TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 1d7399351e8e3685c5811d0008f9e80d0aac7ad7 / . / tests / ssl-opt.sh
blob: 92b7686eda10f44723f1932557e747ccb33c2ff5 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]24if cd $( dirname $0 ); then :; else
25 echo "cd $( dirname $0 ) failed" >&2
26 exit 1
27fi
28
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]29# default values, can be overriden by the environment
30: ${P_SRV:=../programs/ssl/ssl_server2}
31: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]32: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]33: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]34: ${GNUTLS_CLI:=gnutls-cli}
35: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]36: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]37
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]38O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]39O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]40G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]41G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]42TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]43
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]44TESTS=0
45FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]46SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]47
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]48CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]49
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]50MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]51FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]52EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]53
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]54SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]55RUN_TEST_NUMBER=''
56
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]57PRESERVE_LOGS=0
58
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]59# Pick a "unique" server port in the range 10000-19999, and a proxy
60# port which is this plus 10000. Each port number may be independently
61# overridden by a command line option.
62SRV_PORT=$(($$ % 10000 + 10000))
63PXY_PORT=$((SRV_PORT + 10000))
64
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]65print_usage() {
66 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]67 printf " -h|--help\tPrint this help.\n"
68 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]69 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
70 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]71 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]72 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]73 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]74 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
75 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]76 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]77}
78
79get_options() {
80 while [ $# -gt 0 ]; do
81 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]82 -f|--filter)
83 shift; FILTER=$1
84 ;;
85 -e|--exclude)
86 shift; EXCLUDE=$1
87 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]88 -m|--memcheck)
89 MEMCHECK=1
90 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]91 -n|--number)
92 shift; RUN_TEST_NUMBER=$1
93 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]94 -s|--show-numbers)
95 SHOW_TEST_NUMBER=1
96 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]97 -p|--preserve-logs)
98 PRESERVE_LOGS=1
99 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]100 --port)
101 shift; SRV_PORT=$1
102 ;;
103 --proxy-port)
104 shift; PXY_PORT=$1
105 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]106 --seed)
107 shift; SEED="$1"
108 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]109 -h|--help)
110 print_usage
111 exit 0
112 ;;
113 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]114 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]115 print_usage
116 exit 1
117 ;;
118 esac
119 shift
120 done
121}
122
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]123# skip next test if the flag is not enabled in config.h
124requires_config_enabled() {
125 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
126 SKIP_NEXT="YES"
127 fi
128}
129
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]130# skip next test if the flag is enabled in config.h
131requires_config_disabled() {
132 if grep "^#define $1" $CONFIG_H > /dev/null; then
133 SKIP_NEXT="YES"
134 fi
135}
136
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]137# skip next test if OpenSSL doesn't support FALLBACK_SCSV
138requires_openssl_with_fallback_scsv() {
139 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
140 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
141 then
142 OPENSSL_HAS_FBSCSV="YES"
143 else
144 OPENSSL_HAS_FBSCSV="NO"
145 fi
146 fi
147 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
148 SKIP_NEXT="YES"
149 fi
150}
151
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]152# skip next test if GnuTLS isn't available
153requires_gnutls() {
154 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]155 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]156 GNUTLS_AVAILABLE="YES"
157 else
158 GNUTLS_AVAILABLE="NO"
159 fi
160 fi
161 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
162 SKIP_NEXT="YES"
163 fi
164}
165
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]166# skip next test if IPv6 isn't available on this host
167requires_ipv6() {
168 if [ -z "${HAS_IPV6:-}" ]; then
169 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
170 SRV_PID=$!
171 sleep 1
172 kill $SRV_PID >/dev/null 2>&1
173 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
174 HAS_IPV6="NO"
175 else
176 HAS_IPV6="YES"
177 fi
178 rm -r $SRV_OUT
179 fi
180
181 if [ "$HAS_IPV6" = "NO" ]; then
182 SKIP_NEXT="YES"
183 fi
184}
185
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]186# Calculate the input & output maximum content lengths set in the config
187MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
188MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
189MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
190
191if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
192 MAX_CONTENT_LEN="$MAX_IN_LEN"
193fi
194if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
195 MAX_CONTENT_LEN="$MAX_OUT_LEN"
196fi
197
198# skip the next test if the SSL output buffer is less than 16KB
199requires_full_size_output_buffer() {
200 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
201 SKIP_NEXT="YES"
202 fi
203}
204
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]205# skip the next test if valgrind is in use
206not_with_valgrind() {
207 if [ "$MEMCHECK" -gt 0 ]; then
208 SKIP_NEXT="YES"
209 fi
210}
211
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]212# skip the next test if valgrind is NOT in use
213only_with_valgrind() {
214 if [ "$MEMCHECK" -eq 0 ]; then
215 SKIP_NEXT="YES"
216 fi
217}
218
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]219# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]220client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]221 CLI_DELAY_FACTOR=$1
222}
223
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]224# wait for the given seconds after the client finished in the next test
225server_needs_more_time() {
226 SRV_DELAY_SECONDS=$1
227}
228
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]229# print_name <name>
230print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]231 TESTS=$(( $TESTS + 1 ))
232 LINE=""
233
234 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
235 LINE="$TESTS "
236 fi
237
238 LINE="$LINE$1"
239 printf "$LINE "
240 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]241 for i in `seq 1 $LEN`; do printf '.'; done
242 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]243
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]244}
245
246# fail <message>
247fail() {
248 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]249 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]250
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]251 mv $SRV_OUT o-srv-${TESTS}.log
252 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]253 if [ -n "$PXY_CMD" ]; then
254 mv $PXY_OUT o-pxy-${TESTS}.log
255 fi
256 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]257
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]258 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]259 echo " ! server output:"
260 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]261 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]262 echo " ! client output:"
263 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]264 if [ -n "$PXY_CMD" ]; then
265 echo " ! ========================================================"
266 echo " ! proxy output:"
267 cat o-pxy-${TESTS}.log
268 fi
269 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]270 fi
271
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]272 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]273}
274
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]275# is_polar <cmd_line>
276is_polar() {
277 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
278}
279
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]280# openssl s_server doesn't have -www with DTLS
281check_osrv_dtls() {
282 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
283 NEEDS_INPUT=1
284 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
285 else
286 NEEDS_INPUT=0
287 fi
288}
289
290# provide input to commands that need it
291provide_input() {
292 if [ $NEEDS_INPUT -eq 0 ]; then
293 return
294 fi
295
296 while true; do
297 echo "HTTP/1.0 200 OK"
298 sleep 1
299 done
300}
301
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]302# has_mem_err <log_file_name>
303has_mem_err() {
304 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
305 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
306 then
307 return 1 # false: does not have errors
308 else
309 return 0 # true: has errors
310 fi
311}
312
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]313# Wait for process $2 to be listening on port $1
314if type lsof >/dev/null 2>/dev/null; then
315 wait_server_start() {
316 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]317 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]318 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]319 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]320 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]321 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]322 # Make a tight loop, server normally takes less than 1s to start.
323 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
324 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
325 echo "SERVERSTART TIMEOUT"
326 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
327 break
328 fi
329 # Linux and *BSD support decimal arguments to sleep. On other
330 # OSes this may be a tight loop.
331 sleep 0.1 2>/dev/null || true
332 done
333 }
334else
Gilles Peskinea9312652018-06-29 15:48:13 +0200[diff] [blame]335 echo "Warning: lsof not available, wait_server_start = sleep"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]336 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]337 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]338 }
339fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]340
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]341# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]342# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]343# acceptable bounds
344check_server_hello_time() {
345 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]346 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]347 # Get the Unix timestamp for now
348 CUR_TIME=$(date +'%s')
349 THRESHOLD_IN_SECS=300
350
351 # Check if the ServerHello time was printed
352 if [ -z "$SERVER_HELLO_TIME" ]; then
353 return 1
354 fi
355
356 # Check the time in ServerHello is within acceptable bounds
357 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
358 # The time in ServerHello is at least 5 minutes before now
359 return 1
360 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]361 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]362 return 1
363 else
364 return 0
365 fi
366}
367
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]368# wait for client to terminate and set CLI_EXIT
369# must be called right after starting the client
370wait_client_done() {
371 CLI_PID=$!
372
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]373 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
374 CLI_DELAY_FACTOR=1
375
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]376 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]377 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]378
379 wait $CLI_PID
380 CLI_EXIT=$?
381
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]382 kill $DOG_PID >/dev/null 2>&1
383 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]384
385 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]386
387 sleep $SRV_DELAY_SECONDS
388 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]389}
390
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]391# check if the given command uses dtls and sets global variable DTLS
392detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]393 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]394 DTLS=1
395 else
396 DTLS=0
397 fi
398}
399
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]400# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]401# Options: -s pattern pattern that must be present in server output
402# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]403# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]404# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]405# -S pattern pattern that must be absent in server output
406# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]407# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]408# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]409run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]410 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]411 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]412
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]413 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
414 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]415 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]416 return
417 fi
418
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]419 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]420
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]421 # Do we only run numbered tests?
422 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
423 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
424 else
425 SKIP_NEXT="YES"
426 fi
427
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]428 # should we skip?
429 if [ "X$SKIP_NEXT" = "XYES" ]; then
430 SKIP_NEXT="NO"
431 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]432 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]433 return
434 fi
435
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]436 # does this test use a proxy?
437 if [ "X$1" = "X-p" ]; then
438 PXY_CMD="$2"
439 shift 2
440 else
441 PXY_CMD=""
442 fi
443
444 # get commands and client output
445 SRV_CMD="$1"
446 CLI_CMD="$2"
447 CLI_EXPECT="$3"
448 shift 3
449
450 # fix client port
451 if [ -n "$PXY_CMD" ]; then
452 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
453 else
454 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
455 fi
456
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]457 # update DTLS variable
458 detect_dtls "$SRV_CMD"
459
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]460 # prepend valgrind to our commands if active
461 if [ "$MEMCHECK" -gt 0 ]; then
462 if is_polar "$SRV_CMD"; then
463 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
464 fi
465 if is_polar "$CLI_CMD"; then
466 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
467 fi
468 fi
469
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]470 TIMES_LEFT=2
471 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]472 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]473
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]474 # run the commands
475 if [ -n "$PXY_CMD" ]; then
476 echo "$PXY_CMD" > $PXY_OUT
477 $PXY_CMD >> $PXY_OUT 2>&1 &
478 PXY_PID=$!
479 # assume proxy starts faster than server
480 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]481
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]482 check_osrv_dtls
483 echo "$SRV_CMD" > $SRV_OUT
484 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
485 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]486 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]487
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]488 echo "$CLI_CMD" > $CLI_OUT
489 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
490 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]491
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]492 sleep 0.05
493
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]494 # terminate the server (and the proxy)
495 kill $SRV_PID
496 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]497
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]498 if [ -n "$PXY_CMD" ]; then
499 kill $PXY_PID >/dev/null 2>&1
500 wait $PXY_PID
501 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]502
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]503 # retry only on timeouts
504 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
505 printf "RETRY "
506 else
507 TIMES_LEFT=0
508 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]509 done
510
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]511 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]512 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]513 # expected client exit to incorrectly succeed in case of catastrophic
514 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]515 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]516 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]517 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]518 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]519 return
520 fi
521 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]522 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]523 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]524 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]525 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]526 return
527 fi
528 fi
529
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]530 # check server exit code
531 if [ $? != 0 ]; then
532 fail "server fail"
533 return
534 fi
535
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]536 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]537 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
538 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]539 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]540 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]541 return
542 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]543
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]544 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]545 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]546 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]547 while [ $# -gt 0 ]
548 do
549 case $1 in
550 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]551 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]552 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]553 return
554 fi
555 ;;
556
557 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]558 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]559 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]560 return
561 fi
562 ;;
563
564 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]565 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]566 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]567 return
568 fi
569 ;;
570
571 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]572 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]573 fail "pattern '$2' MUST NOT be present in the Client output"
574 return
575 fi
576 ;;
577
578 # The filtering in the following two options (-u and -U) do the following
579 # - ignore valgrind output
580 # - filter out everything but lines right after the pattern occurances
581 # - keep one of each non-unique line
582 # - count how many lines remain
583 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
584 # if there were no duplicates.
585 "-U")
586 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
587 fail "lines following pattern '$2' must be unique in Server output"
588 return
589 fi
590 ;;
591
592 "-u")
593 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
594 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]595 return
596 fi
597 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]598 "-F")
599 if ! $2 "$SRV_OUT"; then
600 fail "function call to '$2' failed on Server output"
601 return
602 fi
603 ;;
604 "-f")
605 if ! $2 "$CLI_OUT"; then
606 fail "function call to '$2' failed on Client output"
607 return
608 fi
609 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]610
611 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]612 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]613 exit 1
614 esac
615 shift 2
616 done
617
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]618 # check valgrind's results
619 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]620 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]621 fail "Server has memory errors"
622 return
623 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]624 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]625 fail "Client has memory errors"
626 return
627 fi
628 fi
629
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]630 # if we're here, everything is ok
631 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]632 if [ "$PRESERVE_LOGS" -gt 0 ]; then
633 mv $SRV_OUT o-srv-${TESTS}.log
634 mv $CLI_OUT o-cli-${TESTS}.log
635 fi
636
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]637 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]638}
639
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]640cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]641 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]642 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
643 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
644 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
645 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]646 exit 1
647}
648
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]649#
650# MAIN
651#
652
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]653get_options "$@"
654
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]655# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]656P_SRV_BIN="${P_SRV%%[ ]*}"
657P_CLI_BIN="${P_CLI%%[ ]*}"
658P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]659if [ ! -x "$P_SRV_BIN" ]; then
660 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]661 exit 1
662fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]663if [ ! -x "$P_CLI_BIN" ]; then
664 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]665 exit 1
666fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]667if [ ! -x "$P_PXY_BIN" ]; then
668 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]669 exit 1
670fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]671if [ "$MEMCHECK" -gt 0 ]; then
672 if which valgrind >/dev/null 2>&1; then :; else
673 echo "Memcheck not possible. Valgrind not found"
674 exit 1
675 fi
676fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]677if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
678 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]679 exit 1
680fi
681
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]682# used by watchdog
683MAIN_PID="$$"
684
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]685# We use somewhat arbitrary delays for tests:
686# - how long do we wait for the server to start (when lsof not available)?
687# - how long do we allow for the client to finish?
688# (not to check performance, just to avoid waiting indefinitely)
689# Things are slower with valgrind, so give extra time here.
690#
691# Note: without lsof, there is a trade-off between the running time of this
692# script and the risk of spurious errors because we didn't wait long enough.
693# The watchdog delay on the other hand doesn't affect normal running time of
694# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]695if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]696 START_DELAY=6
697 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]698else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]699 START_DELAY=2
700 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]701fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]702
703# some particular tests need more time:
704# - for the client, we multiply the usual watchdog limit by a factor
705# - for the server, we sleep for a number of seconds after the client exits
706# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]707CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]708SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]709
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]710# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]711# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]712P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
713P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]714P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]715O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]716O_CLI="$O_CLI -connect localhost:+SRV_PORT"
717G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]718G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]719
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]720# Allow SHA-1, because many of our test certificates use it
721P_SRV="$P_SRV allow_sha1=1"
722P_CLI="$P_CLI allow_sha1=1"
723
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]724# Also pick a unique name for intermediate files
725SRV_OUT="srv_out.$$"
726CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]727PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]728SESSION="session.$$"
729
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]730SKIP_NEXT="NO"
731
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]732trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]733
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]734# Basic test
735
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]736# Checks that:
737# - things work with all ciphersuites active (used with config-full in all.sh)
738# - the expected (highest security) parameters are selected
739# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]740run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]741 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]742 "$P_CLI" \
743 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]744 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]745 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]746 -s "client hello v3, signature_algorithm ext: 6" \
747 -s "ECDHE curve: secp521r1" \
748 -S "error" \
749 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]750
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]751run_test "Default, DTLS" \
752 "$P_SRV dtls=1" \
753 "$P_CLI dtls=1" \
754 0 \
755 -s "Protocol is DTLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]756 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]757
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]758# Test current time in ServerHello
759requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]760run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]761 "$P_SRV debug_level=3" \
762 "$P_CLI debug_level=3" \
763 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]764 -f "check_server_hello_time" \
765 -F "check_server_hello_time"
766
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]767# Test for uniqueness of IVs in AEAD ciphersuites
768run_test "Unique IV in GCM" \
769 "$P_SRV exchanges=20 debug_level=4" \
770 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
771 0 \
772 -u "IV used" \
773 -U "IV used"
774
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]775# Tests for rc4 option
776
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]777requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]778run_test "RC4: server disabled, client enabled" \
779 "$P_SRV" \
780 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
781 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]782 -s "SSL - The server has no ciphersuites in common"
783
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]784requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]785run_test "RC4: server half, client enabled" \
786 "$P_SRV arc4=1" \
787 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
788 1 \
789 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]790
791run_test "RC4: server enabled, client disabled" \
792 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
793 "$P_CLI" \
794 1 \
795 -s "SSL - The server has no ciphersuites in common"
796
797run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]798 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]799 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
800 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]801 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]802 -S "SSL - The server has no ciphersuites in common"
803
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]804# Tests for SHA-1 support
805
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]806requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]807run_test "SHA-1 forbidden by default in server certificate" \
808 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
809 "$P_CLI debug_level=2 allow_sha1=0" \
810 1 \
811 -c "The certificate is signed with an unacceptable hash"
812
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]813requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
814run_test "SHA-1 forbidden by default in server certificate" \
815 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
816 "$P_CLI debug_level=2 allow_sha1=0" \
817 0
818
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]819run_test "SHA-1 explicitly allowed in server certificate" \
820 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
821 "$P_CLI allow_sha1=1" \
822 0
823
824run_test "SHA-256 allowed by default in server certificate" \
825 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
826 "$P_CLI allow_sha1=0" \
827 0
828
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]829requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]830run_test "SHA-1 forbidden by default in client certificate" \
831 "$P_SRV auth_mode=required allow_sha1=0" \
832 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
833 1 \
834 -s "The certificate is signed with an unacceptable hash"
835
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]836requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
837run_test "SHA-1 forbidden by default in client certificate" \
838 "$P_SRV auth_mode=required allow_sha1=0" \
839 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
840 0
841
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]842run_test "SHA-1 explicitly allowed in client certificate" \
843 "$P_SRV auth_mode=required allow_sha1=1" \
844 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
845 0
846
847run_test "SHA-256 allowed by default in client certificate" \
848 "$P_SRV auth_mode=required allow_sha1=0" \
849 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
850 0
851
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]852# Tests for Truncated HMAC extension
853
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]854run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]855 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]856 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]857 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]858 -s "dumping 'expected mac' (20 bytes)" \
859 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]860
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]861requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]862run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]863 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]864 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]865 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]866 -s "dumping 'expected mac' (20 bytes)" \
867 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]868
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]869requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]870run_test "Truncated HMAC: client enabled, server default" \
871 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]872 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]873 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]874 -s "dumping 'expected mac' (20 bytes)" \
875 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]876
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]877requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]878run_test "Truncated HMAC: client enabled, server disabled" \
879 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]880 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]881 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]882 -s "dumping 'expected mac' (20 bytes)" \
883 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]884
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]885requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]886run_test "Truncated HMAC: client disabled, server enabled" \
887 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]888 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]889 0 \
890 -s "dumping 'expected mac' (20 bytes)" \
891 -S "dumping 'expected mac' (10 bytes)"
892
893requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]894run_test "Truncated HMAC: client enabled, server enabled" \
895 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]896 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]897 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]898 -S "dumping 'expected mac' (20 bytes)" \
899 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]900
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]901run_test "Truncated HMAC, DTLS: client default, server default" \
902 "$P_SRV dtls=1 debug_level=4" \
903 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
904 0 \
905 -s "dumping 'expected mac' (20 bytes)" \
906 -S "dumping 'expected mac' (10 bytes)"
907
908requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
909run_test "Truncated HMAC, DTLS: client disabled, server default" \
910 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]911 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]912 0 \
913 -s "dumping 'expected mac' (20 bytes)" \
914 -S "dumping 'expected mac' (10 bytes)"
915
916requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
917run_test "Truncated HMAC, DTLS: client enabled, server default" \
918 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]919 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]920 0 \
921 -s "dumping 'expected mac' (20 bytes)" \
922 -S "dumping 'expected mac' (10 bytes)"
923
924requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
925run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
926 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]927 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]928 0 \
929 -s "dumping 'expected mac' (20 bytes)" \
930 -S "dumping 'expected mac' (10 bytes)"
931
932requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
933run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
934 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]935 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]936 0 \
937 -s "dumping 'expected mac' (20 bytes)" \
938 -S "dumping 'expected mac' (10 bytes)"
939
940requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
941run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
942 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]943 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]944 0 \
945 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]946 -s "dumping 'expected mac' (10 bytes)"
947
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]948# Tests for Encrypt-then-MAC extension
949
950run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]951 "$P_SRV debug_level=3 \
952 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]953 "$P_CLI debug_level=3" \
954 0 \
955 -c "client hello, adding encrypt_then_mac extension" \
956 -s "found encrypt then mac extension" \
957 -s "server hello, adding encrypt then mac extension" \
958 -c "found encrypt_then_mac extension" \
959 -c "using encrypt then mac" \
960 -s "using encrypt then mac"
961
962run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]963 "$P_SRV debug_level=3 etm=0 \
964 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]965 "$P_CLI debug_level=3 etm=1" \
966 0 \
967 -c "client hello, adding encrypt_then_mac extension" \
968 -s "found encrypt then mac extension" \
969 -S "server hello, adding encrypt then mac extension" \
970 -C "found encrypt_then_mac extension" \
971 -C "using encrypt then mac" \
972 -S "using encrypt then mac"
973
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]974run_test "Encrypt then MAC: client enabled, aead cipher" \
975 "$P_SRV debug_level=3 etm=1 \
976 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
977 "$P_CLI debug_level=3 etm=1" \
978 0 \
979 -c "client hello, adding encrypt_then_mac extension" \
980 -s "found encrypt then mac extension" \
981 -S "server hello, adding encrypt then mac extension" \
982 -C "found encrypt_then_mac extension" \
983 -C "using encrypt then mac" \
984 -S "using encrypt then mac"
985
986run_test "Encrypt then MAC: client enabled, stream cipher" \
987 "$P_SRV debug_level=3 etm=1 \
988 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]989 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]990 0 \
991 -c "client hello, adding encrypt_then_mac extension" \
992 -s "found encrypt then mac extension" \
993 -S "server hello, adding encrypt then mac extension" \
994 -C "found encrypt_then_mac extension" \
995 -C "using encrypt then mac" \
996 -S "using encrypt then mac"
997
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]998run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]999 "$P_SRV debug_level=3 etm=1 \
1000 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1001 "$P_CLI debug_level=3 etm=0" \
1002 0 \
1003 -C "client hello, adding encrypt_then_mac extension" \
1004 -S "found encrypt then mac extension" \
1005 -S "server hello, adding encrypt then mac extension" \
1006 -C "found encrypt_then_mac extension" \
1007 -C "using encrypt then mac" \
1008 -S "using encrypt then mac"
1009
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1010requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1011run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1012 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1013 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1014 "$P_CLI debug_level=3 force_version=ssl3" \
1015 0 \
1016 -C "client hello, adding encrypt_then_mac extension" \
1017 -S "found encrypt then mac extension" \
1018 -S "server hello, adding encrypt then mac extension" \
1019 -C "found encrypt_then_mac extension" \
1020 -C "using encrypt then mac" \
1021 -S "using encrypt then mac"
1022
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1023requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1024run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1025 "$P_SRV debug_level=3 force_version=ssl3 \
1026 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1027 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1028 0 \
1029 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1030 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1031 -S "server hello, adding encrypt then mac extension" \
1032 -C "found encrypt_then_mac extension" \
1033 -C "using encrypt then mac" \
1034 -S "using encrypt then mac"
1035
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1036# Tests for Extended Master Secret extension
1037
1038run_test "Extended Master Secret: default" \
1039 "$P_SRV debug_level=3" \
1040 "$P_CLI debug_level=3" \
1041 0 \
1042 -c "client hello, adding extended_master_secret extension" \
1043 -s "found extended master secret extension" \
1044 -s "server hello, adding extended master secret extension" \
1045 -c "found extended_master_secret extension" \
1046 -c "using extended master secret" \
1047 -s "using extended master secret"
1048
1049run_test "Extended Master Secret: client enabled, server disabled" \
1050 "$P_SRV debug_level=3 extended_ms=0" \
1051 "$P_CLI debug_level=3 extended_ms=1" \
1052 0 \
1053 -c "client hello, adding extended_master_secret extension" \
1054 -s "found extended master secret extension" \
1055 -S "server hello, adding extended master secret extension" \
1056 -C "found extended_master_secret extension" \
1057 -C "using extended master secret" \
1058 -S "using extended master secret"
1059
1060run_test "Extended Master Secret: client disabled, server enabled" \
1061 "$P_SRV debug_level=3 extended_ms=1" \
1062 "$P_CLI debug_level=3 extended_ms=0" \
1063 0 \
1064 -C "client hello, adding extended_master_secret extension" \
1065 -S "found extended master secret extension" \
1066 -S "server hello, adding extended master secret extension" \
1067 -C "found extended_master_secret extension" \
1068 -C "using extended master secret" \
1069 -S "using extended master secret"
1070
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1071requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1072run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1073 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1074 "$P_CLI debug_level=3 force_version=ssl3" \
1075 0 \
1076 -C "client hello, adding extended_master_secret extension" \
1077 -S "found extended master secret extension" \
1078 -S "server hello, adding extended master secret extension" \
1079 -C "found extended_master_secret extension" \
1080 -C "using extended master secret" \
1081 -S "using extended master secret"
1082
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1083requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1084run_test "Extended Master Secret: client enabled, server SSLv3" \
1085 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1086 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1087 0 \
1088 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1089 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1090 -S "server hello, adding extended master secret extension" \
1091 -C "found extended_master_secret extension" \
1092 -C "using extended master secret" \
1093 -S "using extended master secret"
1094
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1095# Tests for FALLBACK_SCSV
1096
1097run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1098 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1099 "$P_CLI debug_level=3 force_version=tls1_1" \
1100 0 \
1101 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1102 -S "received FALLBACK_SCSV" \
1103 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1104 -C "is a fatal alert message (msg 86)"
1105
1106run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1107 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1108 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1109 0 \
1110 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1111 -S "received FALLBACK_SCSV" \
1112 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1113 -C "is a fatal alert message (msg 86)"
1114
1115run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1116 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1117 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1118 1 \
1119 -c "adding FALLBACK_SCSV" \
1120 -s "received FALLBACK_SCSV" \
1121 -s "inapropriate fallback" \
1122 -c "is a fatal alert message (msg 86)"
1123
1124run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1125 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1126 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1127 0 \
1128 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1129 -s "received FALLBACK_SCSV" \
1130 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1131 -C "is a fatal alert message (msg 86)"
1132
1133requires_openssl_with_fallback_scsv
1134run_test "Fallback SCSV: default, openssl server" \
1135 "$O_SRV" \
1136 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1137 0 \
1138 -C "adding FALLBACK_SCSV" \
1139 -C "is a fatal alert message (msg 86)"
1140
1141requires_openssl_with_fallback_scsv
1142run_test "Fallback SCSV: enabled, openssl server" \
1143 "$O_SRV" \
1144 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1145 1 \
1146 -c "adding FALLBACK_SCSV" \
1147 -c "is a fatal alert message (msg 86)"
1148
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1149requires_openssl_with_fallback_scsv
1150run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1151 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1152 "$O_CLI -tls1_1" \
1153 0 \
1154 -S "received FALLBACK_SCSV" \
1155 -S "inapropriate fallback"
1156
1157requires_openssl_with_fallback_scsv
1158run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1159 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1160 "$O_CLI -tls1_1 -fallback_scsv" \
1161 1 \
1162 -s "received FALLBACK_SCSV" \
1163 -s "inapropriate fallback"
1164
1165requires_openssl_with_fallback_scsv
1166run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1167 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1168 "$O_CLI -fallback_scsv" \
1169 0 \
1170 -s "received FALLBACK_SCSV" \
1171 -S "inapropriate fallback"
1172
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]1173# Test sending and receiving empty application data records
1174
1175run_test "Encrypt then MAC: empty application data record" \
1176 "$P_SRV auth_mode=none debug_level=4 etm=1" \
1177 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
1178 0 \
1179 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1180 -s "dumping 'input payload after decrypt' (0 bytes)" \
1181 -c "0 bytes written in 1 fragments"
1182
1183run_test "Default, no Encrypt then MAC: empty application data record" \
1184 "$P_SRV auth_mode=none debug_level=4 etm=0" \
1185 "$P_CLI auth_mode=none etm=0 request_size=0" \
1186 0 \
1187 -s "dumping 'input payload after decrypt' (0 bytes)" \
1188 -c "0 bytes written in 1 fragments"
1189
1190run_test "Encrypt then MAC, DTLS: empty application data record" \
1191 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
1192 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
1193 0 \
1194 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1195 -s "dumping 'input payload after decrypt' (0 bytes)" \
1196 -c "0 bytes written in 1 fragments"
1197
1198run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
1199 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
1200 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
1201 0 \
1202 -s "dumping 'input payload after decrypt' (0 bytes)" \
1203 -c "0 bytes written in 1 fragments"
1204
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1205## ClientHello generated with
1206## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1207## then manually twiddling the ciphersuite list.
1208## The ClientHello content is spelled out below as a hex string as
1209## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1210## The expected response is an inappropriate_fallback alert.
1211requires_openssl_with_fallback_scsv
1212run_test "Fallback SCSV: beginning of list" \
1213 "$P_SRV debug_level=2" \
1214 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1215 0 \
1216 -s "received FALLBACK_SCSV" \
1217 -s "inapropriate fallback"
1218
1219requires_openssl_with_fallback_scsv
1220run_test "Fallback SCSV: end of list" \
1221 "$P_SRV debug_level=2" \
1222 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1223 0 \
1224 -s "received FALLBACK_SCSV" \
1225 -s "inapropriate fallback"
1226
1227## Here the expected response is a valid ServerHello prefix, up to the random.
1228requires_openssl_with_fallback_scsv
1229run_test "Fallback SCSV: not in list" \
1230 "$P_SRV debug_level=2" \
1231 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1232 0 \
1233 -S "received FALLBACK_SCSV" \
1234 -S "inapropriate fallback"
1235
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1236# Tests for CBC 1/n-1 record splitting
1237
1238run_test "CBC Record splitting: TLS 1.2, no splitting" \
1239 "$P_SRV" \
1240 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1241 request_size=123 force_version=tls1_2" \
1242 0 \
1243 -s "Read from client: 123 bytes read" \
1244 -S "Read from client: 1 bytes read" \
1245 -S "122 bytes read"
1246
1247run_test "CBC Record splitting: TLS 1.1, no splitting" \
1248 "$P_SRV" \
1249 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1250 request_size=123 force_version=tls1_1" \
1251 0 \
1252 -s "Read from client: 123 bytes read" \
1253 -S "Read from client: 1 bytes read" \
1254 -S "122 bytes read"
1255
1256run_test "CBC Record splitting: TLS 1.0, splitting" \
1257 "$P_SRV" \
1258 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1259 request_size=123 force_version=tls1" \
1260 0 \
1261 -S "Read from client: 123 bytes read" \
1262 -s "Read from client: 1 bytes read" \
1263 -s "122 bytes read"
1264
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1265requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1266run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1267 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1268 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1269 request_size=123 force_version=ssl3" \
1270 0 \
1271 -S "Read from client: 123 bytes read" \
1272 -s "Read from client: 1 bytes read" \
1273 -s "122 bytes read"
1274
1275run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1276 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1277 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1278 request_size=123 force_version=tls1" \
1279 0 \
1280 -s "Read from client: 123 bytes read" \
1281 -S "Read from client: 1 bytes read" \
1282 -S "122 bytes read"
1283
1284run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1285 "$P_SRV" \
1286 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1287 request_size=123 force_version=tls1 recsplit=0" \
1288 0 \
1289 -s "Read from client: 123 bytes read" \
1290 -S "Read from client: 1 bytes read" \
1291 -S "122 bytes read"
1292
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1293run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1294 "$P_SRV nbio=2" \
1295 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1296 request_size=123 force_version=tls1" \
1297 0 \
1298 -S "Read from client: 123 bytes read" \
1299 -s "Read from client: 1 bytes read" \
1300 -s "122 bytes read"
1301
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1302# Tests for Session Tickets
1303
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1304run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1305 "$P_SRV debug_level=3 tickets=1" \
1306 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1307 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1308 -c "client hello, adding session ticket extension" \
1309 -s "found session ticket extension" \
1310 -s "server hello, adding session ticket extension" \
1311 -c "found session_ticket extension" \
1312 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1313 -S "session successfully restored from cache" \
1314 -s "session successfully restored from ticket" \
1315 -s "a session has been resumed" \
1316 -c "a session has been resumed"
1317
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1318run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1319 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1320 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1321 0 \
1322 -c "client hello, adding session ticket extension" \
1323 -s "found session ticket extension" \
1324 -s "server hello, adding session ticket extension" \
1325 -c "found session_ticket extension" \
1326 -c "parse new session ticket" \
1327 -S "session successfully restored from cache" \
1328 -s "session successfully restored from ticket" \
1329 -s "a session has been resumed" \
1330 -c "a session has been resumed"
1331
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1332run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1333 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1334 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1335 0 \
1336 -c "client hello, adding session ticket extension" \
1337 -s "found session ticket extension" \
1338 -s "server hello, adding session ticket extension" \
1339 -c "found session_ticket extension" \
1340 -c "parse new session ticket" \
1341 -S "session successfully restored from cache" \
1342 -S "session successfully restored from ticket" \
1343 -S "a session has been resumed" \
1344 -C "a session has been resumed"
1345
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1346run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1347 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1348 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1349 0 \
1350 -c "client hello, adding session ticket extension" \
1351 -c "found session_ticket extension" \
1352 -c "parse new session ticket" \
1353 -c "a session has been resumed"
1354
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1355run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1356 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1357 "( $O_CLI -sess_out $SESSION; \
1358 $O_CLI -sess_in $SESSION; \
1359 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1360 0 \
1361 -s "found session ticket extension" \
1362 -s "server hello, adding session ticket extension" \
1363 -S "session successfully restored from cache" \
1364 -s "session successfully restored from ticket" \
1365 -s "a session has been resumed"
1366
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame^]1367# Tests for Session Tickets with DTLS
1368
1369run_test "Session resume using tickets, DTLS: basic" \
1370 "$P_SRV debug_level=3 dtls=1 tickets=1" \
1371 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
1372 0 \
1373 -c "client hello, adding session ticket extension" \
1374 -s "found session ticket extension" \
1375 -s "server hello, adding session ticket extension" \
1376 -c "found session_ticket extension" \
1377 -c "parse new session ticket" \
1378 -S "session successfully restored from cache" \
1379 -s "session successfully restored from ticket" \
1380 -s "a session has been resumed" \
1381 -c "a session has been resumed"
1382
1383run_test "Session resume using tickets, DTLS: cache disabled" \
1384 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
1385 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
1386 0 \
1387 -c "client hello, adding session ticket extension" \
1388 -s "found session ticket extension" \
1389 -s "server hello, adding session ticket extension" \
1390 -c "found session_ticket extension" \
1391 -c "parse new session ticket" \
1392 -S "session successfully restored from cache" \
1393 -s "session successfully restored from ticket" \
1394 -s "a session has been resumed" \
1395 -c "a session has been resumed"
1396
1397run_test "Session resume using tickets, DTLS: timeout" \
1398 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
1399 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
1400 0 \
1401 -c "client hello, adding session ticket extension" \
1402 -s "found session ticket extension" \
1403 -s "server hello, adding session ticket extension" \
1404 -c "found session_ticket extension" \
1405 -c "parse new session ticket" \
1406 -S "session successfully restored from cache" \
1407 -S "session successfully restored from ticket" \
1408 -S "a session has been resumed" \
1409 -C "a session has been resumed"
1410
1411run_test "Session resume using tickets, DTLS: openssl server" \
1412 "$O_SRV -dtls1" \
1413 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1414 0 \
1415 -c "client hello, adding session ticket extension" \
1416 -c "found session_ticket extension" \
1417 -c "parse new session ticket" \
1418 -c "a session has been resumed"
1419
1420run_test "Session resume using tickets, DTLS: openssl client" \
1421 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1422 "( $O_CLI -dtls1 -sess_out $SESSION; \
1423 $O_CLI -dtls1 -sess_in $SESSION; \
1424 rm -f $SESSION )" \
1425 0 \
1426 -s "found session ticket extension" \
1427 -s "server hello, adding session ticket extension" \
1428 -S "session successfully restored from cache" \
1429 -s "session successfully restored from ticket" \
1430 -s "a session has been resumed"
1431
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1432# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1433
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1434run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1435 "$P_SRV debug_level=3 tickets=0" \
1436 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1437 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1438 -c "client hello, adding session ticket extension" \
1439 -s "found session ticket extension" \
1440 -S "server hello, adding session ticket extension" \
1441 -C "found session_ticket extension" \
1442 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1443 -s "session successfully restored from cache" \
1444 -S "session successfully restored from ticket" \
1445 -s "a session has been resumed" \
1446 -c "a session has been resumed"
1447
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1448run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1449 "$P_SRV debug_level=3 tickets=1" \
1450 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1451 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1452 -C "client hello, adding session ticket extension" \
1453 -S "found session ticket extension" \
1454 -S "server hello, adding session ticket extension" \
1455 -C "found session_ticket extension" \
1456 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1457 -s "session successfully restored from cache" \
1458 -S "session successfully restored from ticket" \
1459 -s "a session has been resumed" \
1460 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1461
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1462run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1463 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1464 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1465 0 \
1466 -S "session successfully restored from cache" \
1467 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1468 -S "a session has been resumed" \
1469 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1470
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1471run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1472 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1473 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1474 0 \
1475 -s "session successfully restored from cache" \
1476 -S "session successfully restored from ticket" \
1477 -s "a session has been resumed" \
1478 -c "a session has been resumed"
1479
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1480run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1481 "$P_SRV debug_level=3 tickets=0" \
1482 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1483 0 \
1484 -s "session successfully restored from cache" \
1485 -S "session successfully restored from ticket" \
1486 -s "a session has been resumed" \
1487 -c "a session has been resumed"
1488
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1489run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1490 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1491 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1492 0 \
1493 -S "session successfully restored from cache" \
1494 -S "session successfully restored from ticket" \
1495 -S "a session has been resumed" \
1496 -C "a session has been resumed"
1497
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1498run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1499 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1500 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1501 0 \
1502 -s "session successfully restored from cache" \
1503 -S "session successfully restored from ticket" \
1504 -s "a session has been resumed" \
1505 -c "a session has been resumed"
1506
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1507run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1508 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1509 "( $O_CLI -sess_out $SESSION; \
1510 $O_CLI -sess_in $SESSION; \
1511 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1512 0 \
1513 -s "found session ticket extension" \
1514 -S "server hello, adding session ticket extension" \
1515 -s "session successfully restored from cache" \
1516 -S "session successfully restored from ticket" \
1517 -s "a session has been resumed"
1518
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1519run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1520 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1521 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1522 0 \
1523 -C "found session_ticket extension" \
1524 -C "parse new session ticket" \
1525 -c "a session has been resumed"
1526
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame^]1527# Tests for Session Resume based on session-ID and cache, DTLS
1528
1529run_test "Session resume using cache, DTLS: tickets enabled on client" \
1530 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1531 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1532 0 \
1533 -c "client hello, adding session ticket extension" \
1534 -s "found session ticket extension" \
1535 -S "server hello, adding session ticket extension" \
1536 -C "found session_ticket extension" \
1537 -C "parse new session ticket" \
1538 -s "session successfully restored from cache" \
1539 -S "session successfully restored from ticket" \
1540 -s "a session has been resumed" \
1541 -c "a session has been resumed"
1542
1543run_test "Session resume using cache, DTLS: tickets enabled on server" \
1544 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1545 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1546 0 \
1547 -C "client hello, adding session ticket extension" \
1548 -S "found session ticket extension" \
1549 -S "server hello, adding session ticket extension" \
1550 -C "found session_ticket extension" \
1551 -C "parse new session ticket" \
1552 -s "session successfully restored from cache" \
1553 -S "session successfully restored from ticket" \
1554 -s "a session has been resumed" \
1555 -c "a session has been resumed"
1556
1557run_test "Session resume using cache, DTLS: cache_max=0" \
1558 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
1559 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1560 0 \
1561 -S "session successfully restored from cache" \
1562 -S "session successfully restored from ticket" \
1563 -S "a session has been resumed" \
1564 -C "a session has been resumed"
1565
1566run_test "Session resume using cache, DTLS: cache_max=1" \
1567 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
1568 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1569 0 \
1570 -s "session successfully restored from cache" \
1571 -S "session successfully restored from ticket" \
1572 -s "a session has been resumed" \
1573 -c "a session has been resumed"
1574
1575run_test "Session resume using cache, DTLS: timeout > delay" \
1576 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1577 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
1578 0 \
1579 -s "session successfully restored from cache" \
1580 -S "session successfully restored from ticket" \
1581 -s "a session has been resumed" \
1582 -c "a session has been resumed"
1583
1584run_test "Session resume using cache, DTLS: timeout < delay" \
1585 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
1586 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
1587 0 \
1588 -S "session successfully restored from cache" \
1589 -S "session successfully restored from ticket" \
1590 -S "a session has been resumed" \
1591 -C "a session has been resumed"
1592
1593run_test "Session resume using cache, DTLS: no timeout" \
1594 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
1595 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
1596 0 \
1597 -s "session successfully restored from cache" \
1598 -S "session successfully restored from ticket" \
1599 -s "a session has been resumed" \
1600 -c "a session has been resumed"
1601
1602run_test "Session resume using cache, DTLS: openssl client" \
1603 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1604 "( $O_CLI -dtls1 -sess_out $SESSION; \
1605 $O_CLI -dtls1 -sess_in $SESSION; \
1606 rm -f $SESSION )" \
1607 0 \
1608 -s "found session ticket extension" \
1609 -S "server hello, adding session ticket extension" \
1610 -s "session successfully restored from cache" \
1611 -S "session successfully restored from ticket" \
1612 -s "a session has been resumed"
1613
1614run_test "Session resume using cache, DTLS: openssl server" \
1615 "$O_SRV -dtls1" \
1616 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1617 0 \
1618 -C "found session_ticket extension" \
1619 -C "parse new session ticket" \
1620 -c "a session has been resumed"
1621
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1622# Tests for Max Fragment Length extension
1623
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1624if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
1625 printf "${CONFIG_H} defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n"
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]1626 exit 1
1627fi
1628
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1629if [ $MAX_CONTENT_LEN -ne 16384 ]; then
1630 printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
1631fi
1632
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1633requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1634run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1635 "$P_SRV debug_level=3" \
1636 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1637 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1638 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
1639 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1640 -C "client hello, adding max_fragment_length extension" \
1641 -S "found max fragment length extension" \
1642 -S "server hello, max_fragment_length extension" \
1643 -C "found max_fragment_length extension"
1644
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1645requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1646run_test "Max fragment length: enabled, default, larger message" \
1647 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1648 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1649 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1650 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
1651 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1652 -C "client hello, adding max_fragment_length extension" \
1653 -S "found max fragment length extension" \
1654 -S "server hello, max_fragment_length extension" \
1655 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1656 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
1657 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1658 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1659
1660requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1661run_test "Max fragment length, DTLS: enabled, default, larger message" \
1662 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1663 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1664 1 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1665 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
1666 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1667 -C "client hello, adding max_fragment_length extension" \
1668 -S "found max fragment length extension" \
1669 -S "server hello, max_fragment_length extension" \
1670 -C "found max_fragment_length extension" \
1671 -c "fragment larger than.*maximum "
1672
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1673# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
1674# (session fragment length will be 16384 regardless of mbedtls
1675# content length configuration.)
1676
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1677requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1678run_test "Max fragment length: disabled, larger message" \
1679 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1680 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1681 0 \
1682 -C "Maximum fragment length is 16384" \
1683 -S "Maximum fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1684 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
1685 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1686 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1687
1688requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1689run_test "Max fragment length DTLS: disabled, larger message" \
1690 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1691 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1692 1 \
1693 -C "Maximum fragment length is 16384" \
1694 -S "Maximum fragment length is 16384" \
1695 -c "fragment larger than.*maximum "
1696
1697requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1698run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1699 "$P_SRV debug_level=3" \
1700 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1701 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1702 -c "Maximum fragment length is 4096" \
1703 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1704 -c "client hello, adding max_fragment_length extension" \
1705 -s "found max fragment length extension" \
1706 -s "server hello, max_fragment_length extension" \
1707 -c "found max_fragment_length extension"
1708
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1709requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1710run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1711 "$P_SRV debug_level=3 max_frag_len=4096" \
1712 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1713 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]1714 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1715 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1716 -C "client hello, adding max_fragment_length extension" \
1717 -S "found max fragment length extension" \
1718 -S "server hello, max_fragment_length extension" \
1719 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1720
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1721requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1722requires_gnutls
1723run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1724 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1725 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1726 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1727 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1728 -c "client hello, adding max_fragment_length extension" \
1729 -c "found max_fragment_length extension"
1730
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1731requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1732run_test "Max fragment length: client, message just fits" \
1733 "$P_SRV debug_level=3" \
1734 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1735 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1736 -c "Maximum fragment length is 2048" \
1737 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1738 -c "client hello, adding max_fragment_length extension" \
1739 -s "found max fragment length extension" \
1740 -s "server hello, max_fragment_length extension" \
1741 -c "found max_fragment_length extension" \
1742 -c "2048 bytes written in 1 fragments" \
1743 -s "2048 bytes read"
1744
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1745requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1746run_test "Max fragment length: client, larger message" \
1747 "$P_SRV debug_level=3" \
1748 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1749 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1750 -c "Maximum fragment length is 2048" \
1751 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1752 -c "client hello, adding max_fragment_length extension" \
1753 -s "found max fragment length extension" \
1754 -s "server hello, max_fragment_length extension" \
1755 -c "found max_fragment_length extension" \
1756 -c "2345 bytes written in 2 fragments" \
1757 -s "2048 bytes read" \
1758 -s "297 bytes read"
1759
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1760requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1761run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1762 "$P_SRV debug_level=3 dtls=1" \
1763 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1764 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1765 -c "Maximum fragment length is 2048" \
1766 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1767 -c "client hello, adding max_fragment_length extension" \
1768 -s "found max fragment length extension" \
1769 -s "server hello, max_fragment_length extension" \
1770 -c "found max_fragment_length extension" \
1771 -c "fragment larger than.*maximum"
1772
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1773# Tests for renegotiation
1774
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1775# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1776run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1777 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1778 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1779 0 \
1780 -C "client hello, adding renegotiation extension" \
1781 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1782 -S "found renegotiation extension" \
1783 -s "server hello, secure renegotiation extension" \
1784 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1785 -C "=> renegotiate" \
1786 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1787 -S "write hello request"
1788
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1789requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1790run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1791 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1792 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1793 0 \
1794 -c "client hello, adding renegotiation extension" \
1795 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1796 -s "found renegotiation extension" \
1797 -s "server hello, secure renegotiation extension" \
1798 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1799 -c "=> renegotiate" \
1800 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1801 -S "write hello request"
1802
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1803requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1804run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1805 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1806 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1807 0 \
1808 -c "client hello, adding renegotiation extension" \
1809 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1810 -s "found renegotiation extension" \
1811 -s "server hello, secure renegotiation extension" \
1812 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1813 -c "=> renegotiate" \
1814 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1815 -s "write hello request"
1816
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1817# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1818# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1819# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1820requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1821run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1822 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1823 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1824 0 \
1825 -c "client hello, adding renegotiation extension" \
1826 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1827 -s "found renegotiation extension" \
1828 -s "server hello, secure renegotiation extension" \
1829 -c "found renegotiation extension" \
1830 -c "=> renegotiate" \
1831 -s "=> renegotiate" \
1832 -S "write hello request" \
1833 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1834
1835# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1836# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1837# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1838requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1839run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1840 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1841 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1842 0 \
1843 -c "client hello, adding renegotiation extension" \
1844 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1845 -s "found renegotiation extension" \
1846 -s "server hello, secure renegotiation extension" \
1847 -c "found renegotiation extension" \
1848 -c "=> renegotiate" \
1849 -s "=> renegotiate" \
1850 -s "write hello request" \
1851 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1852
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1853requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1854run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1855 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1856 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1857 0 \
1858 -c "client hello, adding renegotiation extension" \
1859 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1860 -s "found renegotiation extension" \
1861 -s "server hello, secure renegotiation extension" \
1862 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1863 -c "=> renegotiate" \
1864 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1865 -s "write hello request"
1866
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1867requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1868run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1869 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1870 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1871 1 \
1872 -c "client hello, adding renegotiation extension" \
1873 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1874 -S "found renegotiation extension" \
1875 -s "server hello, secure renegotiation extension" \
1876 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1877 -c "=> renegotiate" \
1878 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1879 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1880 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1881 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1882
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1883requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1884run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1885 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1886 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1887 0 \
1888 -C "client hello, adding renegotiation extension" \
1889 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1890 -S "found renegotiation extension" \
1891 -s "server hello, secure renegotiation extension" \
1892 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1893 -C "=> renegotiate" \
1894 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1895 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1896 -S "SSL - An unexpected message was received from our peer" \
1897 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1898
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1899requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1900run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1901 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1902 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1903 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1904 0 \
1905 -C "client hello, adding renegotiation extension" \
1906 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1907 -S "found renegotiation extension" \
1908 -s "server hello, secure renegotiation extension" \
1909 -c "found renegotiation extension" \
1910 -C "=> renegotiate" \
1911 -S "=> renegotiate" \
1912 -s "write hello request" \
1913 -S "SSL - An unexpected message was received from our peer" \
1914 -S "failed"
1915
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1916# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1917requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1918run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1919 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1920 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1921 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1922 0 \
1923 -C "client hello, adding renegotiation extension" \
1924 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1925 -S "found renegotiation extension" \
1926 -s "server hello, secure renegotiation extension" \
1927 -c "found renegotiation extension" \
1928 -C "=> renegotiate" \
1929 -S "=> renegotiate" \
1930 -s "write hello request" \
1931 -S "SSL - An unexpected message was received from our peer" \
1932 -S "failed"
1933
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1934requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1935run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1936 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1937 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1938 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1939 0 \
1940 -C "client hello, adding renegotiation extension" \
1941 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1942 -S "found renegotiation extension" \
1943 -s "server hello, secure renegotiation extension" \
1944 -c "found renegotiation extension" \
1945 -C "=> renegotiate" \
1946 -S "=> renegotiate" \
1947 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1948 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1949
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1950requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1951run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1952 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1953 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1954 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1955 0 \
1956 -c "client hello, adding renegotiation extension" \
1957 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1958 -s "found renegotiation extension" \
1959 -s "server hello, secure renegotiation extension" \
1960 -c "found renegotiation extension" \
1961 -c "=> renegotiate" \
1962 -s "=> renegotiate" \
1963 -s "write hello request" \
1964 -S "SSL - An unexpected message was received from our peer" \
1965 -S "failed"
1966
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1967requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1968run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1969 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1970 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1971 0 \
1972 -C "client hello, adding renegotiation extension" \
1973 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1974 -S "found renegotiation extension" \
1975 -s "server hello, secure renegotiation extension" \
1976 -c "found renegotiation extension" \
1977 -S "record counter limit reached: renegotiate" \
1978 -C "=> renegotiate" \
1979 -S "=> renegotiate" \
1980 -S "write hello request" \
1981 -S "SSL - An unexpected message was received from our peer" \
1982 -S "failed"
1983
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1984# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1985requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1986run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1987 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1988 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1989 0 \
1990 -c "client hello, adding renegotiation extension" \
1991 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1992 -s "found renegotiation extension" \
1993 -s "server hello, secure renegotiation extension" \
1994 -c "found renegotiation extension" \
1995 -s "record counter limit reached: renegotiate" \
1996 -c "=> renegotiate" \
1997 -s "=> renegotiate" \
1998 -s "write hello request" \
1999 -S "SSL - An unexpected message was received from our peer" \
2000 -S "failed"
2001
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2002requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2003run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2004 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2005 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2006 0 \
2007 -c "client hello, adding renegotiation extension" \
2008 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2009 -s "found renegotiation extension" \
2010 -s "server hello, secure renegotiation extension" \
2011 -c "found renegotiation extension" \
2012 -s "record counter limit reached: renegotiate" \
2013 -c "=> renegotiate" \
2014 -s "=> renegotiate" \
2015 -s "write hello request" \
2016 -S "SSL - An unexpected message was received from our peer" \
2017 -S "failed"
2018
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2019requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2020run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2021 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2022 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
2023 0 \
2024 -C "client hello, adding renegotiation extension" \
2025 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2026 -S "found renegotiation extension" \
2027 -s "server hello, secure renegotiation extension" \
2028 -c "found renegotiation extension" \
2029 -S "record counter limit reached: renegotiate" \
2030 -C "=> renegotiate" \
2031 -S "=> renegotiate" \
2032 -S "write hello request" \
2033 -S "SSL - An unexpected message was received from our peer" \
2034 -S "failed"
2035
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2036requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2037run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2038 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2039 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2040 0 \
2041 -c "client hello, adding renegotiation extension" \
2042 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2043 -s "found renegotiation extension" \
2044 -s "server hello, secure renegotiation extension" \
2045 -c "found renegotiation extension" \
2046 -c "=> renegotiate" \
2047 -s "=> renegotiate" \
2048 -S "write hello request"
2049
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2050requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2051run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2052 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2053 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2054 0 \
2055 -c "client hello, adding renegotiation extension" \
2056 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2057 -s "found renegotiation extension" \
2058 -s "server hello, secure renegotiation extension" \
2059 -c "found renegotiation extension" \
2060 -c "=> renegotiate" \
2061 -s "=> renegotiate" \
2062 -s "write hello request"
2063
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2064requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2065run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]2066 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2067 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2068 0 \
2069 -c "client hello, adding renegotiation extension" \
2070 -c "found renegotiation extension" \
2071 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2072 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2073 -C "error" \
2074 -c "HTTP/1.0 200 [Oo][Kk]"
2075
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2076requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2077requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2078run_test "Renegotiation: gnutls server strict, client-initiated" \
2079 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2080 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2081 0 \
2082 -c "client hello, adding renegotiation extension" \
2083 -c "found renegotiation extension" \
2084 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2085 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2086 -C "error" \
2087 -c "HTTP/1.0 200 [Oo][Kk]"
2088
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2089requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2090requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2091run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
2092 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2093 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
2094 1 \
2095 -c "client hello, adding renegotiation extension" \
2096 -C "found renegotiation extension" \
2097 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2098 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2099 -c "error" \
2100 -C "HTTP/1.0 200 [Oo][Kk]"
2101
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2102requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2103requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2104run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
2105 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2106 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2107 allow_legacy=0" \
2108 1 \
2109 -c "client hello, adding renegotiation extension" \
2110 -C "found renegotiation extension" \
2111 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2112 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2113 -c "error" \
2114 -C "HTTP/1.0 200 [Oo][Kk]"
2115
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2116requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2117requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2118run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
2119 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2120 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2121 allow_legacy=1" \
2122 0 \
2123 -c "client hello, adding renegotiation extension" \
2124 -C "found renegotiation extension" \
2125 -c "=> renegotiate" \
2126 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2127 -C "error" \
2128 -c "HTTP/1.0 200 [Oo][Kk]"
2129
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2130requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]2131run_test "Renegotiation: DTLS, client-initiated" \
2132 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
2133 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
2134 0 \
2135 -c "client hello, adding renegotiation extension" \
2136 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2137 -s "found renegotiation extension" \
2138 -s "server hello, secure renegotiation extension" \
2139 -c "found renegotiation extension" \
2140 -c "=> renegotiate" \
2141 -s "=> renegotiate" \
2142 -S "write hello request"
2143
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2144requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2145run_test "Renegotiation: DTLS, server-initiated" \
2146 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]2147 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
2148 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2149 0 \
2150 -c "client hello, adding renegotiation extension" \
2151 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2152 -s "found renegotiation extension" \
2153 -s "server hello, secure renegotiation extension" \
2154 -c "found renegotiation extension" \
2155 -c "=> renegotiate" \
2156 -s "=> renegotiate" \
2157 -s "write hello request"
2158
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2159requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]2160run_test "Renegotiation: DTLS, renego_period overflow" \
2161 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
2162 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
2163 0 \
2164 -c "client hello, adding renegotiation extension" \
2165 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2166 -s "found renegotiation extension" \
2167 -s "server hello, secure renegotiation extension" \
2168 -s "record counter limit reached: renegotiate" \
2169 -c "=> renegotiate" \
2170 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2171 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]2172
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]2173requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2174requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2175run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
2176 "$G_SRV -u --mtu 4096" \
2177 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
2178 0 \
2179 -c "client hello, adding renegotiation extension" \
2180 -c "found renegotiation extension" \
2181 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2182 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2183 -C "error" \
2184 -s "Extra-header:"
2185
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2186# Test for the "secure renegotation" extension only (no actual renegotiation)
2187
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2188requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2189run_test "Renego ext: gnutls server strict, client default" \
2190 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
2191 "$P_CLI debug_level=3" \
2192 0 \
2193 -c "found renegotiation extension" \
2194 -C "error" \
2195 -c "HTTP/1.0 200 [Oo][Kk]"
2196
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2197requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2198run_test "Renego ext: gnutls server unsafe, client default" \
2199 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2200 "$P_CLI debug_level=3" \
2201 0 \
2202 -C "found renegotiation extension" \
2203 -C "error" \
2204 -c "HTTP/1.0 200 [Oo][Kk]"
2205
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2206requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2207run_test "Renego ext: gnutls server unsafe, client break legacy" \
2208 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2209 "$P_CLI debug_level=3 allow_legacy=-1" \
2210 1 \
2211 -C "found renegotiation extension" \
2212 -c "error" \
2213 -C "HTTP/1.0 200 [Oo][Kk]"
2214
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2215requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2216run_test "Renego ext: gnutls client strict, server default" \
2217 "$P_SRV debug_level=3" \
2218 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
2219 0 \
2220 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2221 -s "server hello, secure renegotiation extension"
2222
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2223requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2224run_test "Renego ext: gnutls client unsafe, server default" \
2225 "$P_SRV debug_level=3" \
2226 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2227 0 \
2228 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2229 -S "server hello, secure renegotiation extension"
2230
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2231requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2232run_test "Renego ext: gnutls client unsafe, server break legacy" \
2233 "$P_SRV debug_level=3 allow_legacy=-1" \
2234 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2235 1 \
2236 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2237 -S "server hello, secure renegotiation extension"
2238
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2239# Tests for silently dropping trailing extra bytes in .der certificates
2240
2241requires_gnutls
2242run_test "DER format: no trailing bytes" \
2243 "$P_SRV crt_file=data_files/server5-der0.crt \
2244 key_file=data_files/server5.key" \
2245 "$G_CLI " \
2246 0 \
2247 -c "Handshake was completed" \
2248
2249requires_gnutls
2250run_test "DER format: with a trailing zero byte" \
2251 "$P_SRV crt_file=data_files/server5-der1a.crt \
2252 key_file=data_files/server5.key" \
2253 "$G_CLI " \
2254 0 \
2255 -c "Handshake was completed" \
2256
2257requires_gnutls
2258run_test "DER format: with a trailing random byte" \
2259 "$P_SRV crt_file=data_files/server5-der1b.crt \
2260 key_file=data_files/server5.key" \
2261 "$G_CLI " \
2262 0 \
2263 -c "Handshake was completed" \
2264
2265requires_gnutls
2266run_test "DER format: with 2 trailing random bytes" \
2267 "$P_SRV crt_file=data_files/server5-der2.crt \
2268 key_file=data_files/server5.key" \
2269 "$G_CLI " \
2270 0 \
2271 -c "Handshake was completed" \
2272
2273requires_gnutls
2274run_test "DER format: with 4 trailing random bytes" \
2275 "$P_SRV crt_file=data_files/server5-der4.crt \
2276 key_file=data_files/server5.key" \
2277 "$G_CLI " \
2278 0 \
2279 -c "Handshake was completed" \
2280
2281requires_gnutls
2282run_test "DER format: with 8 trailing random bytes" \
2283 "$P_SRV crt_file=data_files/server5-der8.crt \
2284 key_file=data_files/server5.key" \
2285 "$G_CLI " \
2286 0 \
2287 -c "Handshake was completed" \
2288
2289requires_gnutls
2290run_test "DER format: with 9 trailing random bytes" \
2291 "$P_SRV crt_file=data_files/server5-der9.crt \
2292 key_file=data_files/server5.key" \
2293 "$G_CLI " \
2294 0 \
2295 -c "Handshake was completed" \
2296
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2297# Tests for auth_mode
2298
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2299run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2300 "$P_SRV crt_file=data_files/server5-badsign.crt \
2301 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2302 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2303 1 \
2304 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2305 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2306 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2307 -c "X509 - Certificate verification failed"
2308
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2309run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2310 "$P_SRV crt_file=data_files/server5-badsign.crt \
2311 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2312 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2313 0 \
2314 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2315 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2316 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2317 -C "X509 - Certificate verification failed"
2318
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]2319run_test "Authentication: server goodcert, client optional, no trusted CA" \
2320 "$P_SRV" \
2321 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2322 0 \
2323 -c "x509_verify_cert() returned" \
2324 -c "! The certificate is not correctly signed by the trusted CA" \
2325 -c "! Certificate verification flags"\
2326 -C "! mbedtls_ssl_handshake returned" \
2327 -C "X509 - Certificate verification failed" \
2328 -C "SSL - No CA Chain is set, but required to operate"
2329
2330run_test "Authentication: server goodcert, client required, no trusted CA" \
2331 "$P_SRV" \
2332 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2333 1 \
2334 -c "x509_verify_cert() returned" \
2335 -c "! The certificate is not correctly signed by the trusted CA" \
2336 -c "! Certificate verification flags"\
2337 -c "! mbedtls_ssl_handshake returned" \
2338 -c "SSL - No CA Chain is set, but required to operate"
2339
2340# The purpose of the next two tests is to test the client's behaviour when receiving a server
2341# certificate with an unsupported elliptic curve. This should usually not happen because
2342# the client informs the server about the supported curves - it does, though, in the
2343# corner case of a static ECDH suite, because the server doesn't check the curve on that
2344# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
2345# different means to have the server ignoring the client's supported curve list.
2346
2347requires_config_enabled MBEDTLS_ECP_C
2348run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2349 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2350 crt_file=data_files/server5.ku-ka.crt" \
2351 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2352 1 \
2353 -c "bad certificate (EC key curve)"\
2354 -c "! Certificate verification flags"\
2355 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2356
2357requires_config_enabled MBEDTLS_ECP_C
2358run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2359 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2360 crt_file=data_files/server5.ku-ka.crt" \
2361 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2362 1 \
2363 -c "bad certificate (EC key curve)"\
2364 -c "! Certificate verification flags"\
2365 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2366
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2367run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2368 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2369 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2370 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2371 0 \
2372 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2373 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2374 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2375 -C "X509 - Certificate verification failed"
2376
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2377run_test "Authentication: client SHA256, server required" \
2378 "$P_SRV auth_mode=required" \
2379 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2380 key_file=data_files/server6.key \
2381 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
2382 0 \
2383 -c "Supported Signature Algorithm found: 4," \
2384 -c "Supported Signature Algorithm found: 5,"
2385
2386run_test "Authentication: client SHA384, server required" \
2387 "$P_SRV auth_mode=required" \
2388 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2389 key_file=data_files/server6.key \
2390 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2391 0 \
2392 -c "Supported Signature Algorithm found: 4," \
2393 -c "Supported Signature Algorithm found: 5,"
2394
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2395requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2396run_test "Authentication: client has no cert, server required (SSLv3)" \
2397 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2398 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2399 key_file=data_files/server5.key" \
2400 1 \
2401 -S "skip write certificate request" \
2402 -C "skip parse certificate request" \
2403 -c "got a certificate request" \
2404 -c "got no certificate to send" \
2405 -S "x509_verify_cert() returned" \
2406 -s "client has no certificate" \
2407 -s "! mbedtls_ssl_handshake returned" \
2408 -c "! mbedtls_ssl_handshake returned" \
2409 -s "No client certification received from the client, but required by the authentication mode"
2410
2411run_test "Authentication: client has no cert, server required (TLS)" \
2412 "$P_SRV debug_level=3 auth_mode=required" \
2413 "$P_CLI debug_level=3 crt_file=none \
2414 key_file=data_files/server5.key" \
2415 1 \
2416 -S "skip write certificate request" \
2417 -C "skip parse certificate request" \
2418 -c "got a certificate request" \
2419 -c "= write certificate$" \
2420 -C "skip write certificate$" \
2421 -S "x509_verify_cert() returned" \
2422 -s "client has no certificate" \
2423 -s "! mbedtls_ssl_handshake returned" \
2424 -c "! mbedtls_ssl_handshake returned" \
2425 -s "No client certification received from the client, but required by the authentication mode"
2426
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2427run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2428 "$P_SRV debug_level=3 auth_mode=required" \
2429 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2430 key_file=data_files/server5.key" \
2431 1 \
2432 -S "skip write certificate request" \
2433 -C "skip parse certificate request" \
2434 -c "got a certificate request" \
2435 -C "skip write certificate" \
2436 -C "skip write certificate verify" \
2437 -S "skip parse certificate verify" \
2438 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2439 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2440 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2441 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2442 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2443 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2444# We don't check that the client receives the alert because it might
2445# detect that its write end of the connection is closed and abort
2446# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2447
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2448run_test "Authentication: client cert not trusted, server required" \
2449 "$P_SRV debug_level=3 auth_mode=required" \
2450 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2451 key_file=data_files/server5.key" \
2452 1 \
2453 -S "skip write certificate request" \
2454 -C "skip parse certificate request" \
2455 -c "got a certificate request" \
2456 -C "skip write certificate" \
2457 -C "skip write certificate verify" \
2458 -S "skip parse certificate verify" \
2459 -s "x509_verify_cert() returned" \
2460 -s "! The certificate is not correctly signed by the trusted CA" \
2461 -s "! mbedtls_ssl_handshake returned" \
2462 -c "! mbedtls_ssl_handshake returned" \
2463 -s "X509 - Certificate verification failed"
2464
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2465run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2466 "$P_SRV debug_level=3 auth_mode=optional" \
2467 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2468 key_file=data_files/server5.key" \
2469 0 \
2470 -S "skip write certificate request" \
2471 -C "skip parse certificate request" \
2472 -c "got a certificate request" \
2473 -C "skip write certificate" \
2474 -C "skip write certificate verify" \
2475 -S "skip parse certificate verify" \
2476 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2477 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2478 -S "! mbedtls_ssl_handshake returned" \
2479 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2480 -S "X509 - Certificate verification failed"
2481
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2482run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2483 "$P_SRV debug_level=3 auth_mode=none" \
2484 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2485 key_file=data_files/server5.key" \
2486 0 \
2487 -s "skip write certificate request" \
2488 -C "skip parse certificate request" \
2489 -c "got no certificate request" \
2490 -c "skip write certificate" \
2491 -c "skip write certificate verify" \
2492 -s "skip parse certificate verify" \
2493 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2494 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2495 -S "! mbedtls_ssl_handshake returned" \
2496 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2497 -S "X509 - Certificate verification failed"
2498
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2499run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2500 "$P_SRV debug_level=3 auth_mode=optional" \
2501 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2502 0 \
2503 -S "skip write certificate request" \
2504 -C "skip parse certificate request" \
2505 -c "got a certificate request" \
2506 -C "skip write certificate$" \
2507 -C "got no certificate to send" \
2508 -S "SSLv3 client has no certificate" \
2509 -c "skip write certificate verify" \
2510 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2511 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2512 -S "! mbedtls_ssl_handshake returned" \
2513 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2514 -S "X509 - Certificate verification failed"
2515
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2516run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2517 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2518 "$O_CLI" \
2519 0 \
2520 -S "skip write certificate request" \
2521 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2522 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2523 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2524 -S "X509 - Certificate verification failed"
2525
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2526run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2527 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2528 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2529 0 \
2530 -C "skip parse certificate request" \
2531 -c "got a certificate request" \
2532 -C "skip write certificate$" \
2533 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2534 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2535
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2536run_test "Authentication: client no cert, openssl server required" \
2537 "$O_SRV -Verify 10" \
2538 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2539 1 \
2540 -C "skip parse certificate request" \
2541 -c "got a certificate request" \
2542 -C "skip write certificate$" \
2543 -c "skip write certificate verify" \
2544 -c "! mbedtls_ssl_handshake returned"
2545
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2546requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2547run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2548 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2549 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2550 0 \
2551 -S "skip write certificate request" \
2552 -C "skip parse certificate request" \
2553 -c "got a certificate request" \
2554 -C "skip write certificate$" \
2555 -c "skip write certificate verify" \
2556 -c "got no certificate to send" \
2557 -s "SSLv3 client has no certificate" \
2558 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2559 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2560 -S "! mbedtls_ssl_handshake returned" \
2561 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2562 -S "X509 - Certificate verification failed"
2563
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2564# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2565# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2566
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2567MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2568MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2569
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2570if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2571 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2572 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2573 printf "test value of ${MAX_IM_CA}. \n"
2574 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2575 printf "The tests assume this value and if it changes, the tests in this\n"
2576 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2577 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2578
2579 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2580fi
2581
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2582requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2583run_test "Authentication: server max_int chain, client default" \
2584 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2585 key_file=data_files/dir-maxpath/09.key" \
2586 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2587 0 \
2588 -C "X509 - A fatal error occured"
2589
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2590requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2591run_test "Authentication: server max_int+1 chain, client default" \
2592 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2593 key_file=data_files/dir-maxpath/10.key" \
2594 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2595 1 \
2596 -c "X509 - A fatal error occured"
2597
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2598requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2599run_test "Authentication: server max_int+1 chain, client optional" \
2600 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2601 key_file=data_files/dir-maxpath/10.key" \
2602 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2603 auth_mode=optional" \
2604 1 \
2605 -c "X509 - A fatal error occured"
2606
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2607requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2608run_test "Authentication: server max_int+1 chain, client none" \
2609 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2610 key_file=data_files/dir-maxpath/10.key" \
2611 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2612 auth_mode=none" \
2613 0 \
2614 -C "X509 - A fatal error occured"
2615
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2616requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2617run_test "Authentication: client max_int+1 chain, server default" \
2618 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2619 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2620 key_file=data_files/dir-maxpath/10.key" \
2621 0 \
2622 -S "X509 - A fatal error occured"
2623
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2624requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2625run_test "Authentication: client max_int+1 chain, server optional" \
2626 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2627 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2628 key_file=data_files/dir-maxpath/10.key" \
2629 1 \
2630 -s "X509 - A fatal error occured"
2631
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2632requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2633run_test "Authentication: client max_int+1 chain, server required" \
2634 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2635 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2636 key_file=data_files/dir-maxpath/10.key" \
2637 1 \
2638 -s "X509 - A fatal error occured"
2639
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2640requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2641run_test "Authentication: client max_int chain, server required" \
2642 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2643 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2644 key_file=data_files/dir-maxpath/09.key" \
2645 0 \
2646 -S "X509 - A fatal error occured"
2647
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2648# Tests for CA list in CertificateRequest messages
2649
2650run_test "Authentication: send CA list in CertificateRequest (default)" \
2651 "$P_SRV debug_level=3 auth_mode=required" \
2652 "$P_CLI crt_file=data_files/server6.crt \
2653 key_file=data_files/server6.key" \
2654 0 \
2655 -s "requested DN"
2656
2657run_test "Authentication: do not send CA list in CertificateRequest" \
2658 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2659 "$P_CLI crt_file=data_files/server6.crt \
2660 key_file=data_files/server6.key" \
2661 0 \
2662 -S "requested DN"
2663
2664run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2665 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2666 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2667 key_file=data_files/server5.key" \
2668 1 \
2669 -S "requested DN" \
2670 -s "x509_verify_cert() returned" \
2671 -s "! The certificate is not correctly signed by the trusted CA" \
2672 -s "! mbedtls_ssl_handshake returned" \
2673 -c "! mbedtls_ssl_handshake returned" \
2674 -s "X509 - Certificate verification failed"
2675
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2676# Tests for certificate selection based on SHA verson
2677
2678run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2679 "$P_SRV crt_file=data_files/server5.crt \
2680 key_file=data_files/server5.key \
2681 crt_file2=data_files/server5-sha1.crt \
2682 key_file2=data_files/server5.key" \
2683 "$P_CLI force_version=tls1_2" \
2684 0 \
2685 -c "signed using.*ECDSA with SHA256" \
2686 -C "signed using.*ECDSA with SHA1"
2687
2688run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2689 "$P_SRV crt_file=data_files/server5.crt \
2690 key_file=data_files/server5.key \
2691 crt_file2=data_files/server5-sha1.crt \
2692 key_file2=data_files/server5.key" \
2693 "$P_CLI force_version=tls1_1" \
2694 0 \
2695 -C "signed using.*ECDSA with SHA256" \
2696 -c "signed using.*ECDSA with SHA1"
2697
2698run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2699 "$P_SRV crt_file=data_files/server5.crt \
2700 key_file=data_files/server5.key \
2701 crt_file2=data_files/server5-sha1.crt \
2702 key_file2=data_files/server5.key" \
2703 "$P_CLI force_version=tls1" \
2704 0 \
2705 -C "signed using.*ECDSA with SHA256" \
2706 -c "signed using.*ECDSA with SHA1"
2707
2708run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2709 "$P_SRV crt_file=data_files/server5.crt \
2710 key_file=data_files/server5.key \
2711 crt_file2=data_files/server6.crt \
2712 key_file2=data_files/server6.key" \
2713 "$P_CLI force_version=tls1_1" \
2714 0 \
2715 -c "serial number.*09" \
2716 -c "signed using.*ECDSA with SHA256" \
2717 -C "signed using.*ECDSA with SHA1"
2718
2719run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2720 "$P_SRV crt_file=data_files/server6.crt \
2721 key_file=data_files/server6.key \
2722 crt_file2=data_files/server5.crt \
2723 key_file2=data_files/server5.key" \
2724 "$P_CLI force_version=tls1_1" \
2725 0 \
2726 -c "serial number.*0A" \
2727 -c "signed using.*ECDSA with SHA256" \
2728 -C "signed using.*ECDSA with SHA1"
2729
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2730# tests for SNI
2731
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2732run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2733 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2734 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2735 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2736 0 \
2737 -S "parse ServerName extension" \
2738 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2739 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2740
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2741run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2742 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2743 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2744 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2745 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2746 0 \
2747 -s "parse ServerName extension" \
2748 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2749 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2750
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2751run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2752 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2753 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2754 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2755 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2756 0 \
2757 -s "parse ServerName extension" \
2758 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2759 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2760
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2761run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2762 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2763 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2764 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2765 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2766 1 \
2767 -s "parse ServerName extension" \
2768 -s "ssl_sni_wrapper() returned" \
2769 -s "mbedtls_ssl_handshake returned" \
2770 -c "mbedtls_ssl_handshake returned" \
2771 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2772
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2773run_test "SNI: client auth no override: optional" \
2774 "$P_SRV debug_level=3 auth_mode=optional \
2775 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2776 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2777 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2778 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2779 -S "skip write certificate request" \
2780 -C "skip parse certificate request" \
2781 -c "got a certificate request" \
2782 -C "skip write certificate" \
2783 -C "skip write certificate verify" \
2784 -S "skip parse certificate verify"
2785
2786run_test "SNI: client auth override: none -> optional" \
2787 "$P_SRV debug_level=3 auth_mode=none \
2788 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2789 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2790 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2791 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2792 -S "skip write certificate request" \
2793 -C "skip parse certificate request" \
2794 -c "got a certificate request" \
2795 -C "skip write certificate" \
2796 -C "skip write certificate verify" \
2797 -S "skip parse certificate verify"
2798
2799run_test "SNI: client auth override: optional -> none" \
2800 "$P_SRV debug_level=3 auth_mode=optional \
2801 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2802 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2803 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2804 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2805 -s "skip write certificate request" \
2806 -C "skip parse certificate request" \
2807 -c "got no certificate request" \
2808 -c "skip write certificate" \
2809 -c "skip write certificate verify" \
2810 -s "skip parse certificate verify"
2811
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2812run_test "SNI: CA no override" \
2813 "$P_SRV debug_level=3 auth_mode=optional \
2814 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2815 ca_file=data_files/test-ca.crt \
2816 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2817 "$P_CLI debug_level=3 server_name=localhost \
2818 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2819 1 \
2820 -S "skip write certificate request" \
2821 -C "skip parse certificate request" \
2822 -c "got a certificate request" \
2823 -C "skip write certificate" \
2824 -C "skip write certificate verify" \
2825 -S "skip parse certificate verify" \
2826 -s "x509_verify_cert() returned" \
2827 -s "! The certificate is not correctly signed by the trusted CA" \
2828 -S "The certificate has been revoked (is on a CRL)"
2829
2830run_test "SNI: CA override" \
2831 "$P_SRV debug_level=3 auth_mode=optional \
2832 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2833 ca_file=data_files/test-ca.crt \
2834 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2835 "$P_CLI debug_level=3 server_name=localhost \
2836 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2837 0 \
2838 -S "skip write certificate request" \
2839 -C "skip parse certificate request" \
2840 -c "got a certificate request" \
2841 -C "skip write certificate" \
2842 -C "skip write certificate verify" \
2843 -S "skip parse certificate verify" \
2844 -S "x509_verify_cert() returned" \
2845 -S "! The certificate is not correctly signed by the trusted CA" \
2846 -S "The certificate has been revoked (is on a CRL)"
2847
2848run_test "SNI: CA override with CRL" \
2849 "$P_SRV debug_level=3 auth_mode=optional \
2850 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2851 ca_file=data_files/test-ca.crt \
2852 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2853 "$P_CLI debug_level=3 server_name=localhost \
2854 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2855 1 \
2856 -S "skip write certificate request" \
2857 -C "skip parse certificate request" \
2858 -c "got a certificate request" \
2859 -C "skip write certificate" \
2860 -C "skip write certificate verify" \
2861 -S "skip parse certificate verify" \
2862 -s "x509_verify_cert() returned" \
2863 -S "! The certificate is not correctly signed by the trusted CA" \
2864 -s "The certificate has been revoked (is on a CRL)"
2865
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]2866# Tests for SNI and DTLS
2867
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]2868run_test "SNI: DTLS, no SNI callback" \
2869 "$P_SRV debug_level=3 dtls=1 \
2870 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
2871 "$P_CLI server_name=localhost dtls=1" \
2872 0 \
2873 -S "parse ServerName extension" \
2874 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2875 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2876
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]2877run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]2878 "$P_SRV debug_level=3 dtls=1 \
2879 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2880 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2881 "$P_CLI server_name=localhost dtls=1" \
2882 0 \
2883 -s "parse ServerName extension" \
2884 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2885 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2886
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]2887run_test "SNI: DTLS, matching cert 2" \
2888 "$P_SRV debug_level=3 dtls=1 \
2889 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2890 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2891 "$P_CLI server_name=polarssl.example dtls=1" \
2892 0 \
2893 -s "parse ServerName extension" \
2894 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2895 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
2896
2897run_test "SNI: DTLS, no matching cert" \
2898 "$P_SRV debug_level=3 dtls=1 \
2899 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2900 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2901 "$P_CLI server_name=nonesuch.example dtls=1" \
2902 1 \
2903 -s "parse ServerName extension" \
2904 -s "ssl_sni_wrapper() returned" \
2905 -s "mbedtls_ssl_handshake returned" \
2906 -c "mbedtls_ssl_handshake returned" \
2907 -c "SSL - A fatal alert message was received from our peer"
2908
2909run_test "SNI: DTLS, client auth no override: optional" \
2910 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2911 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2912 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2913 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2914 0 \
2915 -S "skip write certificate request" \
2916 -C "skip parse certificate request" \
2917 -c "got a certificate request" \
2918 -C "skip write certificate" \
2919 -C "skip write certificate verify" \
2920 -S "skip parse certificate verify"
2921
2922run_test "SNI: DTLS, client auth override: none -> optional" \
2923 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
2924 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2925 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2926 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2927 0 \
2928 -S "skip write certificate request" \
2929 -C "skip parse certificate request" \
2930 -c "got a certificate request" \
2931 -C "skip write certificate" \
2932 -C "skip write certificate verify" \
2933 -S "skip parse certificate verify"
2934
2935run_test "SNI: DTLS, client auth override: optional -> none" \
2936 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2937 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2938 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2939 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2940 0 \
2941 -s "skip write certificate request" \
2942 -C "skip parse certificate request" \
2943 -c "got no certificate request" \
2944 -c "skip write certificate" \
2945 -c "skip write certificate verify" \
2946 -s "skip parse certificate verify"
2947
2948run_test "SNI: DTLS, CA no override" \
2949 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2950 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2951 ca_file=data_files/test-ca.crt \
2952 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2953 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2954 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2955 1 \
2956 -S "skip write certificate request" \
2957 -C "skip parse certificate request" \
2958 -c "got a certificate request" \
2959 -C "skip write certificate" \
2960 -C "skip write certificate verify" \
2961 -S "skip parse certificate verify" \
2962 -s "x509_verify_cert() returned" \
2963 -s "! The certificate is not correctly signed by the trusted CA" \
2964 -S "The certificate has been revoked (is on a CRL)"
2965
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]2966run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]2967 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2968 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2969 ca_file=data_files/test-ca.crt \
2970 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2971 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2972 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2973 0 \
2974 -S "skip write certificate request" \
2975 -C "skip parse certificate request" \
2976 -c "got a certificate request" \
2977 -C "skip write certificate" \
2978 -C "skip write certificate verify" \
2979 -S "skip parse certificate verify" \
2980 -S "x509_verify_cert() returned" \
2981 -S "! The certificate is not correctly signed by the trusted CA" \
2982 -S "The certificate has been revoked (is on a CRL)"
2983
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]2984run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]2985 "$P_SRV debug_level=3 auth_mode=optional \
2986 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
2987 ca_file=data_files/test-ca.crt \
2988 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2989 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2990 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2991 1 \
2992 -S "skip write certificate request" \
2993 -C "skip parse certificate request" \
2994 -c "got a certificate request" \
2995 -C "skip write certificate" \
2996 -C "skip write certificate verify" \
2997 -S "skip parse certificate verify" \
2998 -s "x509_verify_cert() returned" \
2999 -S "! The certificate is not correctly signed by the trusted CA" \
3000 -s "The certificate has been revoked (is on a CRL)"
3001
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3002# Tests for non-blocking I/O: exercise a variety of handshake flows
3003
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3004run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3005 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3006 "$P_CLI nbio=2 tickets=0" \
3007 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3008 -S "mbedtls_ssl_handshake returned" \
3009 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3010 -c "Read from server: .* bytes read"
3011
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3012run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3013 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
3014 "$P_CLI nbio=2 tickets=0" \
3015 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3016 -S "mbedtls_ssl_handshake returned" \
3017 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3018 -c "Read from server: .* bytes read"
3019
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3020run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3021 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3022 "$P_CLI nbio=2 tickets=1" \
3023 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3024 -S "mbedtls_ssl_handshake returned" \
3025 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3026 -c "Read from server: .* bytes read"
3027
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3028run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3029 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3030 "$P_CLI nbio=2 tickets=1" \
3031 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3032 -S "mbedtls_ssl_handshake returned" \
3033 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3034 -c "Read from server: .* bytes read"
3035
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3036run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3037 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3038 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3039 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3040 -S "mbedtls_ssl_handshake returned" \
3041 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3042 -c "Read from server: .* bytes read"
3043
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3044run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3045 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3046 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3047 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3048 -S "mbedtls_ssl_handshake returned" \
3049 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3050 -c "Read from server: .* bytes read"
3051
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3052run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3053 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3054 "$P_CLI nbio=2 tickets=0 reconnect=1" \
3055 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3056 -S "mbedtls_ssl_handshake returned" \
3057 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3058 -c "Read from server: .* bytes read"
3059
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]3060# Tests for event-driven I/O: exercise a variety of handshake flows
3061
3062run_test "Event-driven I/O: basic handshake" \
3063 "$P_SRV event=1 tickets=0 auth_mode=none" \
3064 "$P_CLI event=1 tickets=0" \
3065 0 \
3066 -S "mbedtls_ssl_handshake returned" \
3067 -C "mbedtls_ssl_handshake returned" \
3068 -c "Read from server: .* bytes read"
3069
3070run_test "Event-driven I/O: client auth" \
3071 "$P_SRV event=1 tickets=0 auth_mode=required" \
3072 "$P_CLI event=1 tickets=0" \
3073 0 \
3074 -S "mbedtls_ssl_handshake returned" \
3075 -C "mbedtls_ssl_handshake returned" \
3076 -c "Read from server: .* bytes read"
3077
3078run_test "Event-driven I/O: ticket" \
3079 "$P_SRV event=1 tickets=1 auth_mode=none" \
3080 "$P_CLI event=1 tickets=1" \
3081 0 \
3082 -S "mbedtls_ssl_handshake returned" \
3083 -C "mbedtls_ssl_handshake returned" \
3084 -c "Read from server: .* bytes read"
3085
3086run_test "Event-driven I/O: ticket + client auth" \
3087 "$P_SRV event=1 tickets=1 auth_mode=required" \
3088 "$P_CLI event=1 tickets=1" \
3089 0 \
3090 -S "mbedtls_ssl_handshake returned" \
3091 -C "mbedtls_ssl_handshake returned" \
3092 -c "Read from server: .* bytes read"
3093
3094run_test "Event-driven I/O: ticket + client auth + resume" \
3095 "$P_SRV event=1 tickets=1 auth_mode=required" \
3096 "$P_CLI event=1 tickets=1 reconnect=1" \
3097 0 \
3098 -S "mbedtls_ssl_handshake returned" \
3099 -C "mbedtls_ssl_handshake returned" \
3100 -c "Read from server: .* bytes read"
3101
3102run_test "Event-driven I/O: ticket + resume" \
3103 "$P_SRV event=1 tickets=1 auth_mode=none" \
3104 "$P_CLI event=1 tickets=1 reconnect=1" \
3105 0 \
3106 -S "mbedtls_ssl_handshake returned" \
3107 -C "mbedtls_ssl_handshake returned" \
3108 -c "Read from server: .* bytes read"
3109
3110run_test "Event-driven I/O: session-id resume" \
3111 "$P_SRV event=1 tickets=0 auth_mode=none" \
3112 "$P_CLI event=1 tickets=0 reconnect=1" \
3113 0 \
3114 -S "mbedtls_ssl_handshake returned" \
3115 -C "mbedtls_ssl_handshake returned" \
3116 -c "Read from server: .* bytes read"
3117
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]3118run_test "Event-driven I/O, DTLS: basic handshake" \
3119 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
3120 "$P_CLI dtls=1 event=1 tickets=0" \
3121 0 \
3122 -c "Read from server: .* bytes read"
3123
3124run_test "Event-driven I/O, DTLS: client auth" \
3125 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
3126 "$P_CLI dtls=1 event=1 tickets=0" \
3127 0 \
3128 -c "Read from server: .* bytes read"
3129
3130run_test "Event-driven I/O, DTLS: ticket" \
3131 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
3132 "$P_CLI dtls=1 event=1 tickets=1" \
3133 0 \
3134 -c "Read from server: .* bytes read"
3135
3136run_test "Event-driven I/O, DTLS: ticket + client auth" \
3137 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
3138 "$P_CLI dtls=1 event=1 tickets=1" \
3139 0 \
3140 -c "Read from server: .* bytes read"
3141
3142run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
3143 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
3144 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
3145 0 \
3146 -c "Read from server: .* bytes read"
3147
3148run_test "Event-driven I/O, DTLS: ticket + resume" \
3149 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
3150 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
3151 0 \
3152 -c "Read from server: .* bytes read"
3153
3154run_test "Event-driven I/O, DTLS: session-id resume" \
3155 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
3156 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
3157 0 \
3158 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]3159
3160# This test demonstrates the need for the mbedtls_ssl_check_pending function.
3161# During session resumption, the client will send its ApplicationData record
3162# within the same datagram as the Finished messages. In this situation, the
3163# server MUST NOT idle on the underlying transport after handshake completion,
3164# because the ApplicationData request has already been queued internally.
3165run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]3166 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]3167 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
3168 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
3169 0 \
3170 -c "Read from server: .* bytes read"
3171
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3172# Tests for version negotiation
3173
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3174run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3175 "$P_SRV" \
3176 "$P_CLI" \
3177 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3178 -S "mbedtls_ssl_handshake returned" \
3179 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3180 -s "Protocol is TLSv1.2" \
3181 -c "Protocol is TLSv1.2"
3182
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3183run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3184 "$P_SRV" \
3185 "$P_CLI max_version=tls1_1" \
3186 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3187 -S "mbedtls_ssl_handshake returned" \
3188 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3189 -s "Protocol is TLSv1.1" \
3190 -c "Protocol is TLSv1.1"
3191
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3192run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3193 "$P_SRV max_version=tls1_1" \
3194 "$P_CLI" \
3195 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3196 -S "mbedtls_ssl_handshake returned" \
3197 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3198 -s "Protocol is TLSv1.1" \
3199 -c "Protocol is TLSv1.1"
3200
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3201run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3202 "$P_SRV max_version=tls1_1" \
3203 "$P_CLI max_version=tls1_1" \
3204 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3205 -S "mbedtls_ssl_handshake returned" \
3206 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3207 -s "Protocol is TLSv1.1" \
3208 -c "Protocol is TLSv1.1"
3209
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3210run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3211 "$P_SRV min_version=tls1_1" \
3212 "$P_CLI max_version=tls1_1" \
3213 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3214 -S "mbedtls_ssl_handshake returned" \
3215 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3216 -s "Protocol is TLSv1.1" \
3217 -c "Protocol is TLSv1.1"
3218
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3219run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3220 "$P_SRV max_version=tls1_1" \
3221 "$P_CLI min_version=tls1_1" \
3222 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3223 -S "mbedtls_ssl_handshake returned" \
3224 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3225 -s "Protocol is TLSv1.1" \
3226 -c "Protocol is TLSv1.1"
3227
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3228run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3229 "$P_SRV max_version=tls1_1" \
3230 "$P_CLI min_version=tls1_2" \
3231 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3232 -s "mbedtls_ssl_handshake returned" \
3233 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3234 -c "SSL - Handshake protocol not within min/max boundaries"
3235
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3236run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3237 "$P_SRV min_version=tls1_2" \
3238 "$P_CLI max_version=tls1_1" \
3239 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3240 -s "mbedtls_ssl_handshake returned" \
3241 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3242 -s "SSL - Handshake protocol not within min/max boundaries"
3243
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3244# Tests for ALPN extension
3245
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3246run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3247 "$P_SRV debug_level=3" \
3248 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3249 0 \
3250 -C "client hello, adding alpn extension" \
3251 -S "found alpn extension" \
3252 -C "got an alert message, type: \\[2:120]" \
3253 -S "server hello, adding alpn extension" \
3254 -C "found alpn extension " \
3255 -C "Application Layer Protocol is" \
3256 -S "Application Layer Protocol is"
3257
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3258run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3259 "$P_SRV debug_level=3" \
3260 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3261 0 \
3262 -c "client hello, adding alpn extension" \
3263 -s "found alpn extension" \
3264 -C "got an alert message, type: \\[2:120]" \
3265 -S "server hello, adding alpn extension" \
3266 -C "found alpn extension " \
3267 -c "Application Layer Protocol is (none)" \
3268 -S "Application Layer Protocol is"
3269
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3270run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3271 "$P_SRV debug_level=3 alpn=abc,1234" \
3272 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3273 0 \
3274 -C "client hello, adding alpn extension" \
3275 -S "found alpn extension" \
3276 -C "got an alert message, type: \\[2:120]" \
3277 -S "server hello, adding alpn extension" \
3278 -C "found alpn extension " \
3279 -C "Application Layer Protocol is" \
3280 -s "Application Layer Protocol is (none)"
3281
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3282run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3283 "$P_SRV debug_level=3 alpn=abc,1234" \
3284 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3285 0 \
3286 -c "client hello, adding alpn extension" \
3287 -s "found alpn extension" \
3288 -C "got an alert message, type: \\[2:120]" \
3289 -s "server hello, adding alpn extension" \
3290 -c "found alpn extension" \
3291 -c "Application Layer Protocol is abc" \
3292 -s "Application Layer Protocol is abc"
3293
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3294run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3295 "$P_SRV debug_level=3 alpn=abc,1234" \
3296 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3297 0 \
3298 -c "client hello, adding alpn extension" \
3299 -s "found alpn extension" \
3300 -C "got an alert message, type: \\[2:120]" \
3301 -s "server hello, adding alpn extension" \
3302 -c "found alpn extension" \
3303 -c "Application Layer Protocol is abc" \
3304 -s "Application Layer Protocol is abc"
3305
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3306run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3307 "$P_SRV debug_level=3 alpn=abc,1234" \
3308 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3309 0 \
3310 -c "client hello, adding alpn extension" \
3311 -s "found alpn extension" \
3312 -C "got an alert message, type: \\[2:120]" \
3313 -s "server hello, adding alpn extension" \
3314 -c "found alpn extension" \
3315 -c "Application Layer Protocol is 1234" \
3316 -s "Application Layer Protocol is 1234"
3317
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3318run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3319 "$P_SRV debug_level=3 alpn=abc,123" \
3320 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3321 1 \
3322 -c "client hello, adding alpn extension" \
3323 -s "found alpn extension" \
3324 -c "got an alert message, type: \\[2:120]" \
3325 -S "server hello, adding alpn extension" \
3326 -C "found alpn extension" \
3327 -C "Application Layer Protocol is 1234" \
3328 -S "Application Layer Protocol is 1234"
3329
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]3330
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3331# Tests for keyUsage in leaf certificates, part 1:
3332# server-side certificate/suite selection
3333
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3334run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3335 "$P_SRV key_file=data_files/server2.key \
3336 crt_file=data_files/server2.ku-ds.crt" \
3337 "$P_CLI" \
3338 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]3339 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3340
3341
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3342run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3343 "$P_SRV key_file=data_files/server2.key \
3344 crt_file=data_files/server2.ku-ke.crt" \
3345 "$P_CLI" \
3346 0 \
3347 -c "Ciphersuite is TLS-RSA-WITH-"
3348
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3349run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3350 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3351 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3352 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3353 1 \
3354 -C "Ciphersuite is "
3355
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3356run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3357 "$P_SRV key_file=data_files/server5.key \
3358 crt_file=data_files/server5.ku-ds.crt" \
3359 "$P_CLI" \
3360 0 \
3361 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
3362
3363
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3364run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3365 "$P_SRV key_file=data_files/server5.key \
3366 crt_file=data_files/server5.ku-ka.crt" \
3367 "$P_CLI" \
3368 0 \
3369 -c "Ciphersuite is TLS-ECDH-"
3370
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3371run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3372 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3373 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3374 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3375 1 \
3376 -C "Ciphersuite is "
3377
3378# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3379# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3380
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3381run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3382 "$O_SRV -key data_files/server2.key \
3383 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3384 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3385 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3386 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3387 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3388 -C "Processing of the Certificate handshake message failed" \
3389 -c "Ciphersuite is TLS-"
3390
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3391run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3392 "$O_SRV -key data_files/server2.key \
3393 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3394 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3395 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3396 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3397 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3398 -C "Processing of the Certificate handshake message failed" \
3399 -c "Ciphersuite is TLS-"
3400
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3401run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3402 "$O_SRV -key data_files/server2.key \
3403 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3404 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3405 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3406 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3407 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3408 -C "Processing of the Certificate handshake message failed" \
3409 -c "Ciphersuite is TLS-"
3410
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3411run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3412 "$O_SRV -key data_files/server2.key \
3413 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3414 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3415 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3416 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3417 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3418 -c "Processing of the Certificate handshake message failed" \
3419 -C "Ciphersuite is TLS-"
3420
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3421run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
3422 "$O_SRV -key data_files/server2.key \
3423 -cert data_files/server2.ku-ke.crt" \
3424 "$P_CLI debug_level=1 auth_mode=optional \
3425 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3426 0 \
3427 -c "bad certificate (usage extensions)" \
3428 -C "Processing of the Certificate handshake message failed" \
3429 -c "Ciphersuite is TLS-" \
3430 -c "! Usage does not match the keyUsage extension"
3431
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3432run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3433 "$O_SRV -key data_files/server2.key \
3434 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3435 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3436 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3437 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3438 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3439 -C "Processing of the Certificate handshake message failed" \
3440 -c "Ciphersuite is TLS-"
3441
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3442run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3443 "$O_SRV -key data_files/server2.key \
3444 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3445 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3446 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3447 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3448 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3449 -c "Processing of the Certificate handshake message failed" \
3450 -C "Ciphersuite is TLS-"
3451
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3452run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
3453 "$O_SRV -key data_files/server2.key \
3454 -cert data_files/server2.ku-ds.crt" \
3455 "$P_CLI debug_level=1 auth_mode=optional \
3456 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3457 0 \
3458 -c "bad certificate (usage extensions)" \
3459 -C "Processing of the Certificate handshake message failed" \
3460 -c "Ciphersuite is TLS-" \
3461 -c "! Usage does not match the keyUsage extension"
3462
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3463# Tests for keyUsage in leaf certificates, part 3:
3464# server-side checking of client cert
3465
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3466run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3467 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3468 "$O_CLI -key data_files/server2.key \
3469 -cert data_files/server2.ku-ds.crt" \
3470 0 \
3471 -S "bad certificate (usage extensions)" \
3472 -S "Processing of the Certificate handshake message failed"
3473
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3474run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3475 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3476 "$O_CLI -key data_files/server2.key \
3477 -cert data_files/server2.ku-ke.crt" \
3478 0 \
3479 -s "bad certificate (usage extensions)" \
3480 -S "Processing of the Certificate handshake message failed"
3481
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3482run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3483 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3484 "$O_CLI -key data_files/server2.key \
3485 -cert data_files/server2.ku-ke.crt" \
3486 1 \
3487 -s "bad certificate (usage extensions)" \
3488 -s "Processing of the Certificate handshake message failed"
3489
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3490run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3491 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3492 "$O_CLI -key data_files/server5.key \
3493 -cert data_files/server5.ku-ds.crt" \
3494 0 \
3495 -S "bad certificate (usage extensions)" \
3496 -S "Processing of the Certificate handshake message failed"
3497
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3498run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3499 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3500 "$O_CLI -key data_files/server5.key \
3501 -cert data_files/server5.ku-ka.crt" \
3502 0 \
3503 -s "bad certificate (usage extensions)" \
3504 -S "Processing of the Certificate handshake message failed"
3505
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3506# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
3507
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3508run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3509 "$P_SRV key_file=data_files/server5.key \
3510 crt_file=data_files/server5.eku-srv.crt" \
3511 "$P_CLI" \
3512 0
3513
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3514run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3515 "$P_SRV key_file=data_files/server5.key \
3516 crt_file=data_files/server5.eku-srv.crt" \
3517 "$P_CLI" \
3518 0
3519
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3520run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3521 "$P_SRV key_file=data_files/server5.key \
3522 crt_file=data_files/server5.eku-cs_any.crt" \
3523 "$P_CLI" \
3524 0
3525
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3526run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3527 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3528 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3529 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3530 1
3531
3532# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3533
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3534run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3535 "$O_SRV -key data_files/server5.key \
3536 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3537 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3538 0 \
3539 -C "bad certificate (usage extensions)" \
3540 -C "Processing of the Certificate handshake message failed" \
3541 -c "Ciphersuite is TLS-"
3542
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3543run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3544 "$O_SRV -key data_files/server5.key \
3545 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3546 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3547 0 \
3548 -C "bad certificate (usage extensions)" \
3549 -C "Processing of the Certificate handshake message failed" \
3550 -c "Ciphersuite is TLS-"
3551
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3552run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3553 "$O_SRV -key data_files/server5.key \
3554 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3555 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3556 0 \
3557 -C "bad certificate (usage extensions)" \
3558 -C "Processing of the Certificate handshake message failed" \
3559 -c "Ciphersuite is TLS-"
3560
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3561run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3562 "$O_SRV -key data_files/server5.key \
3563 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3564 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3565 1 \
3566 -c "bad certificate (usage extensions)" \
3567 -c "Processing of the Certificate handshake message failed" \
3568 -C "Ciphersuite is TLS-"
3569
3570# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3571
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3572run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3573 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3574 "$O_CLI -key data_files/server5.key \
3575 -cert data_files/server5.eku-cli.crt" \
3576 0 \
3577 -S "bad certificate (usage extensions)" \
3578 -S "Processing of the Certificate handshake message failed"
3579
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3580run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3581 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3582 "$O_CLI -key data_files/server5.key \
3583 -cert data_files/server5.eku-srv_cli.crt" \
3584 0 \
3585 -S "bad certificate (usage extensions)" \
3586 -S "Processing of the Certificate handshake message failed"
3587
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3588run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3589 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3590 "$O_CLI -key data_files/server5.key \
3591 -cert data_files/server5.eku-cs_any.crt" \
3592 0 \
3593 -S "bad certificate (usage extensions)" \
3594 -S "Processing of the Certificate handshake message failed"
3595
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3596run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3597 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3598 "$O_CLI -key data_files/server5.key \
3599 -cert data_files/server5.eku-cs.crt" \
3600 0 \
3601 -s "bad certificate (usage extensions)" \
3602 -S "Processing of the Certificate handshake message failed"
3603
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3604run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3605 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3606 "$O_CLI -key data_files/server5.key \
3607 -cert data_files/server5.eku-cs.crt" \
3608 1 \
3609 -s "bad certificate (usage extensions)" \
3610 -s "Processing of the Certificate handshake message failed"
3611
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3612# Tests for DHM parameters loading
3613
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3614run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3615 "$P_SRV" \
3616 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3617 debug_level=3" \
3618 0 \
3619 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]3620 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3621
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3622run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3623 "$P_SRV dhm_file=data_files/dhparams.pem" \
3624 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3625 debug_level=3" \
3626 0 \
3627 -c "value of 'DHM: P ' (1024 bits)" \
3628 -c "value of 'DHM: G ' (2 bits)"
3629
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]3630# Tests for DHM client-side size checking
3631
3632run_test "DHM size: server default, client default, OK" \
3633 "$P_SRV" \
3634 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3635 debug_level=1" \
3636 0 \
3637 -C "DHM prime too short:"
3638
3639run_test "DHM size: server default, client 2048, OK" \
3640 "$P_SRV" \
3641 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3642 debug_level=1 dhmlen=2048" \
3643 0 \
3644 -C "DHM prime too short:"
3645
3646run_test "DHM size: server 1024, client default, OK" \
3647 "$P_SRV dhm_file=data_files/dhparams.pem" \
3648 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3649 debug_level=1" \
3650 0 \
3651 -C "DHM prime too short:"
3652
3653run_test "DHM size: server 1000, client default, rejected" \
3654 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3655 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3656 debug_level=1" \
3657 1 \
3658 -c "DHM prime too short:"
3659
3660run_test "DHM size: server default, client 2049, rejected" \
3661 "$P_SRV" \
3662 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3663 debug_level=1 dhmlen=2049" \
3664 1 \
3665 -c "DHM prime too short:"
3666
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3667# Tests for PSK callback
3668
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3669run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3670 "$P_SRV psk=abc123 psk_identity=foo" \
3671 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3672 psk_identity=foo psk=abc123" \
3673 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3674 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3675 -S "SSL - Unknown identity received" \
3676 -S "SSL - Verification of the message MAC failed"
3677
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3678run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3679 "$P_SRV" \
3680 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3681 psk_identity=foo psk=abc123" \
3682 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3683 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3684 -S "SSL - Unknown identity received" \
3685 -S "SSL - Verification of the message MAC failed"
3686
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3687run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3688 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3689 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3690 psk_identity=foo psk=abc123" \
3691 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3692 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3693 -s "SSL - Unknown identity received" \
3694 -S "SSL - Verification of the message MAC failed"
3695
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3696run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3697 "$P_SRV psk_list=abc,dead,def,beef" \
3698 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3699 psk_identity=abc psk=dead" \
3700 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3701 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3702 -S "SSL - Unknown identity received" \
3703 -S "SSL - Verification of the message MAC failed"
3704
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3705run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3706 "$P_SRV psk_list=abc,dead,def,beef" \
3707 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3708 psk_identity=def psk=beef" \
3709 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3710 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3711 -S "SSL - Unknown identity received" \
3712 -S "SSL - Verification of the message MAC failed"
3713
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3714run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3715 "$P_SRV psk_list=abc,dead,def,beef" \
3716 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3717 psk_identity=ghi psk=beef" \
3718 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3719 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3720 -s "SSL - Unknown identity received" \
3721 -S "SSL - Verification of the message MAC failed"
3722
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3723run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3724 "$P_SRV psk_list=abc,dead,def,beef" \
3725 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3726 psk_identity=abc psk=beef" \
3727 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3728 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3729 -S "SSL - Unknown identity received" \
3730 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3731
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3732# Tests for EC J-PAKE
3733
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3734requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3735run_test "ECJPAKE: client not configured" \
3736 "$P_SRV debug_level=3" \
3737 "$P_CLI debug_level=3" \
3738 0 \
3739 -C "add ciphersuite: c0ff" \
3740 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3741 -S "found ecjpake kkpp extension" \
3742 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3743 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3744 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3745 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3746 -S "None of the common ciphersuites is usable"
3747
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3748requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3749run_test "ECJPAKE: server not configured" \
3750 "$P_SRV debug_level=3" \
3751 "$P_CLI debug_level=3 ecjpake_pw=bla \
3752 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3753 1 \
3754 -c "add ciphersuite: c0ff" \
3755 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3756 -s "found ecjpake kkpp extension" \
3757 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3758 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3759 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3760 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3761 -s "None of the common ciphersuites is usable"
3762
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3763requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3764run_test "ECJPAKE: working, TLS" \
3765 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3766 "$P_CLI debug_level=3 ecjpake_pw=bla \
3767 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3768 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3769 -c "add ciphersuite: c0ff" \
3770 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3771 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3772 -s "found ecjpake kkpp extension" \
3773 -S "skip ecjpake kkpp extension" \
3774 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3775 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3776 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3777 -S "None of the common ciphersuites is usable" \
3778 -S "SSL - Verification of the message MAC failed"
3779
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3780server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3781requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3782run_test "ECJPAKE: password mismatch, TLS" \
3783 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3784 "$P_CLI debug_level=3 ecjpake_pw=bad \
3785 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3786 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3787 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3788 -s "SSL - Verification of the message MAC failed"
3789
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3790requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3791run_test "ECJPAKE: working, DTLS" \
3792 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3793 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3794 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3795 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3796 -c "re-using cached ecjpake parameters" \
3797 -S "SSL - Verification of the message MAC failed"
3798
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3799requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3800run_test "ECJPAKE: working, DTLS, no cookie" \
3801 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3802 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3803 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3804 0 \
3805 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3806 -S "SSL - Verification of the message MAC failed"
3807
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3808server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3809requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3810run_test "ECJPAKE: password mismatch, DTLS" \
3811 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3812 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3813 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3814 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3815 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3816 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3817
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3818# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3819requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3820run_test "ECJPAKE: working, DTLS, nolog" \
3821 "$P_SRV dtls=1 ecjpake_pw=bla" \
3822 "$P_CLI dtls=1 ecjpake_pw=bla \
3823 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3824 0
3825
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3826# Tests for ciphersuites per version
3827
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3828requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3829run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3830 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3831 "$P_CLI force_version=ssl3" \
3832 0 \
3833 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3834
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3835run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3836 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3837 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3838 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3839 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3840
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3841run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3842 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3843 "$P_CLI force_version=tls1_1" \
3844 0 \
3845 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3846
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3847run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3848 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3849 "$P_CLI force_version=tls1_2" \
3850 0 \
3851 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3852
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3853# Test for ClientHello without extensions
3854
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3855requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3856run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3857 "$P_SRV debug_level=3" \
3858 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3859 0 \
3860 -s "dumping 'client hello extensions' (0 bytes)"
3861
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3862requires_gnutls
3863run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3864 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3865 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3866 0 \
3867 -s "dumping 'client hello extensions' (0 bytes)"
3868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3869# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3870
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3871run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3872 "$P_SRV" \
3873 "$P_CLI request_size=100" \
3874 0 \
3875 -s "Read from client: 100 bytes read$"
3876
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3877run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3878 "$P_SRV" \
3879 "$P_CLI request_size=500" \
3880 0 \
3881 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3882
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3883# Tests for small packets
3884
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3885requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3886run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3887 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3888 "$P_CLI request_size=1 force_version=ssl3 \
3889 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3890 0 \
3891 -s "Read from client: 1 bytes read"
3892
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3893requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3894run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3895 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3896 "$P_CLI request_size=1 force_version=ssl3 \
3897 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3898 0 \
3899 -s "Read from client: 1 bytes read"
3900
3901run_test "Small packet TLS 1.0 BlockCipher" \
3902 "$P_SRV" \
3903 "$P_CLI request_size=1 force_version=tls1 \
3904 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3905 0 \
3906 -s "Read from client: 1 bytes read"
3907
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3908run_test "Small packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3909 "$P_SRV" \
3910 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3911 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3912 0 \
3913 -s "Read from client: 1 bytes read"
3914
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3915requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3916run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3917 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3918 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3919 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3920 0 \
3921 -s "Read from client: 1 bytes read"
3922
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3923requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3924run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3925 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3926 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3927 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3928 0 \
3929 -s "Read from client: 1 bytes read"
3930
3931run_test "Small packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3932 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3933 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3934 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3935 0 \
3936 -s "Read from client: 1 bytes read"
3937
3938run_test "Small packet TLS 1.0 StreamCipher, without EtM" \
3939 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3940 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3941 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3942 0 \
3943 -s "Read from client: 1 bytes read"
3944
3945requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3946run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3947 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3948 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3949 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3950 0 \
3951 -s "Read from client: 1 bytes read"
3952
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3953requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3954run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3955 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
3956 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3957 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3958 0 \
3959 -s "Read from client: 1 bytes read"
3960
3961run_test "Small packet TLS 1.1 BlockCipher" \
3962 "$P_SRV" \
3963 "$P_CLI request_size=1 force_version=tls1_1 \
3964 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3965 0 \
3966 -s "Read from client: 1 bytes read"
3967
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3968run_test "Small packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3969 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3970 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3971 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3972 0 \
3973 -s "Read from client: 1 bytes read"
3974
3975requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3976run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3977 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3978 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3979 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3980 0 \
3981 -s "Read from client: 1 bytes read"
3982
3983requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3984run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3985 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3986 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3987 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3988 0 \
3989 -s "Read from client: 1 bytes read"
3990
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3991run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3992 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3993 "$P_CLI request_size=1 force_version=tls1_1 \
3994 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3995 0 \
3996 -s "Read from client: 1 bytes read"
3997
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3998run_test "Small packet TLS 1.1 StreamCipher, without EtM" \
3999 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4000 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4001 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4002 0 \
4003 -s "Read from client: 1 bytes read"
4004
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4005requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4006run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4007 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4008 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4009 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4010 0 \
4011 -s "Read from client: 1 bytes read"
4012
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4013requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4014run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4015 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4016 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4017 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4018 0 \
4019 -s "Read from client: 1 bytes read"
4020
4021run_test "Small packet TLS 1.2 BlockCipher" \
4022 "$P_SRV" \
4023 "$P_CLI request_size=1 force_version=tls1_2 \
4024 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4025 0 \
4026 -s "Read from client: 1 bytes read"
4027
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4028run_test "Small packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]4029 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4030 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4031 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]4032 0 \
4033 -s "Read from client: 1 bytes read"
4034
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4035run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
4036 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4037 "$P_CLI request_size=1 force_version=tls1_2 \
4038 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4039 0 \
4040 -s "Read from client: 1 bytes read"
4041
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4042requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4043run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4044 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4045 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4046 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4047 0 \
4048 -s "Read from client: 1 bytes read"
4049
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4050requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4051run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4052 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4053 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4054 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4055 0 \
4056 -s "Read from client: 1 bytes read"
4057
4058run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4059 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4060 "$P_CLI request_size=1 force_version=tls1_2 \
4061 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4062 0 \
4063 -s "Read from client: 1 bytes read"
4064
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4065run_test "Small packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4066 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4067 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4068 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4069 0 \
4070 -s "Read from client: 1 bytes read"
4071
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4072requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4073run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4074 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4075 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4076 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4077 0 \
4078 -s "Read from client: 1 bytes read"
4079
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4080requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4081run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4082 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4083 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4084 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4085 0 \
4086 -s "Read from client: 1 bytes read"
4087
4088run_test "Small packet TLS 1.2 AEAD" \
4089 "$P_SRV" \
4090 "$P_CLI request_size=1 force_version=tls1_2 \
4091 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4092 0 \
4093 -s "Read from client: 1 bytes read"
4094
4095run_test "Small packet TLS 1.2 AEAD shorter tag" \
4096 "$P_SRV" \
4097 "$P_CLI request_size=1 force_version=tls1_2 \
4098 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4099 0 \
4100 -s "Read from client: 1 bytes read"
4101
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4102# Tests for small packets in DTLS
4103
4104requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4105run_test "Small packet DTLS 1.0" \
4106 "$P_SRV dtls=1 force_version=dtls1" \
4107 "$P_CLI dtls=1 request_size=1 \
4108 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4109 0 \
4110 -s "Read from client: 1 bytes read"
4111
4112requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4113run_test "Small packet DTLS 1.0, without EtM" \
4114 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
4115 "$P_CLI dtls=1 request_size=1 \
4116 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4117 0 \
4118 -s "Read from client: 1 bytes read"
4119
4120requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4121requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4122run_test "Small packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4123 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
4124 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4125 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4126 0 \
4127 -s "Read from client: 1 bytes read"
4128
4129requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4130requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4131run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4132 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4133 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4134 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4135 0 \
4136 -s "Read from client: 1 bytes read"
4137
4138requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4139run_test "Small packet DTLS 1.2" \
4140 "$P_SRV dtls=1 force_version=dtls1_2" \
4141 "$P_CLI dtls=1 request_size=1 \
4142 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4143 0 \
4144 -s "Read from client: 1 bytes read"
4145
4146requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4147run_test "Small packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4148 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4149 "$P_CLI dtls=1 request_size=1 \
4150 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4151 0 \
4152 -s "Read from client: 1 bytes read"
4153
4154requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4155requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4156run_test "Small packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4157 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4158 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4159 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4160 0 \
4161 -s "Read from client: 1 bytes read"
4162
4163requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4164requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4165run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4166 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4167 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4168 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4169 0 \
4170 -s "Read from client: 1 bytes read"
4171
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]4172# A test for extensions in SSLv3
4173
4174requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4175run_test "SSLv3 with extensions, server side" \
4176 "$P_SRV min_version=ssl3 debug_level=3" \
4177 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
4178 0 \
4179 -S "dumping 'client hello extensions'" \
4180 -S "server hello, total extension length:"
4181
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4182# Test for large packets
4183
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4184# How many fragments do we expect to write $1 bytes?
4185fragments_for_write() {
4186 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
4187}
4188
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4189requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4190run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]4191 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4192 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4193 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4194 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4195 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4196 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4197
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4198requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4199run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4200 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4201 "$P_CLI request_size=16384 force_version=ssl3 \
4202 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4203 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4204 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4205 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4206
4207run_test "Large packet TLS 1.0 BlockCipher" \
4208 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4209 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4210 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4211 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4212 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4213 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4214
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4215run_test "Large packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4216 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4217 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
4218 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4219 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4220 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4221
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4222requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4223run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4224 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4225 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4226 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4227 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4228 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4229 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4230
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4231requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4232run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4233 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4234 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4235 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4236 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4237 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4238
4239run_test "Large packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4240 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4241 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4242 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4243 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4244 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4245
4246run_test "Large packet TLS 1.0 StreamCipher, without EtM" \
4247 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4248 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4249 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4250 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4251 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4252
4253requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4254run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4255 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4256 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4257 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4258 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4259 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4260
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4261requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4262run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4263 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4264 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4265 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4266 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4267 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4268 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4269
4270run_test "Large packet TLS 1.1 BlockCipher" \
4271 "$P_SRV" \
4272 "$P_CLI request_size=16384 force_version=tls1_1 \
4273 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4274 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4275 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4276 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4277
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4278run_test "Large packet TLS 1.1 BlockCipher, without EtM" \
4279 "$P_SRV" \
4280 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
4281 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4282 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4283 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4284
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4285requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4286run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4287 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4288 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4289 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4290 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4291 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4292
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4293requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4294run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4295 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4296 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4297 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4298 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4299 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4300
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4301run_test "Large packet TLS 1.1 StreamCipher" \
4302 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4303 "$P_CLI request_size=16384 force_version=tls1_1 \
4304 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4305 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4306 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4307 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4308
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4309run_test "Large packet TLS 1.1 StreamCipher, without EtM" \
4310 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4311 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4312 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4313 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4314 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4315 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4316
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4317requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4318run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4319 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4320 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4321 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4322 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4323 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4324
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4325requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4326run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4327 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4328 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4329 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4330 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4331 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4332 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4333
4334run_test "Large packet TLS 1.2 BlockCipher" \
4335 "$P_SRV" \
4336 "$P_CLI request_size=16384 force_version=tls1_2 \
4337 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4338 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4339 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4340 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4341
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4342run_test "Large packet TLS 1.2 BlockCipher, without EtM" \
4343 "$P_SRV" \
4344 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
4345 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4346 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4347 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4348
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4349run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
4350 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4351 "$P_CLI request_size=16384 force_version=tls1_2 \
4352 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4353 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4354 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4355 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4356
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4357requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4358run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4359 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4360 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4361 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4362 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4363 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4364
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4365requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4366run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4367 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4368 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4369 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4370 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4371 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4372 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4373
4374run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4375 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4376 "$P_CLI request_size=16384 force_version=tls1_2 \
4377 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4378 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4379 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4380 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4381
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4382run_test "Large packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4383 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4384 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4385 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4386 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4387 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4388
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4389requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4390run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4391 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4392 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4393 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4394 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4395 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4396
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4397requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4398run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4399 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4400 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4401 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4402 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4403 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4404 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4405
4406run_test "Large packet TLS 1.2 AEAD" \
4407 "$P_SRV" \
4408 "$P_CLI request_size=16384 force_version=tls1_2 \
4409 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4410 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4411 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4412 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4413
4414run_test "Large packet TLS 1.2 AEAD shorter tag" \
4415 "$P_SRV" \
4416 "$P_CLI request_size=16384 force_version=tls1_2 \
4417 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4418 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4419 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
4420 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4421
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4422# Tests of asynchronous private key support in SSL
4423
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4424requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4425run_test "SSL async private: sign, delay=0" \
4426 "$P_SRV \
4427 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4428 "$P_CLI" \
4429 0 \
4430 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4431 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4432
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4433requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4434run_test "SSL async private: sign, delay=1" \
4435 "$P_SRV \
4436 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4437 "$P_CLI" \
4438 0 \
4439 -s "Async sign callback: using key slot " \
4440 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4441 -s "Async resume (slot [0-9]): sign done, status=0"
4442
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]4443requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
4444run_test "SSL async private: sign, delay=2" \
4445 "$P_SRV \
4446 async_operations=s async_private_delay1=2 async_private_delay2=2" \
4447 "$P_CLI" \
4448 0 \
4449 -s "Async sign callback: using key slot " \
4450 -U "Async sign callback: using key slot " \
4451 -s "Async resume (slot [0-9]): call 1 more times." \
4452 -s "Async resume (slot [0-9]): call 0 more times." \
4453 -s "Async resume (slot [0-9]): sign done, status=0"
4454
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]4455# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
4456# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
4457requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
4458requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
4459run_test "SSL async private: sign, RSA, TLS 1.1" \
4460 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
4461 async_operations=s async_private_delay1=0 async_private_delay2=0" \
4462 "$P_CLI force_version=tls1_1" \
4463 0 \
4464 -s "Async sign callback: using key slot " \
4465 -s "Async resume (slot [0-9]): sign done, status=0"
4466
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4467requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]4468run_test "SSL async private: sign, SNI" \
4469 "$P_SRV debug_level=3 \
4470 async_operations=s async_private_delay1=0 async_private_delay2=0 \
4471 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4472 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4473 "$P_CLI server_name=polarssl.example" \
4474 0 \
4475 -s "Async sign callback: using key slot " \
4476 -s "Async resume (slot [0-9]): sign done, status=0" \
4477 -s "parse ServerName extension" \
4478 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4479 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4480
4481requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4482run_test "SSL async private: decrypt, delay=0" \
4483 "$P_SRV \
4484 async_operations=d async_private_delay1=0 async_private_delay2=0" \
4485 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4486 0 \
4487 -s "Async decrypt callback: using key slot " \
4488 -s "Async resume (slot [0-9]): decrypt done, status=0"
4489
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4490requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4491run_test "SSL async private: decrypt, delay=1" \
4492 "$P_SRV \
4493 async_operations=d async_private_delay1=1 async_private_delay2=1" \
4494 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4495 0 \
4496 -s "Async decrypt callback: using key slot " \
4497 -s "Async resume (slot [0-9]): call 0 more times." \
4498 -s "Async resume (slot [0-9]): decrypt done, status=0"
4499
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4500requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4501run_test "SSL async private: decrypt RSA-PSK, delay=0" \
4502 "$P_SRV psk=abc123 \
4503 async_operations=d async_private_delay1=0 async_private_delay2=0" \
4504 "$P_CLI psk=abc123 \
4505 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
4506 0 \
4507 -s "Async decrypt callback: using key slot " \
4508 -s "Async resume (slot [0-9]): decrypt done, status=0"
4509
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4510requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4511run_test "SSL async private: decrypt RSA-PSK, delay=1" \
4512 "$P_SRV psk=abc123 \
4513 async_operations=d async_private_delay1=1 async_private_delay2=1" \
4514 "$P_CLI psk=abc123 \
4515 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
4516 0 \
4517 -s "Async decrypt callback: using key slot " \
4518 -s "Async resume (slot [0-9]): call 0 more times." \
4519 -s "Async resume (slot [0-9]): decrypt done, status=0"
4520
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4521requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4522run_test "SSL async private: sign callback not present" \
4523 "$P_SRV \
4524 async_operations=d async_private_delay1=1 async_private_delay2=1" \
4525 "$P_CLI; [ \$? -eq 1 ] &&
4526 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4527 0 \
4528 -S "Async sign callback" \
4529 -s "! mbedtls_ssl_handshake returned" \
4530 -s "The own private key or pre-shared key is not set, but needed" \
4531 -s "Async resume (slot [0-9]): decrypt done, status=0" \
4532 -s "Successful connection"
4533
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4534requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4535run_test "SSL async private: decrypt callback not present" \
4536 "$P_SRV debug_level=1 \
4537 async_operations=s async_private_delay1=1 async_private_delay2=1" \
4538 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
4539 [ \$? -eq 1 ] && $P_CLI" \
4540 0 \
4541 -S "Async decrypt callback" \
4542 -s "! mbedtls_ssl_handshake returned" \
4543 -s "got no RSA private key" \
4544 -s "Async resume (slot [0-9]): sign done, status=0" \
4545 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4546
4547# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4548requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4549run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4550 "$P_SRV \
4551 async_operations=s async_private_delay1=1 \
4552 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4553 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4554 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
4555 0 \
4556 -s "Async sign callback: using key slot 0," \
4557 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4558 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4559
4560# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4561requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4562run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4563 "$P_SRV \
4564 async_operations=s async_private_delay2=1 \
4565 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4566 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4567 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4568 0 \
4569 -s "Async sign callback: using key slot 0," \
4570 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4571 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4572
4573# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4574requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]4575run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4576 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]4577 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4578 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4579 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4580 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4581 0 \
4582 -s "Async sign callback: using key slot 1," \
4583 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4584 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4585
4586# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4587requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4588run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4589 "$P_SRV \
4590 async_operations=s async_private_delay1=1 \
4591 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4592 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4593 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4594 0 \
4595 -s "Async sign callback: no key matches this certificate."
4596
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4597requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4598run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4599 "$P_SRV \
4600 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4601 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4602 "$P_CLI" \
4603 1 \
4604 -s "Async sign callback: injected error" \
4605 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]4606 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4607 -s "! mbedtls_ssl_handshake returned"
4608
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4609requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4610run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4611 "$P_SRV \
4612 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4613 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4614 "$P_CLI" \
4615 1 \
4616 -s "Async sign callback: using key slot " \
4617 -S "Async resume" \
4618 -s "Async cancel"
4619
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4620requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4621run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4622 "$P_SRV \
4623 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4624 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4625 "$P_CLI" \
4626 1 \
4627 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4628 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]4629 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4630 -s "! mbedtls_ssl_handshake returned"
4631
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4632requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4633run_test "SSL async private: decrypt, error in start" \
4634 "$P_SRV \
4635 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4636 async_private_error=1" \
4637 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4638 1 \
4639 -s "Async decrypt callback: injected error" \
4640 -S "Async resume" \
4641 -S "Async cancel" \
4642 -s "! mbedtls_ssl_handshake returned"
4643
4644requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
4645run_test "SSL async private: decrypt, cancel after start" \
4646 "$P_SRV \
4647 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4648 async_private_error=2" \
4649 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4650 1 \
4651 -s "Async decrypt callback: using key slot " \
4652 -S "Async resume" \
4653 -s "Async cancel"
4654
4655requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
4656run_test "SSL async private: decrypt, error in resume" \
4657 "$P_SRV \
4658 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4659 async_private_error=3" \
4660 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4661 1 \
4662 -s "Async decrypt callback: using key slot " \
4663 -s "Async resume callback: decrypt done but injected error" \
4664 -S "Async cancel" \
4665 -s "! mbedtls_ssl_handshake returned"
4666
4667requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4668run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4669 "$P_SRV \
4670 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4671 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4672 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
4673 0 \
4674 -s "Async cancel" \
4675 -s "! mbedtls_ssl_handshake returned" \
4676 -s "Async resume" \
4677 -s "Successful connection"
4678
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4679requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4680run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4681 "$P_SRV \
4682 async_operations=s async_private_delay1=1 async_private_delay2=1 \
4683 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4684 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
4685 0 \
4686 -s "! mbedtls_ssl_handshake returned" \
4687 -s "Async resume" \
4688 -s "Successful connection"
4689
4690# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4691requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4692run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4693 "$P_SRV \
4694 async_operations=s async_private_delay1=1 async_private_error=-2 \
4695 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4696 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4697 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
4698 [ \$? -eq 1 ] &&
4699 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4700 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]4701 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4702 -S "Async resume" \
4703 -s "Async cancel" \
4704 -s "! mbedtls_ssl_handshake returned" \
4705 -s "Async sign callback: no key matches this certificate." \
4706 -s "Successful connection"
4707
4708# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4709requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]4710run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4711 "$P_SRV \
4712 async_operations=s async_private_delay1=1 async_private_error=-3 \
4713 key_file=data_files/server5.key crt_file=data_files/server5.crt \
4714 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]4715 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
4716 [ \$? -eq 1 ] &&
4717 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
4718 0 \
4719 -s "Async resume" \
4720 -s "! mbedtls_ssl_handshake returned" \
4721 -s "Async sign callback: no key matches this certificate." \
4722 -s "Successful connection"
4723
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4724requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4725requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4726run_test "SSL async private: renegotiation: client-initiated; sign" \
4727 "$P_SRV \
4728 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4729 exchanges=2 renegotiation=1" \
4730 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
4731 0 \
4732 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4733 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4734
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4735requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4736requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4737run_test "SSL async private: renegotiation: server-initiated; sign" \
4738 "$P_SRV \
4739 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4740 exchanges=2 renegotiation=1 renegotiate=1" \
4741 "$P_CLI exchanges=2 renegotiation=1" \
4742 0 \
4743 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4744 -s "Async resume (slot [0-9]): sign done, status=0"
4745
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4746requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4747requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
4748run_test "SSL async private: renegotiation: client-initiated; decrypt" \
4749 "$P_SRV \
4750 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4751 exchanges=2 renegotiation=1" \
4752 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
4753 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4754 0 \
4755 -s "Async decrypt callback: using key slot " \
4756 -s "Async resume (slot [0-9]): decrypt done, status=0"
4757
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]4758requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]4759requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
4760run_test "SSL async private: renegotiation: server-initiated; decrypt" \
4761 "$P_SRV \
4762 async_operations=d async_private_delay1=1 async_private_delay2=1 \
4763 exchanges=2 renegotiation=1 renegotiate=1" \
4764 "$P_CLI exchanges=2 renegotiation=1 \
4765 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4766 0 \
4767 -s "Async decrypt callback: using key slot " \
4768 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]4769
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]4770# Tests for ECC extensions (rfc 4492)
4771
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]4772requires_config_enabled MBEDTLS_AES_C
4773requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4774requires_config_enabled MBEDTLS_SHA256_C
4775requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]4776run_test "Force a non ECC ciphersuite in the client side" \
4777 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]4778 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]4779 0 \
4780 -C "client hello, adding supported_elliptic_curves extension" \
4781 -C "client hello, adding supported_point_formats extension" \
4782 -S "found supported elliptic curves extension" \
4783 -S "found supported point formats extension"
4784
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]4785requires_config_enabled MBEDTLS_AES_C
4786requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4787requires_config_enabled MBEDTLS_SHA256_C
4788requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]4789run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]4790 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]4791 "$P_CLI debug_level=3" \
4792 0 \
4793 -C "found supported_point_formats extension" \
4794 -S "server hello, supported_point_formats extension"
4795
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]4796requires_config_enabled MBEDTLS_AES_C
4797requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4798requires_config_enabled MBEDTLS_SHA256_C
4799requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]4800run_test "Force an ECC ciphersuite in the client side" \
4801 "$P_SRV debug_level=3" \
4802 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
4803 0 \
4804 -c "client hello, adding supported_elliptic_curves extension" \
4805 -c "client hello, adding supported_point_formats extension" \
4806 -s "found supported elliptic curves extension" \
4807 -s "found supported point formats extension"
4808
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]4809requires_config_enabled MBEDTLS_AES_C
4810requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4811requires_config_enabled MBEDTLS_SHA256_C
4812requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]4813run_test "Force an ECC ciphersuite in the server side" \
4814 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
4815 "$P_CLI debug_level=3" \
4816 0 \
4817 -c "found supported_point_formats extension" \
4818 -s "server hello, supported_point_formats extension"
4819
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4820# Tests for DTLS HelloVerifyRequest
4821
4822run_test "DTLS cookie: enabled" \
4823 "$P_SRV dtls=1 debug_level=2" \
4824 "$P_CLI dtls=1 debug_level=2" \
4825 0 \
4826 -s "cookie verification failed" \
4827 -s "cookie verification passed" \
4828 -S "cookie verification skipped" \
4829 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4830 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4831 -S "SSL - The requested feature is not available"
4832
4833run_test "DTLS cookie: disabled" \
4834 "$P_SRV dtls=1 debug_level=2 cookies=0" \
4835 "$P_CLI dtls=1 debug_level=2" \
4836 0 \
4837 -S "cookie verification failed" \
4838 -S "cookie verification passed" \
4839 -s "cookie verification skipped" \
4840 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4841 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4842 -S "SSL - The requested feature is not available"
4843
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4844run_test "DTLS cookie: default (failing)" \
4845 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4846 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4847 1 \
4848 -s "cookie verification failed" \
4849 -S "cookie verification passed" \
4850 -S "cookie verification skipped" \
4851 -C "received hello verify request" \
4852 -S "hello verification requested" \
4853 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4854
4855requires_ipv6
4856run_test "DTLS cookie: enabled, IPv6" \
4857 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4858 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
4859 0 \
4860 -s "cookie verification failed" \
4861 -s "cookie verification passed" \
4862 -S "cookie verification skipped" \
4863 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4864 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4865 -S "SSL - The requested feature is not available"
4866
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4867run_test "DTLS cookie: enabled, nbio" \
4868 "$P_SRV dtls=1 nbio=2 debug_level=2" \
4869 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4870 0 \
4871 -s "cookie verification failed" \
4872 -s "cookie verification passed" \
4873 -S "cookie verification skipped" \
4874 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4875 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4876 -S "SSL - The requested feature is not available"
4877
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4878# Tests for client reconnecting from the same port with DTLS
4879
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4880not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4881run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4882 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
4883 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4884 0 \
4885 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4886 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4887 -S "Client initiated reconnection from same port"
4888
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4889not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4890run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4891 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
4892 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4893 0 \
4894 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4895 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4896 -s "Client initiated reconnection from same port"
4897
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]4898not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
4899run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4900 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
4901 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4902 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4903 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4904 -s "Client initiated reconnection from same port"
4905
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]4906only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
4907run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
4908 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
4909 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
4910 0 \
4911 -S "The operation timed out" \
4912 -s "Client initiated reconnection from same port"
4913
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4914run_test "DTLS client reconnect from same port: no cookies" \
4915 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]4916 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
4917 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4918 -s "The operation timed out" \
4919 -S "Client initiated reconnection from same port"
4920
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4921# Tests for various cases of client authentication with DTLS
4922# (focused on handshake flows and message parsing)
4923
4924run_test "DTLS client auth: required" \
4925 "$P_SRV dtls=1 auth_mode=required" \
4926 "$P_CLI dtls=1" \
4927 0 \
4928 -s "Verifying peer X.509 certificate... ok"
4929
4930run_test "DTLS client auth: optional, client has no cert" \
4931 "$P_SRV dtls=1 auth_mode=optional" \
4932 "$P_CLI dtls=1 crt_file=none key_file=none" \
4933 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4934 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4935
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4936run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4937 "$P_SRV dtls=1 auth_mode=none" \
4938 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
4939 0 \
4940 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4941 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4942
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]4943run_test "DTLS wrong PSK: badmac alert" \
4944 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
4945 "$P_CLI dtls=1 psk=abc124" \
4946 1 \
4947 -s "SSL - Verification of the message MAC failed" \
4948 -c "SSL - A fatal alert message was received from our peer"
4949
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]4950# Tests for receiving fragmented handshake messages with DTLS
4951
4952requires_gnutls
4953run_test "DTLS reassembly: no fragmentation (gnutls server)" \
4954 "$G_SRV -u --mtu 2048 -a" \
4955 "$P_CLI dtls=1 debug_level=2" \
4956 0 \
4957 -C "found fragmented DTLS handshake message" \
4958 -C "error"
4959
4960requires_gnutls
4961run_test "DTLS reassembly: some fragmentation (gnutls server)" \
4962 "$G_SRV -u --mtu 512" \
4963 "$P_CLI dtls=1 debug_level=2" \
4964 0 \
4965 -c "found fragmented DTLS handshake message" \
4966 -C "error"
4967
4968requires_gnutls
4969run_test "DTLS reassembly: more fragmentation (gnutls server)" \
4970 "$G_SRV -u --mtu 128" \
4971 "$P_CLI dtls=1 debug_level=2" \
4972 0 \
4973 -c "found fragmented DTLS handshake message" \
4974 -C "error"
4975
4976requires_gnutls
4977run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
4978 "$G_SRV -u --mtu 128" \
4979 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4980 0 \
4981 -c "found fragmented DTLS handshake message" \
4982 -C "error"
4983
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4984requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4985requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4986run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
4987 "$G_SRV -u --mtu 256" \
4988 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
4989 0 \
4990 -c "found fragmented DTLS handshake message" \
4991 -c "client hello, adding renegotiation extension" \
4992 -c "found renegotiation extension" \
4993 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4994 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4995 -C "error" \
4996 -s "Extra-header:"
4997
4998requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4999requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5000run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
5001 "$G_SRV -u --mtu 256" \
5002 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
5003 0 \
5004 -c "found fragmented DTLS handshake message" \
5005 -c "client hello, adding renegotiation extension" \
5006 -c "found renegotiation extension" \
5007 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5008 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5009 -C "error" \
5010 -s "Extra-header:"
5011
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]5012run_test "DTLS reassembly: no fragmentation (openssl server)" \
5013 "$O_SRV -dtls1 -mtu 2048" \
5014 "$P_CLI dtls=1 debug_level=2" \
5015 0 \
5016 -C "found fragmented DTLS handshake message" \
5017 -C "error"
5018
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5019run_test "DTLS reassembly: some fragmentation (openssl server)" \
5020 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]5021 "$P_CLI dtls=1 debug_level=2" \
5022 0 \
5023 -c "found fragmented DTLS handshake message" \
5024 -C "error"
5025
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5026run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]5027 "$O_SRV -dtls1 -mtu 256" \
5028 "$P_CLI dtls=1 debug_level=2" \
5029 0 \
5030 -c "found fragmented DTLS handshake message" \
5031 -C "error"
5032
5033run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
5034 "$O_SRV -dtls1 -mtu 256" \
5035 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5036 0 \
5037 -c "found fragmented DTLS handshake message" \
5038 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]5039
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]5040# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]5041
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5042not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5043run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]5044 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5045 "$P_SRV dtls=1 debug_level=2" \
5046 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5047 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]5048 -C "replayed record" \
5049 -S "replayed record" \
5050 -C "record from another epoch" \
5051 -S "record from another epoch" \
5052 -C "discarding invalid record" \
5053 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5054 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5055 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5056 -c "HTTP/1.0 200 OK"
5057
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5058not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]5059run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5060 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5061 "$P_SRV dtls=1 debug_level=2" \
5062 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5063 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]5064 -c "replayed record" \
5065 -s "replayed record" \
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]5066 -c "record from another epoch" \
5067 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5068 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5069 -s "Extra-header:" \
5070 -c "HTTP/1.0 200 OK"
5071
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]5072run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
5073 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5074 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
5075 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]5076 0 \
5077 -c "replayed record" \
5078 -S "replayed record" \
Hanno Becker52c6dc62017-05-26 16:07:36 +0100[diff] [blame]5079 -c "record from another epoch" \
5080 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5081 -c "resend" \
5082 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]5083 -s "Extra-header:" \
5084 -c "HTTP/1.0 200 OK"
5085
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]5086run_test "DTLS proxy: multiple records in same datagram" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]5087 -p "$P_PXY pack=50" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]5088 "$P_SRV dtls=1 debug_level=2" \
5089 "$P_CLI dtls=1 debug_level=2" \
5090 0 \
5091 -c "next record in same datagram" \
5092 -s "next record in same datagram"
5093
5094run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]5095 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]5096 "$P_SRV dtls=1 debug_level=2" \
5097 "$P_CLI dtls=1 debug_level=2" \
5098 0 \
5099 -c "next record in same datagram" \
5100 -s "next record in same datagram"
5101
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5102run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5103 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]5104 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5105 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5106 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]5107 -c "discarding invalid record (mac)" \
5108 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5109 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5110 -c "HTTP/1.0 200 OK" \
5111 -S "too many records with bad MAC" \
5112 -S "Verification of the message MAC failed"
5113
5114run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
5115 -p "$P_PXY bad_ad=1" \
5116 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
5117 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5118 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]5119 -C "discarding invalid record (mac)" \
5120 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5121 -S "Extra-header:" \
5122 -C "HTTP/1.0 200 OK" \
5123 -s "too many records with bad MAC" \
5124 -s "Verification of the message MAC failed"
5125
5126run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
5127 -p "$P_PXY bad_ad=1" \
5128 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
5129 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5130 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]5131 -c "discarding invalid record (mac)" \
5132 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5133 -s "Extra-header:" \
5134 -c "HTTP/1.0 200 OK" \
5135 -S "too many records with bad MAC" \
5136 -S "Verification of the message MAC failed"
5137
5138run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
5139 -p "$P_PXY bad_ad=1" \
5140 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
5141 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
5142 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]5143 -c "discarding invalid record (mac)" \
5144 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5145 -s "Extra-header:" \
5146 -c "HTTP/1.0 200 OK" \
5147 -s "too many records with bad MAC" \
5148 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5149
5150run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]5151 -p "$P_PXY delay_ccs=1" \
5152 "$P_SRV dtls=1 debug_level=1" \
5153 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5154 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]5155 -c "record from another epoch" \
5156 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5157 -s "Extra-header:" \
5158 -c "HTTP/1.0 200 OK"
5159
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]5160# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5161
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5162client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5163run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5164 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5165 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
5166 psk=abc123" \
5167 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5168 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5169 0 \
5170 -s "Extra-header:" \
5171 -c "HTTP/1.0 200 OK"
5172
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5173client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5174run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
5175 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5176 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
5177 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5178 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5179 0 \
5180 -s "Extra-header:" \
5181 -c "HTTP/1.0 200 OK"
5182
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5183client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5184run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
5185 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5186 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
5187 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5188 0 \
5189 -s "Extra-header:" \
5190 -c "HTTP/1.0 200 OK"
5191
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5192client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5193run_test "DTLS proxy: 3d, FS, client auth" \
5194 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5195 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
5196 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5197 0 \
5198 -s "Extra-header:" \
5199 -c "HTTP/1.0 200 OK"
5200
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5201client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5202run_test "DTLS proxy: 3d, FS, ticket" \
5203 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5204 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
5205 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5206 0 \
5207 -s "Extra-header:" \
5208 -c "HTTP/1.0 200 OK"
5209
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5210client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5211run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
5212 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5213 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
5214 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5215 0 \
5216 -s "Extra-header:" \
5217 -c "HTTP/1.0 200 OK"
5218
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5219client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5220run_test "DTLS proxy: 3d, max handshake, nbio" \
5221 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5222 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
5223 auth_mode=required" \
5224 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5225 0 \
5226 -s "Extra-header:" \
5227 -c "HTTP/1.0 200 OK"
5228
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5229client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]5230run_test "DTLS proxy: 3d, min handshake, resumption" \
5231 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5232 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
5233 psk=abc123 debug_level=3" \
5234 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
5235 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
5236 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5237 0 \
5238 -s "a session has been resumed" \
5239 -c "a session has been resumed" \
5240 -s "Extra-header:" \
5241 -c "HTTP/1.0 200 OK"
5242
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5243client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]5244run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
5245 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5246 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
5247 psk=abc123 debug_level=3 nbio=2" \
5248 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
5249 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
5250 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
5251 0 \
5252 -s "a session has been resumed" \
5253 -c "a session has been resumed" \
5254 -s "Extra-header:" \
5255 -c "HTTP/1.0 200 OK"
5256
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5257client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5258requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5259run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]5260 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5261 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
5262 psk=abc123 renegotiation=1 debug_level=2" \
5263 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
5264 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]5265 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5266 0 \
5267 -c "=> renegotiate" \
5268 -s "=> renegotiate" \
5269 -s "Extra-header:" \
5270 -c "HTTP/1.0 200 OK"
5271
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5272client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5273requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5274run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
5275 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5276 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
5277 psk=abc123 renegotiation=1 debug_level=2" \
5278 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
5279 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5280 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5281 0 \
5282 -c "=> renegotiate" \
5283 -s "=> renegotiate" \
5284 -s "Extra-header:" \
5285 -c "HTTP/1.0 200 OK"
5286
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5287client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5288requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5289run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5290 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5291 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5292 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5293 debug_level=2" \
5294 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5295 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5296 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5297 0 \
5298 -c "=> renegotiate" \
5299 -s "=> renegotiate" \
5300 -s "Extra-header:" \
5301 -c "HTTP/1.0 200 OK"
5302
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5303client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5304requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5305run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5306 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5307 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5308 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5309 debug_level=2 nbio=2" \
5310 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5311 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5312 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5313 0 \
5314 -c "=> renegotiate" \
5315 -s "=> renegotiate" \
5316 -s "Extra-header:" \
5317 -c "HTTP/1.0 200 OK"
5318
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5319client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5320not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5321run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5322 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5323 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]5324 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5325 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5326 -c "HTTP/1.0 200 OK"
5327
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5328client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5329not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5330run_test "DTLS proxy: 3d, openssl server, fragmentation" \
5331 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5332 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]5333 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5334 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5335 -c "HTTP/1.0 200 OK"
5336
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5337client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5338not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5339run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
5340 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5341 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]5342 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5343 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5344 -c "HTTP/1.0 200 OK"
5345
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5346requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5347client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5348not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5349run_test "DTLS proxy: 3d, gnutls server" \
5350 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5351 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]5352 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5353 0 \
5354 -s "Extra-header:" \
5355 -c "Extra-header:"
5356
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5357requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5358client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5359not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5360run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
5361 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5362 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]5363 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5364 0 \
5365 -s "Extra-header:" \
5366 -c "Extra-header:"
5367
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5368requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5369client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5370not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5371run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
5372 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5373 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]5374 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5375 0 \
5376 -s "Extra-header:" \
5377 -c "Extra-header:"
5378
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5379# Final report
5380
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5381echo "------------------------------------------------------------------------"
5382
5383if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]5384 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5385else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]5386 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5387fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]5388PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]5389echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5390
5391exit $FAILS