-01 09:58:39 +0200[diff] [blame]7456requires_config_enabled MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7457run_test "DTLS client reconnect from same port: no cookies" \
7458 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]7459 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
7460 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7461 -s "The operation timed out" \
7462 -S "Client initiated reconnection from same port"
7463
Manuel Pégourié-Gonnard731d7c02020-04-01 09:58:39 +0200[diff] [blame]7464requires_config_enabled MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]7465run_test "DTLS client reconnect from same port: attacker-injected" \
7466 -p "$P_PXY inject_clihlo=1" \
7467 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
7468 "$P_CLI dtls=1 exchanges=2" \
7469 0 \
7470 -s "possible client reconnect from the same port" \
7471 -S "Client initiated reconnection from same port"
7472
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7473# Tests for various cases of client authentication with DTLS
7474# (focused on handshake flows and message parsing)
7475
7476run_test "DTLS client auth: required" \
7477 "$P_SRV dtls=1 auth_mode=required" \
7478 "$P_CLI dtls=1" \
7479 0 \
7480 -s "Verifying peer X.509 certificate... ok"
7481
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7482requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7483requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7484run_test "DTLS client auth: optional, client has no cert" \
7485 "$P_SRV dtls=1 auth_mode=optional" \
7486 "$P_CLI dtls=1 crt_file=none key_file=none" \
7487 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7488 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7489
Hanno Becker4a156fc2019-06-14 17:07:06 +0100[diff] [blame]7490requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Hanno Becker9ec3fe02019-07-01 17:36:12 +0100[diff] [blame]7491requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7492run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7493 "$P_SRV dtls=1 auth_mode=none" \
7494 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
7495 0 \
7496 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7497 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7498
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]7499requires_ciphersuite_enabled TLS-PSK-WITH-AES-128-GCM-SHA256
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]7500run_test "DTLS wrong PSK: badmac alert" \
7501 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
7502 "$P_CLI dtls=1 psk=abc124" \
7503 1 \
7504 -s "SSL - Verification of the message MAC failed" \
7505 -c "SSL - A fatal alert message was received from our peer"
7506
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7507# Tests for receiving fragmented handshake messages with DTLS
7508
7509requires_gnutls
7510run_test "DTLS reassembly: no fragmentation (gnutls server)" \
7511 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7512 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7513 0 \
7514 -C "found fragmented DTLS handshake message" \
7515 -C "error"
7516
7517requires_gnutls
7518run_test "DTLS reassembly: some fragmentation (gnutls server)" \
7519 "$G_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7520 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7521 0 \
7522 -c "found fragmented DTLS handshake message" \
7523 -C "error"
7524
7525requires_gnutls
7526run_test "DTLS reassembly: more fragmentation (gnutls server)" \
7527 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7528 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7529 0 \
7530 -c "found fragmented DTLS handshake message" \
7531 -C "error"
7532
7533requires_gnutls
7534run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
7535 "$G_SRV -u --mtu 128" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7536 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7537 0 \
7538 -c "found fragmented DTLS handshake message" \
7539 -C "error"
7540
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7541requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7542requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7543run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
7544 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7545 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7546 0 \
7547 -c "found fragmented DTLS handshake message" \
7548 -c "client hello, adding renegotiation extension" \
7549 -c "found renegotiation extension" \
7550 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7551 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7552 -C "error" \
7553 -s "Extra-header:"
7554
7555requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7556requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7557run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
7558 "$G_SRV -u --mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7559 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7560 0 \
7561 -c "found fragmented DTLS handshake message" \
7562 -c "client hello, adding renegotiation extension" \
7563 -c "found renegotiation extension" \
7564 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7565 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7566 -C "error" \
7567 -s "Extra-header:"
7568
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7569run_test "DTLS reassembly: no fragmentation (openssl server)" \
7570 "$O_SRV -dtls1 -mtu 2048" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7571 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7572 0 \
7573 -C "found fragmented DTLS handshake message" \
7574 -C "error"
7575
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7576run_test "DTLS reassembly: some fragmentation (openssl server)" \
7577 "$O_SRV -dtls1 -mtu 768" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7578 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7579 0 \
7580 -c "found fragmented DTLS handshake message" \
7581 -C "error"
7582
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7583run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7584 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7585 "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7586 0 \
7587 -c "found fragmented DTLS handshake message" \
7588 -C "error"
7589
7590run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
7591 "$O_SRV -dtls1 -mtu 256" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7592 "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7593 0 \
7594 -c "found fragmented DTLS handshake message" \
7595 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7596
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7597# Tests for sending fragmented handshake messages with DTLS
7598#
7599# Use client auth when we need the client to send large messages,
7600# and use large cert chains on both sides too (the long chains we have all use
7601# both RSA and ECDSA, but ideally we should have long chains with either).
7602# Sizes reached (UDP payload):
7603# - 2037B for server certificate
7604# - 1542B for client certificate
7605# - 1013B for newsessionticket
7606# - all others below 512B
7607# All those tests assume MAX_CONTENT_LEN is at least 2048
7608
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7609requires_config_enabled MBEDTLS_RSA_C
7610requires_config_enabled MBEDTLS_ECDSA_C
7611requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7612run_test "DTLS fragmenting: none (for reference)" \
7613 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7614 crt_file=data_files/server7_int-ca.crt \
7615 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7616 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7617 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7618 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7619 "$P_CLI dtls=1 debug_level=2 \
7620 crt_file=data_files/server8_int-ca2.crt \
7621 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7622 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7623 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7624 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7625 0 \
7626 -S "found fragmented DTLS handshake message" \
7627 -C "found fragmented DTLS handshake message" \
7628 -C "error"
7629
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7630requires_config_enabled MBEDTLS_RSA_C
7631requires_config_enabled MBEDTLS_ECDSA_C
7632requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7633run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7634 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7635 crt_file=data_files/server7_int-ca.crt \
7636 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7637 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7638 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7639 max_frag_len=1024" \
7640 "$P_CLI dtls=1 debug_level=2 \
7641 crt_file=data_files/server8_int-ca2.crt \
7642 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7643 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7644 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7645 max_frag_len=2048" \
7646 0 \
7647 -S "found fragmented DTLS handshake message" \
7648 -c "found fragmented DTLS handshake message" \
7649 -C "error"
7650
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7651# With the MFL extension, the server has no way of forcing
7652# the client to not exceed a certain MTU; hence, the following
7653# test can't be replicated with an MTU proxy such as the one
7654# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7655requires_config_enabled MBEDTLS_RSA_C
7656requires_config_enabled MBEDTLS_ECDSA_C
7657requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7658run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7659 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7660 crt_file=data_files/server7_int-ca.crt \
7661 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7662 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7663 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7664 max_frag_len=512" \
7665 "$P_CLI dtls=1 debug_level=2 \
7666 crt_file=data_files/server8_int-ca2.crt \
7667 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7668 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7669 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7670 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7671 0 \
7672 -S "found fragmented DTLS handshake message" \
7673 -c "found fragmented DTLS handshake message" \
7674 -C "error"
7675
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7676requires_config_enabled MBEDTLS_RSA_C
7677requires_config_enabled MBEDTLS_ECDSA_C
7678requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7679run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7680 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7681 crt_file=data_files/server7_int-ca.crt \
7682 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7683 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7684 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7685 max_frag_len=2048" \
7686 "$P_CLI dtls=1 debug_level=2 \
7687 crt_file=data_files/server8_int-ca2.crt \
7688 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7689 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7690 hs_timeout=2500-60000 \
7691 max_frag_len=1024" \
7692 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7693 -S "found fragmented DTLS handshake message" \
7694 -c "found fragmented DTLS handshake message" \
7695 -C "error"
7696
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7697# While not required by the standard defining the MFL extension
7698# (according to which it only applies to records, not to datagrams),
7699# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7700# as otherwise there wouldn't be any means to communicate MTU restrictions
7701# to the peer.
7702# The next test checks that no datagrams significantly larger than the
7703# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7704requires_config_enabled MBEDTLS_RSA_C
7705requires_config_enabled MBEDTLS_ECDSA_C
7706requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7707run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7708 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7709 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7710 crt_file=data_files/server7_int-ca.crt \
7711 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7712 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7713 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7714 max_frag_len=2048" \
7715 "$P_CLI dtls=1 debug_level=2 \
7716 crt_file=data_files/server8_int-ca2.crt \
7717 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7718 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7719 hs_timeout=2500-60000 \
7720 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7721 0 \
7722 -S "found fragmented DTLS handshake message" \
7723 -c "found fragmented DTLS handshake message" \
7724 -C "error"
7725
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7726requires_config_enabled MBEDTLS_RSA_C
7727requires_config_enabled MBEDTLS_ECDSA_C
7728requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7729run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7730 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7731 crt_file=data_files/server7_int-ca.crt \
7732 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7733 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7734 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7735 max_frag_len=2048" \
7736 "$P_CLI dtls=1 debug_level=2 \
7737 crt_file=data_files/server8_int-ca2.crt \
7738 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7739 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7740 hs_timeout=2500-60000 \
7741 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7742 0 \
7743 -s "found fragmented DTLS handshake message" \
7744 -c "found fragmented DTLS handshake message" \
7745 -C "error"
7746
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7747# While not required by the standard defining the MFL extension
7748# (according to which it only applies to records, not to datagrams),
7749# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7750# as otherwise there wouldn't be any means to communicate MTU restrictions
7751# to the peer.
7752# The next test checks that no datagrams significantly larger than the
7753# negotiated MFL are sent.
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7754requires_config_enabled MBEDTLS_RSA_C
7755requires_config_enabled MBEDTLS_ECDSA_C
7756requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7757run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7758 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7759 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7760 crt_file=data_files/server7_int-ca.crt \
7761 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7762 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7763 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7764 max_frag_len=2048" \
7765 "$P_CLI dtls=1 debug_level=2 \
7766 crt_file=data_files/server8_int-ca2.crt \
7767 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7768 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7769 hs_timeout=2500-60000 \
7770 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7771 0 \
7772 -s "found fragmented DTLS handshake message" \
7773 -c "found fragmented DTLS handshake message" \
7774 -C "error"
7775
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7776requires_config_enabled MBEDTLS_RSA_C
7777requires_config_enabled MBEDTLS_ECDSA_C
7778run_test "DTLS fragmenting: none (for reference) (MTU)" \
7779 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7780 crt_file=data_files/server7_int-ca.crt \
7781 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7782 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7783 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7784 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7785 "$P_CLI dtls=1 debug_level=2 \
7786 crt_file=data_files/server8_int-ca2.crt \
7787 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7788 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7789 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7790 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7791 0 \
7792 -S "found fragmented DTLS handshake message" \
7793 -C "found fragmented DTLS handshake message" \
7794 -C "error"
7795
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7796requires_config_enabled MBEDTLS_RSA_C
7797requires_config_enabled MBEDTLS_ECDSA_C
7798run_test "DTLS fragmenting: client (MTU)" \
7799 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7800 crt_file=data_files/server7_int-ca.crt \
7801 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7802 ca_file=data_files/test-ca.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7803 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7804 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7805 "$P_CLI dtls=1 debug_level=2 \
7806 crt_file=data_files/server8_int-ca2.crt \
7807 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7808 ca_file=data_files/test-ca2.crt \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7809 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7810 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7811 0 \
7812 -s "found fragmented DTLS handshake message" \
7813 -C "found fragmented DTLS handshake message" \
7814 -C "error"
7815
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7816requires_config_enabled MBEDTLS_RSA_C
7817requires_config_enabled MBEDTLS_ECDSA_C
7818run_test "DTLS fragmenting: server (MTU)" \
7819 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7820 crt_file=data_files/server7_int-ca.crt \
7821 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7822 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7823 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7824 mtu=512" \
7825 "$P_CLI dtls=1 debug_level=2 \
7826 crt_file=data_files/server8_int-ca2.crt \
7827 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7828 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7829 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7830 mtu=2048" \
7831 0 \
7832 -S "found fragmented DTLS handshake message" \
7833 -c "found fragmented DTLS handshake message" \
7834 -C "error"
7835
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7836requires_config_enabled MBEDTLS_RSA_C
7837requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7838run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7839 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7840 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7841 crt_file=data_files/server7_int-ca.crt \
7842 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7843 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7844 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]7845 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7846 "$P_CLI dtls=1 debug_level=2 \
7847 crt_file=data_files/server8_int-ca2.crt \
7848 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7849 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7850 hs_timeout=2500-60000 \
7851 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7852 0 \
7853 -s "found fragmented DTLS handshake message" \
7854 -c "found fragmented DTLS handshake message" \
7855 -C "error"
7856
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7857# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7858requires_config_enabled MBEDTLS_RSA_C
7859requires_config_enabled MBEDTLS_ECDSA_C
7860requires_config_enabled MBEDTLS_SHA256_C
7861requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7862requires_config_enabled MBEDTLS_AES_C
7863requires_config_enabled MBEDTLS_GCM_C
7864run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]7865 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7866 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7867 crt_file=data_files/server7_int-ca.crt \
7868 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7869 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7870 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7871 mtu=512" \
7872 "$P_CLI dtls=1 debug_level=2 \
7873 crt_file=data_files/server8_int-ca2.crt \
7874 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7875 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7876 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7877 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7878 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]7879 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]7880 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7881 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7882 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]7883
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7884# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7885# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7886# The ratio of max/min timeout should ideally equal 4 to accept two
7887# retransmissions, but in some cases (like both the server and client using
7888# fragmentation and auto-reduction) an extra retransmission might occur,
7889# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]7890not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7891requires_config_enabled MBEDTLS_RSA_C
7892requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7893requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7894requires_config_enabled MBEDTLS_AES_C
7895requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7896run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7897 -p "$P_PXY mtu=508" \
7898 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7899 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7900 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7901 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7902 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7903 "$P_CLI dtls=1 debug_level=2 \
7904 crt_file=data_files/server8_int-ca2.crt \
7905 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7906 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7907 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7908 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7909 0 \
7910 -s "found fragmented DTLS handshake message" \
7911 -c "found fragmented DTLS handshake message" \
7912 -C "error"
7913
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7914# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7915only_with_valgrind
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7916requires_config_enabled MBEDTLS_RSA_C
7917requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7918requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7919requires_config_enabled MBEDTLS_AES_C
7920requires_config_enabled MBEDTLS_GCM_C
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7921run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7922 -p "$P_PXY mtu=508" \
7923 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7924 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7925 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7926 ca_file=data_files/test-ca.crt \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7927 hs_timeout=250-10000" \
7928 "$P_CLI dtls=1 debug_level=2 \
7929 crt_file=data_files/server8_int-ca2.crt \
7930 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7931 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7932 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7933 hs_timeout=250-10000" \
7934 0 \
7935 -s "found fragmented DTLS handshake message" \
7936 -c "found fragmented DTLS handshake message" \
7937 -C "error"
7938
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7939# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]7940# OTOH the client might resend if the server is to slow to reset after sending
7941# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7942not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7943requires_config_enabled MBEDTLS_RSA_C
7944requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7945run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7946 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7947 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7948 crt_file=data_files/server7_int-ca.crt \
7949 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7950 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7951 hs_timeout=10000-60000 \
7952 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7953 "$P_CLI dtls=1 debug_level=2 \
7954 crt_file=data_files/server8_int-ca2.crt \
7955 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7956 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7957 hs_timeout=10000-60000 \
7958 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7959 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7960 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7961 -s "found fragmented DTLS handshake message" \
7962 -c "found fragmented DTLS handshake message" \
7963 -C "error"
7964
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7965# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7966# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
7967# OTOH the client might resend if the server is to slow to reset after sending
7968# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7969not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7970requires_config_enabled MBEDTLS_RSA_C
7971requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7972requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7973requires_config_enabled MBEDTLS_AES_C
7974requires_config_enabled MBEDTLS_GCM_C
7975run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7976 -p "$P_PXY mtu=512" \
7977 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7978 crt_file=data_files/server7_int-ca.crt \
7979 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7980 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7981 hs_timeout=10000-60000 \
7982 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7983 "$P_CLI dtls=1 debug_level=2 \
7984 crt_file=data_files/server8_int-ca2.crt \
7985 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]7986 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7987 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7988 hs_timeout=10000-60000 \
7989 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7990 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7991 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7992 -s "found fragmented DTLS handshake message" \
7993 -c "found fragmented DTLS handshake message" \
7994 -C "error"
7995
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7996not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7997requires_config_enabled MBEDTLS_RSA_C
7998requires_config_enabled MBEDTLS_ECDSA_C
7999run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8000 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8001 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8002 crt_file=data_files/server7_int-ca.crt \
8003 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8004 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8005 hs_timeout=10000-60000 \
8006 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8007 "$P_CLI dtls=1 debug_level=2 \
8008 crt_file=data_files/server8_int-ca2.crt \
8009 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8010 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8011 hs_timeout=10000-60000 \
8012 mtu=1024 nbio=2" \
8013 0 \
8014 -S "autoreduction" \
8015 -s "found fragmented DTLS handshake message" \
8016 -c "found fragmented DTLS handshake message" \
8017 -C "error"
8018
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8019# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8020not_with_valgrind # spurious autoreduction due to timeout
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8021requires_config_enabled MBEDTLS_RSA_C
8022requires_config_enabled MBEDTLS_ECDSA_C
8023requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8024requires_config_enabled MBEDTLS_AES_C
8025requires_config_enabled MBEDTLS_GCM_C
8026run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
8027 -p "$P_PXY mtu=512" \
8028 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8029 crt_file=data_files/server7_int-ca.crt \
8030 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8031 ca_file=data_files/test-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8032 hs_timeout=10000-60000 \
8033 mtu=512 nbio=2" \
8034 "$P_CLI dtls=1 debug_level=2 \
8035 crt_file=data_files/server8_int-ca2.crt \
8036 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8037 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8038 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8039 hs_timeout=10000-60000 \
8040 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8041 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8042 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8043 -s "found fragmented DTLS handshake message" \
8044 -c "found fragmented DTLS handshake message" \
8045 -C "error"
8046
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8047# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]8048# This ensures things still work after session_reset().
8049# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8050# Since we don't support reading fragmented ClientHello yet,
8051# up the MTU to 1450 (larger than ClientHello with session ticket,
8052# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8053# An autoreduction on the client-side might happen if the server is
8054# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]8055# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8056# resumed listening, which would result in a spurious autoreduction.
8057not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8058requires_config_enabled MBEDTLS_RSA_C
8059requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8060requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8061requires_config_enabled MBEDTLS_AES_C
8062requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8063run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
8064 -p "$P_PXY mtu=1450" \
8065 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8066 crt_file=data_files/server7_int-ca.crt \
8067 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8068 ca_file=data_files/test-ca.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8069 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8070 mtu=1450" \
8071 "$P_CLI dtls=1 debug_level=2 \
8072 crt_file=data_files/server8_int-ca2.crt \
8073 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8074 ca_file=data_files/test-ca2.crt \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8075 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8076 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]8077 mtu=1450 reconnect=1 skip_close_notify=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8078 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8079 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8080 -s "found fragmented DTLS handshake message" \
8081 -c "found fragmented DTLS handshake message" \
8082 -C "error"
8083
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8084# An autoreduction on the client-side might happen if the server is
8085# slow to reset, therefore omitting '-C "autoreduction"' below.
8086not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8087requires_config_enabled MBEDTLS_RSA_C
8088requires_config_enabled MBEDTLS_ECDSA_C
8089requires_config_enabled MBEDTLS_SHA256_C
8090requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8091requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8092requires_config_enabled MBEDTLS_CHACHAPOLY_C
8093run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
8094 -p "$P_PXY mtu=512" \
8095 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8096 crt_file=data_files/server7_int-ca.crt \
8097 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8098 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8099 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8100 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8101 mtu=512" \
8102 "$P_CLI dtls=1 debug_level=2 \
8103 crt_file=data_files/server8_int-ca2.crt \
8104 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8105 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8106 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8107 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8108 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8109 mtu=512" \
8110 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8111 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8112 -s "found fragmented DTLS handshake message" \
8113 -c "found fragmented DTLS handshake message" \
8114 -C "error"
8115
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8116# An autoreduction on the client-side might happen if the server is
8117# slow to reset, therefore omitting '-C "autoreduction"' below.
8118not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8119requires_config_enabled MBEDTLS_RSA_C
8120requires_config_enabled MBEDTLS_ECDSA_C
8121requires_config_enabled MBEDTLS_SHA256_C
8122requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8123requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8124requires_config_enabled MBEDTLS_AES_C
8125requires_config_enabled MBEDTLS_GCM_C
8126run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
8127 -p "$P_PXY mtu=512" \
8128 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8129 crt_file=data_files/server7_int-ca.crt \
8130 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8131 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8132 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8133 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8134 mtu=512" \
8135 "$P_CLI dtls=1 debug_level=2 \
8136 crt_file=data_files/server8_int-ca2.crt \
8137 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8138 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8139 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8140 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8141 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8142 mtu=512" \
8143 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8144 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8145 -s "found fragmented DTLS handshake message" \
8146 -c "found fragmented DTLS handshake message" \
8147 -C "error"
8148
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8149# An autoreduction on the client-side might happen if the server is
8150# slow to reset, therefore omitting '-C "autoreduction"' below.
8151not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8152requires_config_enabled MBEDTLS_RSA_C
8153requires_config_enabled MBEDTLS_ECDSA_C
8154requires_config_enabled MBEDTLS_SHA256_C
8155requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8156requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8157requires_config_enabled MBEDTLS_AES_C
8158requires_config_enabled MBEDTLS_CCM_C
8159run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8160 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8161 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8162 crt_file=data_files/server7_int-ca.crt \
8163 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8164 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8165 exchanges=2 renegotiation=1 \
8166 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8167 hs_timeout=10000-60000 \
8168 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8169 "$P_CLI dtls=1 debug_level=2 \
8170 crt_file=data_files/server8_int-ca2.crt \
8171 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8172 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8173 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8174 hs_timeout=10000-60000 \
8175 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8176 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8177 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8178 -s "found fragmented DTLS handshake message" \
8179 -c "found fragmented DTLS handshake message" \
8180 -C "error"
8181
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8182# An autoreduction on the client-side might happen if the server is
8183# slow to reset, therefore omitting '-C "autoreduction"' below.
8184not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8185requires_config_enabled MBEDTLS_RSA_C
8186requires_config_enabled MBEDTLS_ECDSA_C
8187requires_config_enabled MBEDTLS_SHA256_C
8188requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8189requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8190requires_config_enabled MBEDTLS_AES_C
8191requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
8192requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
8193run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8194 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8195 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8196 crt_file=data_files/server7_int-ca.crt \
8197 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8198 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8199 exchanges=2 renegotiation=1 \
8200 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8201 hs_timeout=10000-60000 \
8202 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8203 "$P_CLI dtls=1 debug_level=2 \
8204 crt_file=data_files/server8_int-ca2.crt \
8205 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8206 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8207 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8208 hs_timeout=10000-60000 \
8209 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8210 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8211 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8212 -s "found fragmented DTLS handshake message" \
8213 -c "found fragmented DTLS handshake message" \
8214 -C "error"
8215
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8216# An autoreduction on the client-side might happen if the server is
8217# slow to reset, therefore omitting '-C "autoreduction"' below.
8218not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8219requires_config_enabled MBEDTLS_RSA_C
8220requires_config_enabled MBEDTLS_ECDSA_C
8221requires_config_enabled MBEDTLS_SHA256_C
8222requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8223requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8224requires_config_enabled MBEDTLS_AES_C
8225requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
8226run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8227 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8228 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8229 crt_file=data_files/server7_int-ca.crt \
8230 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8231 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8232 exchanges=2 renegotiation=1 \
8233 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8234 hs_timeout=10000-60000 \
8235 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8236 "$P_CLI dtls=1 debug_level=2 \
8237 crt_file=data_files/server8_int-ca2.crt \
8238 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8239 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8240 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8241 hs_timeout=10000-60000 \
8242 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8243 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8244 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8245 -s "found fragmented DTLS handshake message" \
8246 -c "found fragmented DTLS handshake message" \
8247 -C "error"
8248
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8249# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8250requires_config_enabled MBEDTLS_RSA_C
8251requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8252requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8253requires_config_enabled MBEDTLS_AES_C
8254requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8255client_needs_more_time 2
8256run_test "DTLS fragmenting: proxy MTU + 3d" \
8257 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8258 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8259 crt_file=data_files/server7_int-ca.crt \
8260 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8261 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8262 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8263 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8264 crt_file=data_files/server8_int-ca2.crt \
8265 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8266 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8267 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8268 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8269 0 \
8270 -s "found fragmented DTLS handshake message" \
8271 -c "found fragmented DTLS handshake message" \
8272 -C "error"
8273
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8274# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8275requires_config_enabled MBEDTLS_RSA_C
8276requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8277requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
8278requires_config_enabled MBEDTLS_AES_C
8279requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8280client_needs_more_time 2
8281run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
8282 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
8283 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8284 crt_file=data_files/server7_int-ca.crt \
8285 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8286 ca_file=data_files/test-ca.crt \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8287 hs_timeout=250-10000 mtu=512 nbio=2" \
8288 "$P_CLI dtls=1 debug_level=2 \
8289 crt_file=data_files/server8_int-ca2.crt \
8290 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8291 ca_file=data_files/test-ca2.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8292 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8293 hs_timeout=250-10000 mtu=512 nbio=2" \
8294 0 \
8295 -s "found fragmented DTLS handshake message" \
8296 -c "found fragmented DTLS handshake message" \
8297 -C "error"
8298
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8299# interop tests for DTLS fragmentating with reliable connection
8300#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8301# here and below we just want to test that the we fragment in a way that
8302# pleases other implementations, so we don't need the peer to fragment
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8303requires_config_enabled MBEDTLS_RSA_C
8304requires_config_enabled MBEDTLS_ECDSA_C
8305requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8306requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8307run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
8308 "$G_SRV -u" \
8309 "$P_CLI dtls=1 debug_level=2 \
8310 crt_file=data_files/server8_int-ca2.crt \
8311 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8312 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8313 mtu=512 force_version=dtls1_2" \
8314 0 \
8315 -c "fragmenting handshake message" \
8316 -C "error"
8317
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8318requires_config_enabled MBEDTLS_RSA_C
8319requires_config_enabled MBEDTLS_ECDSA_C
8320requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8321requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8322run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
8323 "$G_SRV -u" \
8324 "$P_CLI dtls=1 debug_level=2 \
8325 crt_file=data_files/server8_int-ca2.crt \
8326 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8327 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8328 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8329 0 \
8330 -c "fragmenting handshake message" \
8331 -C "error"
8332
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]8333# We use --insecure for the GnuTLS client because it expects
8334# the hostname / IP it connects to to be the name used in the
8335# certificate obtained from the server. Here, however, it
8336# connects to 127.0.0.1 while our test certificates use 'localhost'
8337# as the server name in the certificate. This will make the
8338# certifiate validation fail, but passing --insecure makes
8339# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8340requires_config_enabled MBEDTLS_RSA_C
8341requires_config_enabled MBEDTLS_ECDSA_C
8342requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8343requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]8344requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8345run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8346 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8347 crt_file=data_files/server7_int-ca.crt \
8348 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8349 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8350 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8351 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8352 0 \
8353 -s "fragmenting handshake message"
8354
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]8355# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8356requires_config_enabled MBEDTLS_RSA_C
8357requires_config_enabled MBEDTLS_ECDSA_C
8358requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8359requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]8360requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8361run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8362 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8363 crt_file=data_files/server7_int-ca.crt \
8364 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8365 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8366 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8367 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8368 0 \
8369 -s "fragmenting handshake message"
8370
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8371requires_config_enabled MBEDTLS_RSA_C
8372requires_config_enabled MBEDTLS_ECDSA_C
8373requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8374run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
8375 "$O_SRV -dtls1_2 -verify 10" \
8376 "$P_CLI dtls=1 debug_level=2 \
8377 crt_file=data_files/server8_int-ca2.crt \
8378 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8379 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8380 mtu=512 force_version=dtls1_2" \
8381 0 \
8382 -c "fragmenting handshake message" \
8383 -C "error"
8384
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8385requires_config_enabled MBEDTLS_RSA_C
8386requires_config_enabled MBEDTLS_ECDSA_C
8387requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8388run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
8389 "$O_SRV -dtls1 -verify 10" \
8390 "$P_CLI dtls=1 debug_level=2 \
8391 crt_file=data_files/server8_int-ca2.crt \
8392 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8393 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8394 mtu=512 force_version=dtls1" \
8395 0 \
8396 -c "fragmenting handshake message" \
8397 -C "error"
8398
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8399requires_config_enabled MBEDTLS_RSA_C
8400requires_config_enabled MBEDTLS_ECDSA_C
8401requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8402run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
8403 "$P_SRV dtls=1 debug_level=2 \
8404 crt_file=data_files/server7_int-ca.crt \
8405 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8406 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8407 mtu=512 force_version=dtls1_2" \
8408 "$O_CLI -dtls1_2" \
8409 0 \
8410 -s "fragmenting handshake message"
8411
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8412requires_config_enabled MBEDTLS_RSA_C
8413requires_config_enabled MBEDTLS_ECDSA_C
8414requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8415run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
8416 "$P_SRV dtls=1 debug_level=2 \
8417 crt_file=data_files/server7_int-ca.crt \
8418 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8419 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8420 mtu=512 force_version=dtls1" \
8421 "$O_CLI -dtls1" \
8422 0 \
8423 -s "fragmenting handshake message"
8424
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8425# interop tests for DTLS fragmentating with unreliable connection
8426#
8427# again we just want to test that the we fragment in a way that
8428# pleases other implementations, so we don't need the peer to fragment
8429requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8430requires_config_enabled MBEDTLS_RSA_C
8431requires_config_enabled MBEDTLS_ECDSA_C
8432requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8433client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8434run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
8435 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8436 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8437 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8438 crt_file=data_files/server8_int-ca2.crt \
8439 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8440 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8441 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8442 0 \
8443 -c "fragmenting handshake message" \
8444 -C "error"
8445
8446requires_gnutls_next
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8447requires_config_enabled MBEDTLS_RSA_C
8448requires_config_enabled MBEDTLS_ECDSA_C
8449requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8450client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8451run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
8452 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8453 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8454 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8455 crt_file=data_files/server8_int-ca2.crt \
8456 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8457 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8458 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8459 0 \
8460 -c "fragmenting handshake message" \
8461 -C "error"
8462
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8463requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8464requires_config_enabled MBEDTLS_RSA_C
8465requires_config_enabled MBEDTLS_ECDSA_C
8466requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8467client_needs_more_time 4
8468run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
8469 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8470 "$P_SRV dtls=1 debug_level=2 \
8471 crt_file=data_files/server7_int-ca.crt \
8472 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8473 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8474 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8475 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8476 0 \
8477 -s "fragmenting handshake message"
8478
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8479requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8480requires_config_enabled MBEDTLS_RSA_C
8481requires_config_enabled MBEDTLS_ECDSA_C
8482requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8483client_needs_more_time 4
8484run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
8485 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8486 "$P_SRV dtls=1 debug_level=2 \
8487 crt_file=data_files/server7_int-ca.crt \
8488 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8489 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8490 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]8491 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8492 0 \
8493 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8494
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8495## Interop test with OpenSSL might trigger a bug in recent versions (including
8496## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8497## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8498## They should be re-enabled once a fixed version of OpenSSL is available
8499## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8500skip_next_test
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8501requires_config_enabled MBEDTLS_RSA_C
8502requires_config_enabled MBEDTLS_ECDSA_C
8503requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8504client_needs_more_time 4
8505run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
8506 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8507 "$O_SRV -dtls1_2 -verify 10" \
8508 "$P_CLI dtls=1 debug_level=2 \
8509 crt_file=data_files/server8_int-ca2.crt \
8510 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8511 ca_file=data_files/test-ca2.crt \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8512 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8513 0 \
8514 -c "fragmenting handshake message" \
8515 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8516
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8517skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8518requires_config_enabled MBEDTLS_RSA_C
8519requires_config_enabled MBEDTLS_ECDSA_C
8520requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8521client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8522run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
8523 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8524 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8525 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8526 crt_file=data_files/server8_int-ca2.crt \
8527 key_file=data_files/server8.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8528 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8529 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8530 0 \
8531 -c "fragmenting handshake message" \
8532 -C "error"
8533
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8534skip_next_test
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8535requires_config_enabled MBEDTLS_RSA_C
8536requires_config_enabled MBEDTLS_ECDSA_C
8537requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8538client_needs_more_time 4
8539run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
8540 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8541 "$P_SRV dtls=1 debug_level=2 \
8542 crt_file=data_files/server7_int-ca.crt \
8543 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8544 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8545 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8546 "$O_CLI -dtls1_2" \
8547 0 \
8548 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8549
8550# -nbio is added to prevent s_client from blocking in case of duplicated
8551# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8552skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8553requires_config_enabled MBEDTLS_RSA_C
8554requires_config_enabled MBEDTLS_ECDSA_C
8555requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8556client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8557run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
8558 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8559 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8560 crt_file=data_files/server7_int-ca.crt \
8561 key_file=data_files/server7.key \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]8562 ca_file=data_files/test-ca2.crt \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8563 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8564 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8565 0 \
8566 -s "fragmenting handshake message"
8567
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8568# Tests for specific things with "unreliable" UDP connection
8569
8570not_with_valgrind # spurious resend due to timeout
8571run_test "DTLS proxy: reference" \
8572 -p "$P_PXY" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]8573 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
8574 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8575 0 \
8576 -C "replayed record" \
8577 -S "replayed record" \
Hanno Beckere03eb7b2019-07-19 15:43:09 +0100[diff] [blame]8578 -C "Buffer record from epoch" \
8579 -S "Buffer record from epoch" \
8580 -C "ssl_buffer_message" \
8581 -S "ssl_buffer_message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8582 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8583 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8584 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8585 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]8586 -c "HTTP/1.0 200 OK"
8587
8588not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8589run_test "DTLS proxy: duplicate every packet" \
8590 -p "$P_PXY duplicate=1" \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]8591 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=1 hs_timeout=10000-20000" \
8592 "$P_CLI dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]8593 0 \
8594 -c "replayed record" \
8595 -s "replayed record" \
8596 -c "record from another epoch" \
8597 -s "record from another epoch" \
8598 -S "resend" \
8599 -s "Extra-header:" \
8600 -c "HTTP/1.0 200 OK"
8601
8602run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
8603 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8604 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
8605 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8606 0 \
8607 -c "replayed record" \
8608 -S "replayed record" \
8609 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8610 -s "record from another epoch" \
8611 -c "resend" \
8612 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8613 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8614 -c "HTTP/1.0 200 OK"
8615
8616run_test "DTLS proxy: multiple records in same datagram" \
8617 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8618 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8619 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8620 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8621 -c "next record in same datagram" \
8622 -s "next record in same datagram"
8623
8624run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
8625 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8626 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8627 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8628 0 \
8629 -c "next record in same datagram" \
8630 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8631
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]8632requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8633run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
8634 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8635 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
8636 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8637 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8638 -c "discarding invalid record (mac)" \
8639 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8640 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8641 -c "HTTP/1.0 200 OK" \
8642 -S "too many records with bad MAC" \
8643 -S "Verification of the message MAC failed"
8644
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]8645requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8646run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
8647 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8648 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
8649 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8650 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8651 -C "discarding invalid record (mac)" \
8652 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8653 -S "Extra-header:" \
8654 -C "HTTP/1.0 200 OK" \
8655 -s "too many records with bad MAC" \
8656 -s "Verification of the message MAC failed"
8657
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]8658requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8659run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
8660 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8661 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
8662 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8663 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8664 -c "discarding invalid record (mac)" \
8665 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8666 -s "Extra-header:" \
8667 -c "HTTP/1.0 200 OK" \
8668 -S "too many records with bad MAC" \
8669 -S "Verification of the message MAC failed"
8670
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]8671requires_config_disabled MBEDTLS_SSL_CONF_READ_TIMEOUT
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8672run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
8673 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8674 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
8675 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8676 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8677 -c "discarding invalid record (mac)" \
8678 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8679 -s "Extra-header:" \
8680 -c "HTTP/1.0 200 OK" \
8681 -s "too many records with bad MAC" \
8682 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8683
8684run_test "DTLS proxy: delay ChangeCipherSpec" \
8685 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]8686 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
8687 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8688 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8689 -c "record from another epoch" \
8690 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8691 -s "Extra-header:" \
8692 -c "HTTP/1.0 200 OK"
8693
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8694# Tests for reordering support with DTLS
8695
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8696run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
8697 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8698 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8699 hs_timeout=2500-60000" \
8700 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8701 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8702 0 \
8703 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8704 -c "Next handshake message has been buffered - load"\
8705 -S "Buffering HS message" \
8706 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8707 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8708 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8709 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8710 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8711
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8712run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
8713 -p "$P_PXY delay_srv=ServerHello" \
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]8714 "$P_SRV mtu=256 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8715 hs_timeout=2500-60000" \
8716 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8717 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8718 0 \
8719 -c "Buffering HS message" \
8720 -c "found fragmented DTLS handshake message"\
8721 -c "Next handshake message 1 not or only partially bufffered" \
8722 -c "Next handshake message has been buffered - load"\
8723 -S "Buffering HS message" \
8724 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8725 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8726 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8727 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8728 -S "Remember CCS message"
8729
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8730# The client buffers the ServerKeyExchange before receiving the fragmented
8731# Certificate message; at the time of writing, together these are aroudn 1200b
8732# in size, so that the bound below ensures that the certificate can be reassembled
8733# while keeping the ServerKeyExchange.
8734requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
8735run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8736 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8737 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8738 hs_timeout=2500-60000" \
8739 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8740 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8741 0 \
8742 -c "Buffering HS message" \
8743 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8744 -C "attempt to make space by freeing buffered messages" \
8745 -S "Buffering HS message" \
8746 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8747 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8748 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8749 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8750 -S "Remember CCS message"
8751
8752# The size constraints ensure that the delayed certificate message can't
8753# be reassembled while keeping the ServerKeyExchange message, but it can
8754# when dropping it first.
8755requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
8756requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
8757run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
8758 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8759 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8760 hs_timeout=2500-60000" \
8761 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8762 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8763 0 \
8764 -c "Buffering HS message" \
8765 -c "attempt to make space by freeing buffered future messages" \
8766 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8767 -S "Buffering HS message" \
8768 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8769 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8770 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8771 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8772 -S "Remember CCS message"
8773
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8774run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
8775 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8776 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
8777 hs_timeout=2500-60000" \
8778 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8779 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8780 0 \
8781 -C "Buffering HS message" \
8782 -C "Next handshake message has been buffered - load"\
8783 -s "Buffering HS message" \
8784 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8785 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8786 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8787 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8788 -S "Remember CCS message"
8789
Manuel Pégourié-Gonnardf1c6ad42019-07-01 10:13:04 +0200[diff] [blame]8790# This needs session tickets; otherwise CCS is the first message in its flight
8791requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8792run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
8793 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8794 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8795 hs_timeout=2500-60000" \
8796 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8797 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8798 0 \
8799 -C "Buffering HS message" \
8800 -C "Next handshake message has been buffered - load"\
8801 -S "Buffering HS message" \
8802 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8803 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8804 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8805 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8806 -S "Remember CCS message"
8807
Jarno Lamsa33281d52019-10-18 10:54:35 +0300[diff] [blame]8808# This needs session tickets; otherwise CCS is the first message in its flight
8809requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8810run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
8811 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8812 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8813 hs_timeout=2500-60000" \
8814 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8815 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8816 0 \
8817 -C "Buffering HS message" \
8818 -C "Next handshake message has been buffered - load"\
8819 -S "Buffering HS message" \
8820 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8821 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8822 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8823 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8824 -s "Remember CCS message"
8825
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8826run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8827 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8828 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8829 hs_timeout=2500-60000" \
8830 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8831 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]8832 0 \
8833 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8834 -s "Found buffered record from current epoch - load" \
8835 -c "Buffer record from epoch 1" \
8836 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8837
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8838# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
8839# from the server are delayed, so that the encrypted Finished message
8840# is received and buffered. When the fragmented NewSessionTicket comes
8841# in afterwards, the encrypted Finished message must be freed in order
8842# to make space for the NewSessionTicket to be reassembled.
8843# This works only in very particular circumstances:
8844# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
8845# of the NewSessionTicket, but small enough to also allow buffering of
8846# the encrypted Finished message.
8847# - The MTU setting on the server must be so small that the NewSessionTicket
8848# needs to be fragmented.
8849# - All messages sent by the server must be small enough to be either sent
8850# without fragmentation or be reassembled within the bounds of
8851# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
8852# handshake, omitting CRTs.
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8853requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
8854requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8855run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
8856 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
Manuel Pégourié-Gonnardf8c355a2019-05-28 10:21:30 +0200[diff] [blame]8857 "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8858 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
8859 0 \
8860 -s "Buffer record from epoch 1" \
8861 -s "Found buffered record from current epoch - load" \
8862 -c "Buffer record from epoch 1" \
8863 -C "Found buffered record from current epoch - load" \
8864 -c "Enough space available after freeing future epoch record"
8865
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]8866# Tests for "randomly unreliable connection": try a variety of flows and peers
8867
8868client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8869run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
8870 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8871 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8872 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8873 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8874 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8875 0 \
8876 -s "Extra-header:" \
8877 -c "HTTP/1.0 200 OK"
8878
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8879client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8880run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
8881 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8882 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8883 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8884 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
8885 0 \
8886 -s "Extra-header:" \
8887 -c "HTTP/1.0 200 OK"
8888
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8889client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8890run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
8891 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8892 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8893 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8894 0 \
8895 -s "Extra-header:" \
8896 -c "HTTP/1.0 200 OK"
8897
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8898client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8899run_test "DTLS proxy: 3d, FS, client auth" \
8900 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8901 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
8902 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8903 0 \
8904 -s "Extra-header:" \
8905 -c "HTTP/1.0 200 OK"
8906
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8907client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8908run_test "DTLS proxy: 3d, FS, ticket" \
8909 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8910 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
8911 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8912 0 \
8913 -s "Extra-header:" \
8914 -c "HTTP/1.0 200 OK"
8915
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8916client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8917run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
8918 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8919 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
8920 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8921 0 \
8922 -s "Extra-header:" \
8923 -c "HTTP/1.0 200 OK"
8924
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8925client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8926run_test "DTLS proxy: 3d, max handshake, nbio" \
8927 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8928 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8929 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8930 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8931 0 \
8932 -s "Extra-header:" \
8933 -c "HTTP/1.0 200 OK"
8934
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8935client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8936requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8937requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8938requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8939run_test "DTLS proxy: 3d, min handshake, resumption" \
8940 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8941 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8942 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8943 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]8944 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8945 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8946 0 \
8947 -s "a session has been resumed" \
8948 -c "a session has been resumed" \
8949 -s "Extra-header:" \
8950 -c "HTTP/1.0 200 OK"
8951
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8952client_needs_more_time 4
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8953requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION
Jarno Lamsa5b52b272019-06-19 10:21:37 +0300[diff] [blame]8954requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Jarno Lamsa29f2dd02019-06-20 15:31:52 +0300[diff] [blame]8955requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8956run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
8957 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8958 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8959 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8960 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Andrzej Kurek825ebd42020-05-18 11:47:25 -0400[diff] [blame]8961 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8962 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
8963 0 \
8964 -s "a session has been resumed" \
8965 -c "a session has been resumed" \
8966 -s "Extra-header:" \
8967 -c "HTTP/1.0 200 OK"
8968
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8969client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8970requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8971run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8972 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8973 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8974 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8975 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8976 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8977 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8978 0 \
8979 -c "=> renegotiate" \
8980 -s "=> renegotiate" \
8981 -s "Extra-header:" \
8982 -c "HTTP/1.0 200 OK"
8983
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8984client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8985requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8986run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
8987 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8988 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8989 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8990 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8991 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8992 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8993 0 \
8994 -c "=> renegotiate" \
8995 -s "=> renegotiate" \
8996 -s "Extra-header:" \
8997 -c "HTTP/1.0 200 OK"
8998
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8999client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9000requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9001run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9002 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9003 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9004 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9005 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9006 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9007 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9008 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9009 0 \
9010 -c "=> renegotiate" \
9011 -s "=> renegotiate" \
9012 -s "Extra-header:" \
9013 -c "HTTP/1.0 200 OK"
9014
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9015client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9016requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9017run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9018 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9019 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9020 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9021 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9022 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9023 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9024 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9025 0 \
9026 -c "=> renegotiate" \
9027 -s "=> renegotiate" \
9028 -s "Extra-header:" \
9029 -c "HTTP/1.0 200 OK"
9030
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]9031## Interop tests with OpenSSL might trigger a bug in recent versions (including
9032## all versions installed on the CI machines), reported here:
9033## Bug report: https://github.com/openssl/openssl/issues/6902
9034## They should be re-enabled once a fixed version of OpenSSL is available
9035## (this should happen in some 1.1.1_ release according to the ticket).
9036skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9037client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]9038not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]9039run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]9040 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
9041 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9042 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]9043 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]9044 -c "HTTP/1.0 200 OK"
9045
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]9046skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9047client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]9048not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]9049run_test "DTLS proxy: 3d, openssl server, fragmentation" \
9050 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
9051 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9052 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]9053 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]9054 -c "HTTP/1.0 200 OK"
9055
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]9056skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9057client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]9058not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9059run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
9060 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
9061 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9062 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9063 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9064 -c "HTTP/1.0 200 OK"
9065
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]9066requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9067client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]9068not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]9069run_test "DTLS proxy: 3d, gnutls server" \
9070 -p "$P_PXY drop=5 delay=5 duplicate=5" \
9071 "$G_SRV -u --mtu 2048 -a" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]9072 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]9073 0 \
9074 -s "Extra-header:" \
9075 -c "Extra-header:"
9076
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]9077requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9078client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]9079not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]9080run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
9081 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]9082 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]9083 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]9084 0 \
9085 -s "Extra-header:" \
9086 -c "Extra-header:"
9087
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]9088requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9089client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]9090not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9091run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
9092 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiakabb843e2019-02-18 16:14:03 +0100[diff] [blame]9093 "$G_NEXT_SRV -u --mtu 512" \
Hanno Becker843f5bb2019-08-23 17:17:09 +0100[diff] [blame]9094 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 ca_file=data_files/test-ca2.crt" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9095 0 \
9096 -s "Extra-header:" \
9097 -c "Extra-header:"
9098
Andrzej Kurekf3844952020-10-16 23:03:01 +0200[diff] [blame]9099# Test heap memory usage after handshake
9100requires_config_enabled MBEDTLS_MEMORY_DEBUG
9101requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C
9102requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
9103run_tests_memory_after_hanshake
9104
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]9105# Final report
9106
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]9107echo "------------------------------------------------------------------------"
9108
9109if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]9110 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]9111else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]9112 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]9113fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]9114PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]9115echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]9116
9117exit $FAILS