Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +01001#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +01003# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +01004#
Bence Szépkúti44bfbe32020-08-19 16:54:51 +02005# Copyright The Mbed TLS Contributors
Bence Szépkúti4e9f7122020-06-05 13:02:18 +02006# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7#
8# This file is provided under the Apache License 2.0, or the
9# GNU General Public License v2.0 or later.
10#
11# **********
12# Apache License 2.0:
Bence Szépkúti09b4f192020-05-26 01:54:15 +020013#
14# Licensed under the Apache License, Version 2.0 (the "License"); you may
15# not use this file except in compliance with the License.
16# You may obtain a copy of the License at
17#
18# http://www.apache.org/licenses/LICENSE-2.0
19#
20# Unless required by applicable law or agreed to in writing, software
21# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23# See the License for the specific language governing permissions and
24# limitations under the License.
25#
Bence Szépkúti4e9f7122020-06-05 13:02:18 +020026# **********
27#
28# **********
29# GNU General Public License v2.0 or later:
30#
31# This program is free software; you can redistribute it and/or modify
32# it under the terms of the GNU General Public License as published by
33# the Free Software Foundation; either version 2 of the License, or
34# (at your option) any later version.
35#
36# This program is distributed in the hope that it will be useful,
37# but WITHOUT ANY WARRANTY; without even the implied warranty of
38# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
39# GNU General Public License for more details.
40#
41# You should have received a copy of the GNU General Public License along
42# with this program; if not, write to the Free Software Foundation, Inc.,
43# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44#
45# **********
46#
Simon Butcher58eddef2016-05-19 23:43:11 +010047# Purpose
48#
49# Executes tests to prove various TLS/SSL options and extensions.
50#
51# The goal is not to cover every ciphersuite/version, but instead to cover
52# specific options (max fragment length, truncated hmac, etc) or procedures
53# (session resumption from cache or ticket, renego, etc).
54#
55# The tests assume a build with default options, with exceptions expressed
56# with a dependency. The tests focus on functionality and do not consider
57# performance.
58#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +010059
# Treat any reference to an unset variable as an error.
set -u

# Limit the size of each log to 10 GiB, in case of failures with this script
# where it may output seemingly unlimited length error logs.
ulimit -f 20971520

# Default programs and tools; each can be overridden by the environment.
# These values are expanded into the command lines run by the tests, so they
# are expected to come from a trusted environment.
: "${P_SRV:=../programs/ssl/ssl_server2}"
: "${P_CLI:=../programs/ssl/ssl_client2}"
: "${P_PXY:=../programs/test/udp_proxy}"
: "${OPENSSL_CMD:=openssl}" # OPENSSL would conflict with the build system
: "${GNUTLS_CLI:=gnutls-cli}"
: "${GNUTLS_SERV:=gnutls-serv}"
: "${PERL:=perl}"

# Command-line prefixes for the interoperability peers.
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12u.crt"
TCP_CLIENT="$PERL scripts/tcp_client.pl"

# Result counters.
TESTS=0
FAILS=0
SKIPS=0

# Build configuration header consulted by the requires_config_* helpers.
CONFIG_H='../include/mbedtls/config.h'

# Settings controlled by command-line options (see get_options).
MEMCHECK=0
FILTER='.*'
EXCLUDE='^$'

SHOW_TEST_NUMBER=0
RUN_TEST_NUMBER=''

PRESERVE_LOGS=0

# Pick a "unique" server port in the range 10000-19999, and a proxy
# port which is this plus 10000. Each port number may be independently
# overridden by a command line option.
SRV_PORT=$(( $$ % 10000 + 10000 ))
PXY_PORT=$(( SRV_PORT + 10000 ))
101
# Print the command-line help text on standard output.
print_usage() {
    printf '%s\n' "Usage: $0 [options]"
    printf ' -h|--help\tPrint this help.\n'
    printf ' -m|--memcheck\tCheck memory leaks and errors.\n'
    printf ' -f|--filter\tOnly matching tests are executed (BRE)\n'
    printf ' -e|--exclude\tMatching tests are excluded (BRE)\n'
    printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
    printf ' -s|--show-numbers\tShow test numbers in front of test names\n'
    printf ' -p|--preserve-logs\tPreserve logs of successful tests as well\n'
    printf ' --port\tTCP/UDP port (default: randomish 1xxxx)\n'
    printf ' --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n'
    printf ' --seed\tInteger seed value to use for this test run\n'
}
115
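# Parse the command line into the global settings used by the tests.
#
# Arguments: the script's arguments ("$@").
# Globals written: FILTER, EXCLUDE, MEMCHECK, RUN_TEST_NUMBER,
#   SHOW_TEST_NUMBER, PRESERVE_LOGS, SRV_PORT, PXY_PORT, SEED.
# Exits: 0 after printing the help for -h|--help; 1 on an unknown argument,
#   on an option that is missing its value, or on a non-numeric port.
get_options() {
    while [ $# -gt 0 ]; do
        # Options that take a value: report a missing value explicitly
        # rather than tripping 'set -u' on an unset $1 after the shift.
        case "$1" in
            -f|--filter|-e|--exclude|-n|--number|--port|--proxy-port|--seed)
                if [ $# -lt 2 ]; then
                    echo "Option '$1' requires an argument" >&2
                    print_usage
                    exit 1
                fi
                ;;
        esac

        case "$1" in
            -f|--filter)
                shift; FILTER=$1
                ;;
            -e|--exclude)
                shift; EXCLUDE=$1
                ;;
            -m|--memcheck)
                MEMCHECK=1
                ;;
            -n|--number)
                shift; RUN_TEST_NUMBER=$1
                ;;
            -s|--show-numbers)
                SHOW_TEST_NUMBER=1
                ;;
            -p|--preserve-logs)
                PRESERVE_LOGS=1
                ;;
            --port|--proxy-port)
                # Port numbers are substituted into the command lines that
                # the tests run, so accept only a plain decimal number.
                case "$2" in
                    ''|*[!0-9]*)
                        echo "Option '$1' requires a numeric port, got '$2'" >&2
                        print_usage
                        exit 1
                        ;;
                esac
                if [ "$1" = "--port" ]; then
                    SRV_PORT=$2
                else
                    PXY_PORT=$2
                fi
                shift
                ;;
            --seed)
                shift; SEED="$1"
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done
}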
159
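# Skip the next test if the flag $1 is not enabled in config.h, i.e. if
# $CONFIG_H has no active "#define $1" line.
#
# The option name is matched as a whole word. Matching on the prefix alone
# would let a longer option name that merely starts with $1 satisfy the
# requirement, so a test could run against a build that lacks the feature.
#
# Globals: CONFIG_H (read), SKIP_NEXT (written).
requires_config_enabled() {
    grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null ||
        SKIP_NEXT="YES"
}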
166
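# Skip the next test if the flag $1 is enabled in config.h, i.e. if
# $CONFIG_H has an active "#define $1" line.
#
# The option name is matched as a whole word. Matching on the prefix alone
# would let a longer option name that merely starts with $1 count as "$1 is
# enabled", silently skipping a test that should have run.
#
# Globals: CONFIG_H (read), SKIP_NEXT (written).
requires_config_disabled() {
    if grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null; then
        SKIP_NEXT="YES"
    fi
}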
173
# Skip the next test if OpenSSL doesn't support FALLBACK_SCSV.
#
# Support is detected by looking for "fallback_scsv" in the help output of
# "$OPENSSL_CMD s_client". The answer is cached in OPENSSL_HAS_FBSCSV so the
# probe runs only while that variable is empty or unset.
#
# Globals: OPENSSL_CMD (read), OPENSSL_HAS_FBSCSV (read/written),
#          SKIP_NEXT (written).
requires_openssl_with_fallback_scsv() {
    if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
        OPENSSL_HAS_FBSCSV="NO"
        if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null; then
            OPENSSL_HAS_FBSCSV="YES"
        fi
    fi

    case "$OPENSSL_HAS_FBSCSV" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
188
# Skip the next test if GnuTLS isn't available.
#
# GnuTLS counts as available when both $GNUTLS_CLI and $GNUTLS_SERV are found
# by "which". The answer is cached in GNUTLS_AVAILABLE so the lookup runs
# only while that variable is empty or unset.
#
# Globals: GNUTLS_CLI, GNUTLS_SERV (read), GNUTLS_AVAILABLE (read/written),
#          SKIP_NEXT (written).
requires_gnutls() {
    if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
        GNUTLS_AVAILABLE="NO"
        if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
            GNUTLS_AVAILABLE="YES"
        fi
    fi

    case "$GNUTLS_AVAILABLE" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
202
# Skip the next test if IPv6 isn't available on this host.
#
# The probe starts $P_SRV bound to ::1, stops it after one second and looks
# for the socket binding error in its output. The answer is cached in
# HAS_IPV6 so the probe runs only while that variable is empty or unset.
#
# Globals: P_SRV, SRV_OUT (read), SRV_PID, HAS_IPV6, SKIP_NEXT (written).
requires_ipv6() {
    if [ -z "${HAS_IPV6:-}" ]; then
        $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
        SRV_PID=$!
        sleep 1
        kill $SRV_PID >/dev/null 2>&1

        HAS_IPV6="YES"
        if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
            HAS_IPV6="NO"
        fi
        rm -r $SRV_OUT
    fi

    [ "$HAS_IPV6" = "NO" ] || return 0
    SKIP_NEXT="YES"
}
222
# Skip the next test if valgrind is in use (MEMCHECK greater than 0).
# Globals: MEMCHECK (read), SKIP_NEXT (written).
not_with_valgrind() {
    [ "$MEMCHECK" -gt 0 ] || return 0
    SKIP_NEXT="YES"
}
229
# Skip the next test if valgrind is NOT in use (MEMCHECK equal to 0).
# Globals: MEMCHECK (read), SKIP_NEXT (written).
only_with_valgrind() {
    [ "$MEMCHECK" -eq 0 ] || return 0
    SKIP_NEXT="YES"
}
236
# Multiply the client timeout delay by the given factor for the next test.
# Arguments: $1 - the factor, stored in the global CLI_DELAY_FACTOR.
client_needs_more_time() {
    CLI_DELAY_FACTOR="$1"
}
241
# Wait for the given number of seconds after the client finished in the
# next test.
# Arguments: $1 - the delay, stored in the global SRV_DELAY_SECONDS.
server_needs_more_time() {
    SRV_DELAY_SECONDS="$1"
}
246
# print_name <name>
#
# Count a new test and print its name followed by a run of dots, so that the
# result printed afterwards lines up in a column. The test number is printed
# in front of the name when SHOW_TEST_NUMBER is greater than 0.
#
# Globals: SHOW_TEST_NUMBER (read), TESTS (incremented), LINE, LEN (written).
print_name() {
    TESTS=$(( TESTS + 1 ))

    if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
        LINE="$TESTS $1"
    else
        LINE="$1"
    fi

    printf "%s " "$LINE"
    # wc -c also counts the newline added by echo.
    LEN=$(( 72 - $(echo "$LINE" | wc -c) ))
    for i in $(seq 1 $LEN); do
        printf '.'
    done
    printf ' '
}
263
# fail <message>
#
# Report the current test as failed: print FAIL and the message, keep the
# server, client and (when a proxy was used) proxy outputs as
# o-srv-N.log, o-cli-N.log and o-pxy-N.log where N is the test number, and
# increment the failure counter. When LOG_FAILURE_ON_STDOUT is set to
# anything other than 0, the saved logs are also copied to standard output.
#
# Globals: SRV_OUT, CLI_OUT, PXY_OUT, PXY_CMD, TESTS, LOG_FAILURE_ON_STDOUT
#          (read), FAILS (incremented).
fail() {
    echo "FAIL"
    echo " ! $1"

    mv $SRV_OUT o-srv-${TESTS}.log
    mv $CLI_OUT o-cli-${TESTS}.log
    [ -z "$PXY_CMD" ] || mv $PXY_OUT o-pxy-${TESTS}.log
    echo " ! outputs saved to o-XXX-${TESTS}.log"

    if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
        echo " ! server output:"
        cat o-srv-${TESTS}.log
        echo " ! ========================================================"
        echo " ! client output:"
        cat o-cli-${TESTS}.log
        if [ -n "$PXY_CMD" ]; then
            echo " ! ========================================================"
            echo " ! proxy output:"
            cat o-pxy-${TESTS}.log
        fi
        echo ""
    fi

    FAILS=$(( FAILS + 1 ))
}
292
# is_polar <cmd_line>
#
# Succeed when the command line mentions ssl_server2 or ssl_client2, that is
# when it runs one of this project's own test programs.
is_polar() {
    case "$1" in
        *ssl_server2*|*ssl_client2*) return 0 ;;
        *) return 1 ;;
    esac
}
297
# openssl s_server doesn't have -www with DTLS.
#
# When SRV_CMD is an s_server command line using a -dtls option, drop -www
# from it and record in NEEDS_INPUT that the server has to be fed input
# instead; otherwise clear NEEDS_INPUT.
#
# Globals: SRV_CMD (read, possibly rewritten), NEEDS_INPUT (written).
check_osrv_dtls() {
    NEEDS_INPUT=0
    case "$SRV_CMD" in
        *s_server*-dtls*)
            NEEDS_INPUT=1
            SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
            ;;
    esac
}
307
# Provide input to commands that need it.
#
# When NEEDS_INPUT is 0 this returns at once without output. Otherwise it
# writes one HTTP status line per second, forever; it is meant to be the
# writing end of a pipeline and ends when that pipeline is torn down.
provide_input() {
    if [ $NEEDS_INPUT -eq 0 ]; then
        return 0
    fi

    while :; do
        echo "HTTP/1.0 200 OK"
        sleep 1
    done
}
319
# has_mem_err <log_file_name>
#
# Succeed (status 0) when the log reports memory errors, fail (status 1) when
# it is clean. A log is only considered clean when it contains both the
# "no leaks are possible" line and the "0 errors from 0 contexts" summary, so
# a log in which either line is missing counts as having errors.
has_mem_err() {
    grep -F 'All heap blocks were freed -- no leaks are possible' "$1" >/dev/null ||
        return 0 # true: has errors
    grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" >/dev/null ||
        return 0 # true: has errors
    return 1 # false: does not have errors
}
330
# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
#
# Two implementations, chosen once when this file is read:
# - with lsof: poll until lsof reports that process $2 has port $1 open
#   (UDP when DTLS is 1, TCP otherwise); after more than DOG_DELAY seconds,
#   report "$3 START TIMEOUT" on stdout and in file $4 and stop waiting;
# - without lsof: just sleep for START_DELAY seconds.
if type lsof >/dev/null 2>/dev/null; then
    wait_app_start() {
        START_TIME=$(date +%s)
        proto=TCP
        if [ "$DTLS" -eq 1 ]; then
            proto=UDP
        fi
        # Make a tight loop, server normally takes less than 1s to start.
        until lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
            if [ $(( $(date +%s) - START_TIME )) -gt $DOG_DELAY ]; then
                echo "$3 START TIMEOUT"
                echo "$3 START TIMEOUT" >> $4
                break
            fi
            # Linux and *BSD support decimal arguments to sleep. On other
            # OSes this may be a tight loop.
            sleep 0.1 2>/dev/null || true
        done
    }
else
    echo "Warning: lsof not available, wait_app_start = sleep"
    wait_app_start() {
        sleep "$START_DELAY"
    }
fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200358
# Wait for server process $2 to be listening on port $1.
# A start timeout is reported under the name SERVER and logged to $SRV_OUT.
wait_server_start() {
    wait_app_start $1 $2 \
        "SERVER" $SRV_OUT
}
363
# Wait for proxy process $2 to be listening on port $1.
# A start timeout is reported under the name PROXY and logged to $PXY_OUT.
wait_proxy_start() {
    wait_app_start $1 $2 \
        "PROXY" $PXY_OUT
}
368
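# Given the client or server debug output, parse the unix timestamp that is
# included in the first 4 bytes of the random bytes and check that it's within
# acceptable bounds.
#
# Arguments: $1 - log file holding the debug output.
# Returns:   0 when the ServerHello time is within THRESHOLD_IN_SECS seconds
#            of the current time; 1 when it is outside those bounds, was not
#            printed, or is not a single decimal number.
# Globals:   SERVER_HELLO_TIME, CUR_TIME, THRESHOLD_IN_SECS (written).
check_server_hello_time() {
    # Extract the time from the debug (lvl 3) output of the client
    SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
    # Get the Unix timestamp for now
    CUR_TIME=$(date +'%s')
    THRESHOLD_IN_SECS=300

    # Fail closed: reject a missing value and anything that is not purely
    # digits (this also covers several matching lines). Without this, the
    # numeric comparisons below error out on such a value and the function
    # would fall through to success.
    case "$SERVER_HELLO_TIME" in
        ''|*[!0-9]*) return 1 ;;
    esac

    # Check the time in ServerHello is within acceptable bounds
    if [ "$SERVER_HELLO_TIME" -lt $(( CUR_TIME - THRESHOLD_IN_SECS )) ]; then
        # The time in ServerHello is at least 5 minutes before now
        return 1
    elif [ "$SERVER_HELLO_TIME" -gt $(( CUR_TIME + THRESHOLD_IN_SECS )) ]; then
        # The time in ServerHello is at least 5 minutes later than now
        return 1
    fi
    return 0
}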
395
# Wait for client to terminate and set CLI_EXIT.
# Must be called right after starting the client in the background.
#
# A watchdog kills the client after DOG_DELAY * CLI_DELAY_FACTOR seconds and
# marks the timeout in the client log. The per-test settings
# CLI_DELAY_FACTOR and SRV_DELAY_SECONDS are reset to 1 and 0 once used.
#
# Globals: DOG_DELAY, CLI_OUT (read); CLI_PID, CLI_DELAY, DOG_PID, CLI_EXIT
#          (written); CLI_DELAY_FACTOR, SRV_DELAY_SECONDS (read, then reset).
wait_client_done() {
    # Keep this first: $! must still refer to the client started by the caller.
    CLI_PID=$!

    CLI_DELAY=$(( DOG_DELAY * CLI_DELAY_FACTOR ))
    CLI_DELAY_FACTOR=1

    # Watchdog running in the background.
    (
        sleep $CLI_DELAY
        echo "===CLIENT_TIMEOUT===" >> $CLI_OUT
        kill $CLI_PID
    ) &
    DOG_PID=$!

    wait $CLI_PID
    CLI_EXIT=$?

    # The client is done: stop the watchdog and reap it.
    kill $DOG_PID >/dev/null 2>&1
    wait $DOG_PID

    echo "EXIT: $CLI_EXIT" >> $CLI_OUT

    # Optional extra time for the server, for this test only.
    sleep $SRV_DELAY_SECONDS
    SRV_DELAY_SECONDS=0
}
418
# Check if the given command uses DTLS and set the global variable DTLS
# accordingly (1 or 0). A command line counts as DTLS when it contains
# "dtls=1", "-dtls1" or "-u".
detect_dtls() {
    case "$1" in
        *dtls=1*|*-dtls1*|*-u*) DTLS=1 ;;
        *) DTLS=0 ;;
    esac
}
427
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options:  -s pattern  pattern that must be present in server output
#           -c pattern  pattern that must be present in client output
#           -u pattern  lines after pattern must be unique in client output
#           -f function call shell function on client output
#           -S pattern  pattern that must be absent in server output
#           -C pattern  pattern that must be absent in client output
#           -U pattern  lines after pattern must be unique in server output
#           -F function call shell function on server output
#
# Run one test: start the server (and a proxy when one is used), run the
# client against it, then check the client exit status and every option
# given. Prints PASS, SKIP or (through fail) FAIL after the test name.
#
# Every option takes exactly one argument; patterns are passed to grep.
# cli_exit is only compared with 0: a non-zero value means "the client must
# exit with some non-zero status".
#
# The command lines are trusted input: srv_cmd and proxy_cmd are word-split
# and executed, and cli_cmd is passed to eval.
run_test() {
    NAME="$1"
    shift 1

    # Tests not selected by FILTER/EXCLUDE are dropped silently; a pending
    # skip request is cleared so that it does not leak to the next test.
    if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
    else
        SKIP_NEXT="NO"
        return
    fi

    print_name "$NAME"

    # Do we only run numbered tests?
    if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
    elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
    else
        SKIP_NEXT="YES"
    fi

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPS=$(( $SKIPS + 1 ))
        return
    fi

    # does this test use a proxy?
    if [ "X$1" = "X-p" ]; then
        PXY_CMD="$2"
        shift 2
    else
        PXY_CMD=""
    fi

    # get commands and client output
    SRV_CMD="$1"
    CLI_CMD="$2"
    CLI_EXPECT="$3"
    shift 3

    # update DTLS variable
    detect_dtls "$SRV_CMD"

    # if the test uses DTLS but no custom proxy, add a simple proxy
    # as it provides timing info that's useful to debug failures
    if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then
        PXY_CMD="$P_PXY"
        case " $SRV_CMD " in
            *' server_addr=::1 '*)
                PXY_CMD="$PXY_CMD server_addr=::1 listen_addr=::1";;
        esac
    fi

    # fix client port
    # The client talks to the proxy when there is one, to the server otherwise.
    # NOTE(review): the port values are expanded unquoted into the sed script
    # and the result is later passed to eval, so this relies on SRV_PORT and
    # PXY_PORT being plain numbers.
    if [ -n "$PXY_CMD" ]; then
        CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
    else
        CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
    fi

    # prepend valgrind to our commands if active
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD"; then
            SRV_CMD="valgrind --leak-check=full $SRV_CMD"
        fi
        if is_polar "$CLI_CMD"; then
            CLI_CMD="valgrind --leak-check=full $CLI_CMD"
        fi
    fi

    # At most two attempts: the second one only happens after a client timeout.
    TIMES_LEFT=2
    while [ $TIMES_LEFT -gt 0 ]; do
        TIMES_LEFT=$(( $TIMES_LEFT - 1 ))

        # run the commands
        if [ -n "$PXY_CMD" ]; then
            printf "# %s\n%s\n" "$NAME" "$PXY_CMD" > $PXY_OUT
            $PXY_CMD >> $PXY_OUT 2>&1 &
            PXY_PID=$!
            wait_proxy_start "$PXY_PORT" "$PXY_PID"
        fi

        check_osrv_dtls
        printf '# %s\n%s\n' "$NAME" "$SRV_CMD" > $SRV_OUT
        provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
        SRV_PID=$!
        wait_server_start "$SRV_PORT" "$SRV_PID"

        printf '# %s\n%s\n' "$NAME" "$CLI_CMD" > $CLI_OUT
        # eval is needed because client commands may be shell pipelines
        # (see O_CLI and G_CLI); CLI_CMD must therefore never contain
        # untrusted text.
        eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
        wait_client_done

        # terminate the server (and the proxy)
        kill $SRV_PID
        wait $SRV_PID
        if [ -n "$PXY_CMD" ]; then
            kill $PXY_PID >/dev/null 2>&1
            wait $PXY_PID
        fi

        # retry only on timeouts
        if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
            printf "RETRY "
        else
            TIMES_LEFT=0
        fi
    done

    # check if the client and server went at least to the handshake stage
    # (useful to avoid tests with only negative assertions and non-zero
    # expected client exit to incorrectly succeed in case of catastrophic
    # failure)
    if is_polar "$SRV_CMD"; then
        if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi
    if is_polar "$CLI_CMD"; then
        if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi

    # check server exit code
    # NOTE(review): $? here is the status of the preceding 'if' statement,
    # not the status returned by 'wait $SRV_PID' above, which is not saved.
    # As written this check does not appear to observe the server's exit
    # code; confirm the intent before relying on it.
    if [ $? != 0 ]; then
        fail "server fail"
        return
    fi

    # check client exit code
    if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
         \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
    then
        fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
        return
    fi

    # check other assertions
    # lines beginning with == are added by valgrind, ignore them
    # lines with 'Serious error when reading debug info', are valgrind issues as well
    while [ $# -gt 0 ]
    do
        case $1 in
            "-s")
                if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Server output"
                    return
                fi
                ;;

            "-c")
                if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Client output"
                    return
                fi
                ;;

            "-S")
                if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Server output"
                    return
                fi
                ;;

            "-C")
                if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Client output"
                    return
                fi
                ;;

                # The filtering in the following two options (-u and -U) do the following
                #   - ignore valgrind output
                #   - filter out everything but lines right after the pattern occurrences
                #   - keep one of each non-unique line
                #   - count how many lines remain
                # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
                # if there were no duplicates.
            "-U")
                if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Server output"
                    return
                fi
                ;;

            "-u")
                if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Client output"
                    return
                fi
                ;;
            # -F / -f: $2 names a shell function that receives the log file
            # name and must succeed.
            "-F")
                if ! $2 "$SRV_OUT"; then
                    fail "function call to '$2' failed on Server output"
                    return
                fi
                ;;
            "-f")
                if ! $2 "$CLI_OUT"; then
                    fail "function call to '$2' failed on Client output"
                    return
                fi
                ;;

            *)
                echo "Unknown test: $1" >&2
                exit 1
        esac
        shift 2
    done

    # check valgrind's results
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
            fail "Server has memory errors"
            return
        fi
        if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
            fail "Client has memory errors"
            return
        fi
    fi

    # if we're here, everything is ok
    echo "PASS"
    if [ "$PRESERVE_LOGS" -gt 0 ]; then
        mv $SRV_OUT o-srv-${TESTS}.log
        mv $CLI_OUT o-cli-${TESTS}.log
        if [ -n "$PXY_CMD" ]; then
            mv $PXY_OUT o-pxy-${TESTS}.log
        fi
    fi

    # Logs that were not preserved above are discarded.
    rm -f $SRV_OUT $CLI_OUT $PXY_OUT
}
677
# Remove the temporary output and session files, stop any child process
# whose PID has been recorded (server, proxy, client, watchdog), then exit
# with status 1.
cleanup() {
    rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
    for child in "${SRV_PID:-}" "${PXY_PID:-}" "${CLI_PID:-}" "${DOG_PID:-}"; do
        if [ -n "$child" ]; then
            kill $child >/dev/null 2>&1
        fi
    done
    exit 1
}
686
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100687#
688# MAIN
689#
690
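# Run from the directory that holds this script. Both expansions are quoted so
# that a checkout path containing spaces or glob characters stays one word.
if cd "$( dirname "$0" )"; then :; else
    echo "cd $( dirname "$0" ) failed" >&2
    exit 1
fi

get_options "$@"

# sanity checks, avoid an avalanche of errors
# These -x tests must run before the setup code further down appends
# arguments to P_SRV / P_CLI / P_PXY: at this point each variable is still
# tested as a bare path.
if [ ! -x "$P_SRV" ]; then
    echo "Command '$P_SRV' is not an executable file"
    exit 1
fi
if [ ! -x "$P_CLI" ]; then
    echo "Command '$P_CLI' is not an executable file"
    exit 1
fi
if [ ! -x "$P_PXY" ]; then
    echo "Command '$P_PXY' is not an executable file"
    exit 1
fi
if [ "$MEMCHECK" -gt 0 ]; then
    # "command -v" is the POSIX way to look a command up; "which" is an
    # external tool that may be missing and whose exit status is not
    # standardized.
    if command -v valgrind >/dev/null 2>&1; then :; else
        echo "Memcheck not possible. Valgrind not found"
        exit 1
    fi
fi
# OPENSSL_CMD is looked up as a single command name or path (assumed to hold
# no extra arguments; confirm against how callers set it).
if command -v "$OPENSSL_CMD" >/dev/null 2>&1; then :; else
    echo "Command '$OPENSSL_CMD' not found"
    exit 1
fi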
721
# PID of this script, recorded for the watchdog.
MAIN_PID="$$"

# Two somewhat arbitrary delays bound every test:
# - START_DELAY: how long to wait for the server to start when lsof is not
#   available;
# - DOG_DELAY: how long the client may run before the watchdog steps in
#   (this is not a performance check, it only avoids waiting forever).
#
# Without lsof, START_DELAY trades total running time against spurious
# failures caused by not waiting long enough. DOG_DELAY does not affect the
# normal running time, only the case where a client or server gets stuck.
#
# Start from the normal values, then give extra time under valgrind, where
# everything is slower.
START_DELAY=2
DOG_DELAY=20
if [ "$MEMCHECK" -gt 0 ]; then
    START_DELAY=6
    DOG_DELAY=60
fi

# Per-test adjustments for tests that need more time:
# - client: the usual watchdog limit is multiplied by CLI_DELAY_FACTOR
# - server: sleep SRV_DELAY_SECONDS after the client exits
# see client_need_more_time() and server_needs_more_time()
CLI_DELAY_FACTOR=1
SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200749
# Pin every endpoint to the chosen ports and to the IPv4 loopback address.
# The literal "+SRV_PORT" in the client commands is a placeholder: it is
# replaced later by either $SRV_PORT or $PXY_PORT.
#
# allow_sha1=1 is appended to the Mbed TLS server and client because many of
# the test certificates use SHA-1; the SHA-1 policy tests append their own
# allow_sha1 value after it.
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT allow_sha1=1"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT allow_sha1=1"
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT localhost"

# Intermediate files are named after this shell's PID so that each run gets
# its own set.
# NOTE(review): PID-based names are predictable. These are relative paths,
# so they land in the current directory (the script changes to its own
# directory at startup); switch to mktemp if they ever move to a shared
# temporary directory.
SESSION="session.$$"
PXY_OUT="pxy_out.$$"
CLI_OUT="cli_out.$$"
SRV_OUT="srv_out.$$"

SKIP_NEXT="NO"

# Remove the files above and stop child processes if the run is interrupted.
trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100773
# Basic test

# Argument order for run_test, as used by every case in this file: test name,
# server command line, client command line, expected client exit status, then
# log checks. By run_test's option convention (run_test is defined earlier in
# this file; its usage comment is authoritative): -s / -c require the pattern
# in the server / client output, -S / -C require that it is absent.

# Checks that:
# - things work with all ciphersuites active (used with config-full in all.sh)
# - the expected (highest security) parameters are selected
#   ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
# The -S "error" / -C "error" checks additionally fail the test if the string
# "error" shows up in either log, even when the handshake completes.
run_test    "Default" \
            "$P_SRV debug_level=3" \
            "$P_CLI" \
            0 \
            -s "Protocol is TLSv1.2" \
            -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
            -s "client hello v3, signature_algorithm ext: 6" \
            -s "ECDHE curve: secp521r1" \
            -S "error" \
            -C "error"

# DTLS variant: pins only the negotiated protocol version and ciphersuite
# (no hash, curve or "error" checks, unlike the TLS case above).
run_test    "Default, DTLS" \
            "$P_SRV dtls=1" \
            "$P_CLI dtls=1" \
            0 \
            -s "Protocol is DTLSv1.2" \
            -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
797
Manuel Pégourié-Gonnard45575512020-01-02 11:58:00 +0100798requires_config_enabled MBEDTLS_ZLIB_SUPPORT
799run_test "Default (compression enabled)" \
800 "$P_SRV debug_level=3" \
801 "$P_CLI debug_level=3" \
802 0 \
803 -s "Allocating compression buffer" \
804 -c "Allocating compression buffer" \
805 -s "Record expansion is unknown (compression)" \
806 -c "Record expansion is unknown (compression)" \
807 -S "error" \
808 -C "error"
809
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100810# Test current time in ServerHello
811requires_config_enabled MBEDTLS_HAVE_TIME
812run_test "Default, ServerHello contains gmt_unix_time" \
813 "$P_SRV debug_level=3" \
814 "$P_CLI debug_level=3" \
815 0 \
816 -s "Protocol is TLSv1.2" \
817 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
818 -s "client hello v3, signature_algorithm ext: 6" \
819 -s "ECDHE curve: secp521r1" \
820 -S "error" \
821 -C "error" \
822 -f "check_server_hello_time" \
823 -F "check_server_hello_time"
824
Simon Butcher8e004102016-10-14 00:48:33 +0100825# Test for uniqueness of IVs in AEAD ciphersuites
826run_test "Unique IV in GCM" \
827 "$P_SRV exchanges=20 debug_level=4" \
828 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
829 0 \
830 -u "IV used" \
831 -U "IV used"
832
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100833# Tests for rc4 option
834
Simon Butchera410af52016-05-19 22:12:18 +0100835requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100836run_test "RC4: server disabled, client enabled" \
837 "$P_SRV" \
838 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
839 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100840 -s "SSL - The server has no ciphersuites in common"
841
Simon Butchera410af52016-05-19 22:12:18 +0100842requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100843run_test "RC4: server half, client enabled" \
844 "$P_SRV arc4=1" \
845 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
846 1 \
847 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100848
849run_test "RC4: server enabled, client disabled" \
850 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
851 "$P_CLI" \
852 1 \
853 -s "SSL - The server has no ciphersuites in common"
854
855run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100856 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100857 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
858 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100859 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100860 -S "SSL - The server has no ciphersuites in common"
861
Hanno Becker3a333a52018-08-17 09:54:10 +0100862# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
863
864requires_gnutls
865requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
866run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
867 "$G_SRV"\
868 "$P_CLI force_version=tls1_1" \
869 0
870
871requires_gnutls
872requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
873run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
874 "$G_SRV"\
875 "$P_CLI force_version=tls1" \
876 0
877
Gilles Peskinebc70a182017-05-09 15:59:24 +0200878# Tests for SHA-1 support
879
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200880requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200881run_test "SHA-1 forbidden by default in server certificate" \
882 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
883 "$P_CLI debug_level=2 allow_sha1=0" \
884 1 \
885 -c "The certificate is signed with an unacceptable hash"
886
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200887requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
888run_test "SHA-1 forbidden by default in server certificate" \
889 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
890 "$P_CLI debug_level=2 allow_sha1=0" \
891 0
892
Gilles Peskinebc70a182017-05-09 15:59:24 +0200893run_test "SHA-1 explicitly allowed in server certificate" \
894 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
895 "$P_CLI allow_sha1=1" \
896 0
897
898run_test "SHA-256 allowed by default in server certificate" \
899 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
900 "$P_CLI allow_sha1=0" \
901 0
902
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200903requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200904run_test "SHA-1 forbidden by default in client certificate" \
905 "$P_SRV auth_mode=required allow_sha1=0" \
906 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
907 1 \
908 -s "The certificate is signed with an unacceptable hash"
909
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200910requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
911run_test "SHA-1 forbidden by default in client certificate" \
912 "$P_SRV auth_mode=required allow_sha1=0" \
913 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
914 0
915
Gilles Peskinebc70a182017-05-09 15:59:24 +0200916run_test "SHA-1 explicitly allowed in client certificate" \
917 "$P_SRV auth_mode=required allow_sha1=1" \
918 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
919 0
920
921run_test "SHA-256 allowed by default in client certificate" \
922 "$P_SRV auth_mode=required allow_sha1=0" \
923 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
924 0
925
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100926# Tests for Truncated HMAC extension
927
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100928run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200929 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100930 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100931 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000932 -s "dumping 'expected mac' (20 bytes)" \
933 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100934
Hanno Becker32c55012017-11-10 08:42:54 +0000935requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100936run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200937 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000938 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100939 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000940 -s "dumping 'expected mac' (20 bytes)" \
941 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100942
Hanno Becker32c55012017-11-10 08:42:54 +0000943requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100944run_test "Truncated HMAC: client enabled, server default" \
945 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000946 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100947 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000948 -s "dumping 'expected mac' (20 bytes)" \
949 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100950
Hanno Becker32c55012017-11-10 08:42:54 +0000951requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100952run_test "Truncated HMAC: client enabled, server disabled" \
953 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000954 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100955 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000956 -s "dumping 'expected mac' (20 bytes)" \
957 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100958
Hanno Becker32c55012017-11-10 08:42:54 +0000959requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000960run_test "Truncated HMAC: client disabled, server enabled" \
961 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000962 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000963 0 \
964 -s "dumping 'expected mac' (20 bytes)" \
965 -S "dumping 'expected mac' (10 bytes)"
966
967requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100968run_test "Truncated HMAC: client enabled, server enabled" \
969 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000970 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100971 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000972 -S "dumping 'expected mac' (20 bytes)" \
973 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100974
Hanno Becker4c4f4102017-11-10 09:16:05 +0000975run_test "Truncated HMAC, DTLS: client default, server default" \
976 "$P_SRV dtls=1 debug_level=4" \
977 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
978 0 \
979 -s "dumping 'expected mac' (20 bytes)" \
980 -S "dumping 'expected mac' (10 bytes)"
981
982requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
983run_test "Truncated HMAC, DTLS: client disabled, server default" \
984 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000985 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000986 0 \
987 -s "dumping 'expected mac' (20 bytes)" \
988 -S "dumping 'expected mac' (10 bytes)"
989
990requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
991run_test "Truncated HMAC, DTLS: client enabled, server default" \
992 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000993 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000994 0 \
995 -s "dumping 'expected mac' (20 bytes)" \
996 -S "dumping 'expected mac' (10 bytes)"
997
998requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
999run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1000 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +00001001 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +00001002 0 \
1003 -s "dumping 'expected mac' (20 bytes)" \
1004 -S "dumping 'expected mac' (10 bytes)"
1005
1006requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1007run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1008 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +00001009 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +00001010 0 \
1011 -s "dumping 'expected mac' (20 bytes)" \
1012 -S "dumping 'expected mac' (10 bytes)"
1013
1014requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1015run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1016 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +00001017 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +01001018 0 \
1019 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001020 -s "dumping 'expected mac' (10 bytes)"
1021
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001022# Tests for Encrypt-then-MAC extension
1023
1024run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001025 "$P_SRV debug_level=3 \
1026 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001027 "$P_CLI debug_level=3" \
1028 0 \
1029 -c "client hello, adding encrypt_then_mac extension" \
1030 -s "found encrypt then mac extension" \
1031 -s "server hello, adding encrypt then mac extension" \
1032 -c "found encrypt_then_mac extension" \
1033 -c "using encrypt then mac" \
1034 -s "using encrypt then mac"
1035
1036run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001037 "$P_SRV debug_level=3 etm=0 \
1038 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001039 "$P_CLI debug_level=3 etm=1" \
1040 0 \
1041 -c "client hello, adding encrypt_then_mac extension" \
1042 -s "found encrypt then mac extension" \
1043 -S "server hello, adding encrypt then mac extension" \
1044 -C "found encrypt_then_mac extension" \
1045 -C "using encrypt then mac" \
1046 -S "using encrypt then mac"
1047
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +01001048run_test "Encrypt then MAC: client enabled, aead cipher" \
1049 "$P_SRV debug_level=3 etm=1 \
1050 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
1051 "$P_CLI debug_level=3 etm=1" \
1052 0 \
1053 -c "client hello, adding encrypt_then_mac extension" \
1054 -s "found encrypt then mac extension" \
1055 -S "server hello, adding encrypt then mac extension" \
1056 -C "found encrypt_then_mac extension" \
1057 -C "using encrypt then mac" \
1058 -S "using encrypt then mac"
1059
1060run_test "Encrypt then MAC: client enabled, stream cipher" \
1061 "$P_SRV debug_level=3 etm=1 \
1062 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01001063 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +01001064 0 \
1065 -c "client hello, adding encrypt_then_mac extension" \
1066 -s "found encrypt then mac extension" \
1067 -S "server hello, adding encrypt then mac extension" \
1068 -C "found encrypt_then_mac extension" \
1069 -C "using encrypt then mac" \
1070 -S "using encrypt then mac"
1071
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001072run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001073 "$P_SRV debug_level=3 etm=1 \
1074 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001075 "$P_CLI debug_level=3 etm=0" \
1076 0 \
1077 -C "client hello, adding encrypt_then_mac extension" \
1078 -S "found encrypt then mac extension" \
1079 -S "server hello, adding encrypt then mac extension" \
1080 -C "found encrypt_then_mac extension" \
1081 -C "using encrypt then mac" \
1082 -S "using encrypt then mac"
1083
Janos Follathe2681a42016-03-07 15:57:05 +00001084requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001085run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001086 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001087 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001088 "$P_CLI debug_level=3 force_version=ssl3" \
1089 0 \
1090 -C "client hello, adding encrypt_then_mac extension" \
1091 -S "found encrypt then mac extension" \
1092 -S "server hello, adding encrypt then mac extension" \
1093 -C "found encrypt_then_mac extension" \
1094 -C "using encrypt then mac" \
1095 -S "using encrypt then mac"
1096
Janos Follathe2681a42016-03-07 15:57:05 +00001097requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001098run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001099 "$P_SRV debug_level=3 force_version=ssl3 \
1100 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001101 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001102 0 \
1103 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +01001104 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001105 -S "server hello, adding encrypt then mac extension" \
1106 -C "found encrypt_then_mac extension" \
1107 -C "using encrypt then mac" \
1108 -S "using encrypt then mac"
1109
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001110# Tests for Extended Master Secret extension
1111
1112run_test "Extended Master Secret: default" \
1113 "$P_SRV debug_level=3" \
1114 "$P_CLI debug_level=3" \
1115 0 \
1116 -c "client hello, adding extended_master_secret extension" \
1117 -s "found extended master secret extension" \
1118 -s "server hello, adding extended master secret extension" \
1119 -c "found extended_master_secret extension" \
1120 -c "using extended master secret" \
1121 -s "using extended master secret"
1122
1123run_test "Extended Master Secret: client enabled, server disabled" \
1124 "$P_SRV debug_level=3 extended_ms=0" \
1125 "$P_CLI debug_level=3 extended_ms=1" \
1126 0 \
1127 -c "client hello, adding extended_master_secret extension" \
1128 -s "found extended master secret extension" \
1129 -S "server hello, adding extended master secret extension" \
1130 -C "found extended_master_secret extension" \
1131 -C "using extended master secret" \
1132 -S "using extended master secret"
1133
1134run_test "Extended Master Secret: client disabled, server enabled" \
1135 "$P_SRV debug_level=3 extended_ms=1" \
1136 "$P_CLI debug_level=3 extended_ms=0" \
1137 0 \
1138 -C "client hello, adding extended_master_secret extension" \
1139 -S "found extended master secret extension" \
1140 -S "server hello, adding extended master secret extension" \
1141 -C "found extended_master_secret extension" \
1142 -C "using extended master secret" \
1143 -S "using extended master secret"
1144
Janos Follathe2681a42016-03-07 15:57:05 +00001145requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001146run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001147 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001148 "$P_CLI debug_level=3 force_version=ssl3" \
1149 0 \
1150 -C "client hello, adding extended_master_secret extension" \
1151 -S "found extended master secret extension" \
1152 -S "server hello, adding extended master secret extension" \
1153 -C "found extended_master_secret extension" \
1154 -C "using extended master secret" \
1155 -S "using extended master secret"
1156
Janos Follathe2681a42016-03-07 15:57:05 +00001157requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001158run_test "Extended Master Secret: client enabled, server SSLv3" \
1159 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001160 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001161 0 \
1162 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +01001163 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001164 -S "server hello, adding extended master secret extension" \
1165 -C "found extended_master_secret extension" \
1166 -C "using extended master secret" \
1167 -S "using extended master secret"
1168
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001169# Tests for FALLBACK_SCSV
1170
1171run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001172 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001173 "$P_CLI debug_level=3 force_version=tls1_1" \
1174 0 \
1175 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001176 -S "received FALLBACK_SCSV" \
1177 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001178 -C "is a fatal alert message (msg 86)"
1179
1180run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001181 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001182 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1183 0 \
1184 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001185 -S "received FALLBACK_SCSV" \
1186 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001187 -C "is a fatal alert message (msg 86)"
1188
1189run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001190 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001191 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001192 1 \
1193 -c "adding FALLBACK_SCSV" \
1194 -s "received FALLBACK_SCSV" \
1195 -s "inapropriate fallback" \
1196 -c "is a fatal alert message (msg 86)"
1197
1198run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001199 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001200 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001201 0 \
1202 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001203 -s "received FALLBACK_SCSV" \
1204 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001205 -C "is a fatal alert message (msg 86)"
1206
1207requires_openssl_with_fallback_scsv
1208run_test "Fallback SCSV: default, openssl server" \
1209 "$O_SRV" \
1210 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1211 0 \
1212 -C "adding FALLBACK_SCSV" \
1213 -C "is a fatal alert message (msg 86)"
1214
1215requires_openssl_with_fallback_scsv
1216run_test "Fallback SCSV: enabled, openssl server" \
1217 "$O_SRV" \
1218 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1219 1 \
1220 -c "adding FALLBACK_SCSV" \
1221 -c "is a fatal alert message (msg 86)"
1222
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001223requires_openssl_with_fallback_scsv
1224run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001225 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001226 "$O_CLI -tls1_1" \
1227 0 \
1228 -S "received FALLBACK_SCSV" \
1229 -S "inapropriate fallback"
1230
1231requires_openssl_with_fallback_scsv
1232run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001233 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001234 "$O_CLI -tls1_1 -fallback_scsv" \
1235 1 \
1236 -s "received FALLBACK_SCSV" \
1237 -s "inapropriate fallback"
1238
1239requires_openssl_with_fallback_scsv
1240run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001241 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001242 "$O_CLI -fallback_scsv" \
1243 0 \
1244 -s "received FALLBACK_SCSV" \
1245 -S "inapropriate fallback"
1246
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001247# Test sending and receiving empty application data records
1248
1249run_test "Encrypt then MAC: empty application data record" \
1250 "$P_SRV auth_mode=none debug_level=4 etm=1" \
1251 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
1252 0 \
1253 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1254 -s "dumping 'input payload after decrypt' (0 bytes)" \
1255 -c "0 bytes written in 1 fragments"
1256
Manuel Pégourié-Gonnardd6e44542020-03-24 10:53:39 +01001257run_test "Encrypt then MAC: disabled, empty application data record" \
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001258 "$P_SRV auth_mode=none debug_level=4 etm=0" \
1259 "$P_CLI auth_mode=none etm=0 request_size=0" \
1260 0 \
1261 -s "dumping 'input payload after decrypt' (0 bytes)" \
1262 -c "0 bytes written in 1 fragments"
1263
1264run_test "Encrypt then MAC, DTLS: empty application data record" \
1265 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
1266 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
1267 0 \
1268 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1269 -s "dumping 'input payload after decrypt' (0 bytes)" \
1270 -c "0 bytes written in 1 fragments"
1271
Manuel Pégourié-Gonnardd6e44542020-03-24 10:53:39 +01001272run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001273 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
1274 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
1275 0 \
1276 -s "dumping 'input payload after decrypt' (0 bytes)" \
1277 -c "0 bytes written in 1 fragments"
1278
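## ClientHello generated with
## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
## then manually twiddling the ciphersuite list.
## The ClientHello content is spelled out below as a hex string as
## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
## The expected response is an inappropriate_fallback alert.
#
# Reading the hex: the ClientHello offers version 0x0302 (TLS 1.1) and the
# suite 0x5600 is TLS_FALLBACK_SCSV (RFC 7507). A server that supports a
# higher version must refuse such a hello wherever the SCSV sits in the
# list, which is why the first two cases differ only in its position. The
# expected reply '15030200020256' is an alert record carrying level 0x02
# (fatal) and description 0x56 (inappropriate_fallback).
#
# The pattern "inapropriate fallback" is spelled this way because it has to
# match the server's debug string verbatim (presumably the library text has
# the same spelling -- check it before "correcting" the pattern, otherwise
# the -s checks fail and the -S checks pass vacuously).
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: beginning of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: end of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

## Here the expected response is a valid ServerHello prefix, up to the random.
# Negative control: 0x0056 is not the SCSV code point (the two bytes are
# swapped), so the server must neither log the SCSV nor send the alert.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: not in list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"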
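# Tests for CBC 1/n-1 record splitting
#
# 1/n-1 splitting sends the first byte of application data in a record of
# its own, so that the implicit IV of the next CBC record is not known in
# advance (the usual countermeasure to the BEAST attack on CBC suites in
# SSLv3 / TLS 1.0). Every case sends a 123-byte request and checks how the
# server reads it:
#   splitting expected    -> "1 bytes read" and "122 bytes read", no "123"
#   no splitting expected -> "123 bytes read", no "1 bytes" / "122 bytes"
# Splitting is expected only for a CBC suite under TLS 1.0 or SSLv3 with the
# default client setting; TLS 1.1, TLS 1.2, RC4 and recsplit=0 must not split.

run_test "CBC Record splitting: TLS 1.2, no splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1_2" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.1, no splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1_1" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.0, splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

# SSLv3 is only exercised when the build has MBEDTLS_SSL_PROTO_SSL3, and the
# server has to lower its minimum version explicitly (min_version=ssl3).
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "CBC Record splitting: SSLv3, splitting" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=ssl3" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

# RC4 is a stream cipher, so there is no CBC IV to protect; the server must
# opt in to RC4 (arc4=1) for this case to negotiate at all.
run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
     request_size=123 force_version=tls1" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

# recsplit=0 turns the countermeasure off on the client: same suite and
# version as the "TLS 1.0, splitting" case, opposite expectation.
run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1 recsplit=0" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
    "$P_SRV nbio=2" \
    "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
     request_size=123 force_version=tls1" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"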
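# Tests for Session Tickets
#
# Each case reconnects once (reconnect=1, or two OpenSSL client runs sharing
# a session file) and checks which resumption path was taken. The ticket
# cases require "restored from ticket" and forbid "restored from cache", so
# a resumption that silently came from the server-side cache would fail.

run_test "Session resume using tickets: basic" \
    "$P_SRV debug_level=3 tickets=1" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using tickets: cache disabled" \
    "$P_SRV debug_level=3 tickets=1 cache_max=0" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# Expiry check: the client reconnects after reco_delay=2 while the server
# only honours tickets for ticket_timeout=1 (presumably both in seconds).
# The ticket is still issued and parsed, but neither side may report a
# resumed session; the connection must still succeed (exit code 0).
run_test "Session resume using tickets: timeout" \
    "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using tickets: openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -c "a session has been resumed"

# The OpenSSL client stores its session in $SESSION on the first run, reuses
# it on the second, and the file is removed afterwards.
# NOTE(review): $SESSION is set outside this part of the script and is
# expanded unquoted inside the command string -- confirm it is a
# whitespace-free path in a directory other users cannot write to, since the
# file holds resumable session state.
run_test "Session resume using tickets: openssl client" \
    "$P_SRV debug_level=3 tickets=1" \
    "( $O_CLI -sess_out $SESSION; \
       $O_CLI -sess_in $SESSION; \
       rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed"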
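# Tests for Session Tickets with DTLS
#
# DTLS counterparts of the TLS ticket tests: same expectations, with dtls=1
# on the Mbed TLS side and -dtls1 on the OpenSSL side. The Mbed TLS client
# additionally runs with skip_close_notify=1 in the first three cases.

run_test "Session resume using tickets, DTLS: basic" \
    "$P_SRV debug_level=3 dtls=1 tickets=1" \
    "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using tickets, DTLS: cache disabled" \
    "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
    "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# Expiry check: reco_delay=2 exceeds ticket_timeout=1, so the ticket must be
# rejected and no resumption may be reported by either side.
run_test "Session resume using tickets, DTLS: timeout" \
    "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
    "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using tickets, DTLS: openssl server" \
    "$O_SRV -dtls1" \
    "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -c "a session has been resumed"

# NOTE(review): $SESSION is defined outside this part of the script and is
# expanded unquoted inside the command string; it names a file holding
# resumable session state, removed at the end of the client command.
run_test "Session resume using tickets, DTLS: openssl client" \
    "$P_SRV dtls=1 debug_level=3 tickets=1" \
    "( $O_CLI -dtls1 -sess_out $SESSION; \
       $O_CLI -dtls1 -sess_in $SESSION; \
       rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed"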
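# Tests for Session Resume based on session-ID and cache
#
# Here at least one side has tickets=0, so resumption has to come from the
# server-side session cache: "restored from cache" is required and
# "restored from ticket" is forbidden wherever a resumption is expected.

# Client offers the ticket extension, server sees it but must not answer it.
run_test "Session resume using cache: tickets enabled on client" \
    "$P_SRV debug_level=3 tickets=0" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# Client does not offer the extension, so the server must not issue a ticket
# even though tickets are enabled on its side.
run_test "Session resume using cache: tickets enabled on server" \
    "$P_SRV debug_level=3 tickets=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "client hello, adding session ticket extension" \
    -S "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# With cache_max=0 and no tickets there is nothing to resume from: no
# resumption may be reported by either side.
run_test "Session resume using cache: cache_max=0" \
    "$P_SRV debug_level=3 tickets=0 cache_max=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using cache: cache_max=1" \
    "$P_SRV debug_level=3 tickets=0 cache_max=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"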
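# Session cache lifetime and OpenSSL interoperability (tickets off on the
# Mbed TLS side throughout).
#   reco_delay=0, default cache timeout  -> resumed from cache
#   cache_timeout=1, reco_delay=2        -> entry expired, no resumption
#   cache_timeout=0, reco_delay=2        -> still resumed (presumably 0
#                                           means entries never expire)

run_test "Session resume using cache: timeout > delay" \
    "$P_SRV debug_level=3 tickets=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using cache: timeout < delay" \
    "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using cache: no timeout" \
    "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed"  \
    -c "a session has been resumed"

# The OpenSSL client offers the ticket extension; the server (tickets=0) must
# ignore it and resume from its cache instead.
# NOTE(review): $SESSION is defined outside this part of the script and is
# expanded unquoted inside the command string.
run_test "Session resume using cache: openssl client" \
    "$P_SRV debug_level=3 tickets=0" \
    "( $O_CLI -sess_out $SESSION; \
       $O_CLI -sess_in $SESSION; \
       rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed"

run_test "Session resume using cache: openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -c "a session has been resumed"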
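# Tests for Session Resume based on session-ID and cache, DTLS
#
# DTLS counterparts of the cache-based resumption tests: resumption must
# come from the server cache, never from a ticket. The Mbed TLS client runs
# with skip_close_notify=1 in these cases.

run_test "Session resume using cache, DTLS: tickets enabled on client" \
    "$P_SRV dtls=1 debug_level=3 tickets=0" \
    "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using cache, DTLS: tickets enabled on server" \
    "$P_SRV dtls=1 debug_level=3 tickets=1" \
    "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
    0 \
    -C "client hello, adding session ticket extension" \
    -S "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# No cache entries and no tickets: nothing may be resumed.
run_test "Session resume using cache, DTLS: cache_max=0" \
    "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
    "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using cache, DTLS: cache_max=1" \
    "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
    "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"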
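# DTLS session cache lifetime and OpenSSL interoperability (tickets off on
# the Mbed TLS side throughout).
#   reco_delay=0, default cache timeout  -> resumed from cache
#   cache_timeout=1, reco_delay=2        -> entry expired, no resumption
#   cache_timeout=0, reco_delay=2        -> still resumed (presumably 0
#                                           means entries never expire)

run_test "Session resume using cache, DTLS: timeout > delay" \
    "$P_SRV dtls=1 debug_level=3 tickets=0" \
    "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using cache, DTLS: timeout < delay" \
    "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
    "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using cache, DTLS: no timeout" \
    "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
    "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# NOTE(review): $SESSION is defined outside this part of the script and is
# expanded unquoted inside the command string; it names a file holding
# resumable session state, removed at the end of the client command.
run_test "Session resume using cache, DTLS: openssl client" \
    "$P_SRV dtls=1 debug_level=3 tickets=0" \
    "( $O_CLI -dtls1 -sess_out $SESSION; \
       $O_CLI -dtls1 -sess_in $SESSION; \
       rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed"

run_test "Session resume using cache, DTLS: openssl server" \
    "$O_SRV -dtls1" \
    "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -c "a session has been resumed"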
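# Tests for Max Fragment Length extension

# The Max Fragment Length cases that follow hard-code 16384 in their log
# patterns and request sizes. Read the configured value of
# MBEDTLS_SSL_MAX_CONTENT_LEN and stop the whole script (exit 1) if it is
# set to something else, instead of running tests that could only fail or
# pass for the wrong reason.
MAX_CONTENT_LEN_EXPECT='16384'
MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)

# An empty result from config.pl is accepted and the tests proceed.
# NOTE(review): -ne compares integers. If config.pl ever prints a
# non-numeric value, the test reports an error and evaluates false, so the
# guard does not fire and the tests run unchecked -- confirm the option is
# always a plain number in supported configurations.
if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
    cat <<EOF
The ${CONFIG_H} file contains a value for the configuration of
MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s
test value of ${MAX_CONTENT_LEN_EXPECT}.

The tests assume this value and if it changes, the tests in this
script should also be adjusted.
EOF
    exit 1
fi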
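# Max Fragment Length: default behaviour, with the extension compiled in
# (requires_config_enabled) and compiled out (requires_config_disabled).
# Neither side asks for a reduced length here, so no max_fragment_length
# extension may appear in either hello.
#
# A 16385-byte request is one byte over the 16384 limit:
#   TLS  -> written as 2 fragments, read as 16384 + 1 bytes, exit code 0
#   DTLS -> the client is expected to fail (exit code 1) with a
#           "fragment larger than ... maximum" message rather than split
#           the datagram.

requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: enabled, default" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension"

requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: enabled, default, larger message" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 request_size=16385" \
    0 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension" \
    -c "16385 bytes written in 2 fragments" \
    -s "16384 bytes read" \
    -s "1 bytes read"

requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length, DTLS: enabled, default, larger message" \
    "$P_SRV debug_level=3 dtls=1" \
    "$P_CLI debug_level=3 dtls=1 request_size=16385" \
    1 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 16384" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension" \
    -c "fragment larger than.*maximum "

# With the extension compiled out the "Maximum fragment length is" lines
# must be absent, but the oversize request is handled the same way.
requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: disabled, larger message" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 request_size=16385" \
    0 \
    -C "Maximum fragment length is 16384" \
    -S "Maximum fragment length is 16384" \
    -c "16385 bytes written in 2 fragments" \
    -s "16384 bytes read" \
    -s "1 bytes read"

requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length DTLS: disabled, larger message" \
    "$P_SRV debug_level=3 dtls=1" \
    "$P_CLI debug_level=3 dtls=1 request_size=16385" \
    1 \
    -C "Maximum fragment length is 16384" \
    -S "Maximum fragment length is 16384" \
    -c "fragment larger than.*maximum "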
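# Max Fragment Length: negotiated or locally configured values.
#
# When the client asks for a length (max_frag_len on $P_CLI) the extension
# must appear in both hellos and both sides must report the reduced value.
# When only the server is configured with max_frag_len, no extension is
# exchanged: the server reports 4096 while the client keeps 16384.
# Oversize requests follow the same rule as the default cases: split into
# fragments over TLS, rejected by the client (exit code 1) over DTLS.

requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: used by client" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 max_frag_len=4096" \
    0 \
    -c "Maximum fragment length is 4096" \
    -s "Maximum fragment length is 4096" \
    -c "client hello, adding max_fragment_length extension" \
    -s "found max fragment length extension" \
    -s "server hello, max_fragment_length extension" \
    -c "found max_fragment_length extension"

requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: used by server" \
    "$P_SRV debug_level=3 max_frag_len=4096" \
    "$P_CLI debug_level=3" \
    0 \
    -c "Maximum fragment length is 16384" \
    -s "Maximum fragment length is 4096" \
    -C "client hello, adding max_fragment_length extension" \
    -S "found max fragment length extension" \
    -S "server hello, max_fragment_length extension" \
    -C "found max_fragment_length extension"

# Interoperability: only client-side log lines can be checked against a
# GnuTLS server.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
requires_gnutls
run_test "Max fragment length: gnutls server" \
    "$G_SRV" \
    "$P_CLI debug_level=3 max_frag_len=4096" \
    0 \
    -c "Maximum fragment length is 4096" \
    -c "client hello, adding max_fragment_length extension" \
    -c "found max_fragment_length extension"

# Boundary: a request of exactly the negotiated length goes out as one
# fragment.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: client, message just fits" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
    0 \
    -c "Maximum fragment length is 2048" \
    -s "Maximum fragment length is 2048" \
    -c "client hello, adding max_fragment_length extension" \
    -s "found max fragment length extension" \
    -s "server hello, max_fragment_length extension" \
    -c "found max_fragment_length extension" \
    -c "2048 bytes written in 1 fragments" \
    -s "2048 bytes read"

# 2345 bytes over a 2048 limit: 2 fragments, read as 2048 + 297.
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: client, larger message" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
    0 \
    -c "Maximum fragment length is 2048" \
    -s "Maximum fragment length is 2048" \
    -c "client hello, adding max_fragment_length extension" \
    -s "found max fragment length extension" \
    -s "server hello, max_fragment_length extension" \
    -c "found max_fragment_length extension" \
    -c "2345 bytes written in 2 fragments" \
    -s "2048 bytes read" \
    -s "297 bytes read"

requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_test "Max fragment length: DTLS client, larger message" \
    "$P_SRV debug_level=3 dtls=1" \
    "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
    1 \
    -c "Maximum fragment length is 2048" \
    -s "Maximum fragment length is 2048" \
    -c "client hello, adding max_fragment_length extension" \
    -s "found max fragment length extension" \
    -s "server hello, max_fragment_length extension" \
    -c "found max_fragment_length extension" \
    -c "fragment larger than.*maximum"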
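# Tests for renegotiation
#
# Secure renegotiation signalling (RFC 5746) is checked in every case: the
# server must see TLS_EMPTY_RENEGOTIATION_INFO in the first hello and answer
# with the secure renegotiation extension. What varies is who starts the
# renegotiation:
#   none             -> no "=> renegotiate" on either side, no hello request
#   client-initiated -> both sides renegotiate, server writes no hello request
#   server-initiated -> both sides renegotiate, server writes a hello request
# All three run two exchanges (exchanges=2).

# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
run_test "Renegotiation: none, for reference" \
    "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request"

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: client-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request"

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"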
# The two tests below guard against the server skipping the Signature
# Algorithms extension in the renegotiation handshake: had it not been
# parsed, a SHA-1 signature algorithm would be negotiated. They are only
# meaningful when config.h enables an MD algorithm stronger than SHA-1.
# In the last pattern, 2 is the TLS HashAlgorithm value for SHA-1.

# Variant where the client starts the renegotiation.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request" \
    -S "client hello v3, signature_algorithm ext: 2" # SHA-1 must not be picked

# Variant where the server starts the renegotiation.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "client hello v3, signature_algorithm ext: 2" # SHA-1 must not be picked

# Both peers ask for a renegotiation (renegotiate=1 on each side); the
# server's HelloRequest must still appear in its log.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: double" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# Server runs with renegotiation=0: the client's attempt has to fail
# (exit code 1) with the dedicated error, while the server neither sees a
# renegotiation extension nor enters a renegotiation.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: client-initiated, server-rejected" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -c "SSL - Unexpected message at ServerHello in renegotiation" \
    -c "failed"

# Server-initiated renegotiation against a client with renegotiation=0.
# The variants differ only in the server's renego_delay; judging by the
# test names it controls how long an unanswered HelloRequest is tolerated
# (presumably counted in records - see the "delay 2" note below).

# Default delay: the HelloRequest is written, the client ignores it, and
# nothing is reported as failed.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, default" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# renego_delay=-1: the server does not enforce its request at all.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
        renego_delay=-1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# delay 2 for 1 alert record + 1 application data record
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
        renego_delay=2 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# renego_delay=0: the refusal is an error on the server side (its log
# must contain the "unexpected message" text); the expected client exit
# code stays 0.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
        renego_delay=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -s "SSL - An unexpected message was received from our peer"

# Same strict delay, but the client accepts: the renegotiation runs on
# both sides and no error is logged.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
        renego_delay=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# Periodic renegotiation: the server is started with renego_period=3 and
# the number of client exchanges decides whether the record counter limit
# is reached.

# Two exchanges stay under the limit: no renegotiation, no HelloRequest.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, just below period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -S "record counter limit reached: renegotiate" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# one extra exchange to be able to complete renego
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, just above period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# Seven exchanges; the expectations match the "just above period" case.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, two times period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# With renegotiation=0 on the server, a configured period must not
# trigger anything even when enough records were exchanged.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, above period, disabled" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -S "record counter limit reached: renegotiate" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# Renegotiation with nbio=2 set on both programs (non-blocking I/O, going
# by the option name). Expectations mirror the blocking tests.

# Client starts the renegotiation: no HelloRequest from the server.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: nbio, client-initiated" \
    "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
    "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request"

# Server starts the renegotiation: the HelloRequest must be logged.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: nbio, server-initiated" \
    "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
    "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

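# Client-initiated renegotiation against an OpenSSL server must complete
# and still deliver the HTTP response.
# The negative handshake check uses the message that the failing GnuTLS
# renegotiation tests in this file expect ("mbedtls_ssl_handshake()
# returned"). The earlier pattern "ssl_hanshake() returned" was misspelled
# and could never match, so that check could not catch a failure.
# NOTE(review): assumes a clean run never logs this message at
# debug_level=3 - confirm by running the test.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: openssl server, client-initiated" \
    "$O_SRV -www" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"
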
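# Client-initiated renegotiation against a GnuTLS server that insists on
# secure renegotiation (%SAFE_RENEGOTIATION) must complete and still
# deliver the HTTP response.
# The negative handshake check uses the message that the failing GnuTLS
# renegotiation tests in this file expect ("mbedtls_ssl_handshake()
# returned"). The earlier pattern "ssl_hanshake() returned" was misspelled
# and could never match, so that check could not catch a failure.
# NOTE(review): assumes a clean run never logs this message at
# debug_level=3 - confirm by running the test.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server strict, client-initiated" \
    "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"
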
# GnuTLS server started with %DISABLE_SAFE_RENEGOTIATION, so the client
# never finds the renegotiation extension in the ServerHello. In both
# tests the client's renegotiation attempt has to fail (exit code 1) and
# no HTTP response may be received.

# Client left at its default legacy policy.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -c "mbedtls_ssl_handshake() returned" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"

# Client with allow_legacy=0 set explicitly; same outcome as the default.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
        allow_legacy=0" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -c "mbedtls_ssl_handshake() returned" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"

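# With allow_legacy=1 the client renegotiates even though the GnuTLS
# server (%DISABLE_SAFE_RENEGOTIATION) never sends the renegotiation
# extension. Legacy renegotiation lacks the binding between the old and
# the new handshake that RFC 5746 adds; the option is an interoperability
# escape hatch, and this test only pins that it works when asked for.
# The negative handshake check uses the message that the two preceding
# "gnutls server unsafe" tests expect ("mbedtls_ssl_handshake() returned").
# The earlier pattern "ssl_hanshake() returned" was misspelled and could
# never match, so that check could not catch a failure.
# NOTE(review): assumes a clean run never logs this message at
# debug_level=3 - confirm by running the test.
# NOTE(review): "inititated" in the test name is a typo; left untouched
# because test names may be referenced by filters - confirm before
# renaming.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
        allow_legacy=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"
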
# Renegotiation over DTLS (dtls=1 on both programs).

# Client starts the renegotiation: no HelloRequest from the server.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, client-initiated" \
    "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
    "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request"

# Server starts the renegotiation; the client runs with an explicit
# read_timeout and max_resend.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, server-initiated" \
    "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
    "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
        read_timeout=1000 max_resend=2" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# renego_period here equals 0xFFFF000000000002. The server is expected to
# report the record counter limit as reached and to renegotiate.
# NOTE(review): presumably this pins the handling of a period whose upper
# 16 bits are all set when compared with the DTLS record counter (epoch
# plus sequence number) - confirm against the commit that added the test.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, renego_period overflow" \
    "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
    "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# Client-initiated renegotiation against a GnuTLS DTLS server; success is
# observed through "Extra-header:" in the server log.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
    "$G_SRV -u --mtu 4096" \
    "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake returned" \
    -C "error" \
    -s "Extra-header:"

# Tests for the "secure renegotiation" extension only (no actual
# renegotiation takes place).
#
# What the expected exit codes show: with the default policy a peer that
# lacks the extension is still accepted for the initial handshake; only
# allow_legacy=-1 ("break legacy") refuses the connection outright.

# Server advertises the extension; the client must find it.
requires_gnutls
run_test "Renego ext: gnutls server strict, client default" \
    "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3" \
    0 \
    -c "found renegotiation extension" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

# Server omits the extension; the default client connects anyway.
requires_gnutls
run_test "Renego ext: gnutls server unsafe, client default" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3" \
    0 \
    -C "found renegotiation extension" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

# Server omits the extension; a client with allow_legacy=-1 must fail.
requires_gnutls
run_test "Renego ext: gnutls server unsafe, client break legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 allow_legacy=-1" \
    1 \
    -C "found renegotiation extension" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"

# GnuTLS client signals support (SCSV or extension); the server answers
# with the extension.
requires_gnutls
run_test "Renego ext: gnutls client strict, server default" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
    0 \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -s "server hello, secure renegotiation extension"

# GnuTLS client signals nothing; the default server accepts it and does
# not send the extension.
requires_gnutls
run_test "Renego ext: gnutls client unsafe, server default" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    0 \
    -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -S "server hello, secure renegotiation extension"

# GnuTLS client signals nothing; a server with allow_legacy=-1 must
# refuse it.
requires_gnutls
run_test "Renego ext: gnutls client unsafe, server break legacy" \
    "$P_SRV debug_level=3 allow_legacy=-1" \
    "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    1 \
    -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -S "server hello, secure renegotiation extension"

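# Tests for silently dropping trailing extra bytes in .der certificates
#
# Each case points the server at a certificate file that, per the test
# name, carries a different amount of trailing data, and requires the
# GnuTLS client to report a completed handshake. The leniency exercised
# here concerns the server's own, locally configured certificate file;
# these tests do not cover trailing bytes in a certificate received from
# a peer.
#
# The last expectation of every call ends the command. The dangling
# backslash that used to follow it only worked because the next line was
# empty; without that empty line the following requires_gnutls would have
# been passed to run_test as an argument instead of being executed.

requires_gnutls
run_test "DER format: no trailing bytes" \
    "$P_SRV crt_file=data_files/server5-der0.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with a trailing zero byte" \
    "$P_SRV crt_file=data_files/server5-der1a.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with a trailing random byte" \
    "$P_SRV crt_file=data_files/server5-der1b.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 2 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der2.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 4 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der4.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 8 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der8.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 9 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der9.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"
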
# Tests for auth_mode
#
# What the pairs below pin down: with auth_mode=required a verification
# failure aborts the handshake (exit code 1); with auth_mode=optional the
# same failure is logged but the handshake still succeeds (exit code 0),
# so an application using the optional mode has to inspect the
# verification result itself before trusting the peer.

# Badly signed server certificate, client requires verification.
run_test "Authentication: server badcert, client required" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
        key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=required" \
    1 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! mbedtls_ssl_handshake returned" \
    -c "X509 - Certificate verification failed"

# Badly signed server certificate, verification optional: the signature
# problem is reported, the handshake is not failed.
run_test "Authentication: server badcert, client optional" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
        key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=optional" \
    0 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed"

# Good server certificate but the client has no trusted CA at all
# (ca_file=none ca_path=none); optional mode still lets the handshake
# through, with the verification flags logged.
run_test "Authentication: server goodcert, client optional, no trusted CA" \
    "$P_SRV" \
    "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
    0 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! Certificate verification flags" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed" \
    -C "SSL - No CA Chain is set, but required to operate"

# Same setup with required mode: the handshake fails and the missing CA
# chain is named as the reason.
run_test "Authentication: server goodcert, client required, no trusted CA" \
    "$P_SRV" \
    "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
    1 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! Certificate verification flags" \
    -c "! mbedtls_ssl_handshake returned" \
    -c "SSL - No CA Chain is set, but required to operate"

# The next two tests cover the client's reaction to a server certificate
# that uses an elliptic curve the client does not support. Normally this
# cannot happen, since the client tells the server which curves it
# supports. It does happen in the corner case of a static ECDH suite,
# because the server does not check the curve there (to be fixed). Once
# that bug is fixed, these tests need another way to make the server
# ignore the client's supported curve list.
#
# Both modes end with exit code 1; what differs is the stage at which the
# handshake is rejected.

# Required mode: rejected during certificate verification, before the
# ECDH parameter check is reached.
requires_config_enabled MBEDTLS_ECP_C
run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
    "$P_SRV debug_level=1 key_file=data_files/server5.key \
        crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
    1 \
    -c "bad certificate (EC key curve)" \
    -c "! Certificate verification flags" \
    -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage

# Optional mode: verification flags are only logged, and the handshake is
# rejected at the ECDH parameter check instead.
requires_config_enabled MBEDTLS_ECP_C
run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
    "$P_SRV debug_level=1 key_file=data_files/server5.key \
        crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
    1 \
    -c "bad certificate (EC key curve)" \
    -c "! Certificate verification flags" \
    -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check

# Client auth_mode=none against a server certificate with a bad signature
# (server5-badsign.crt): the handshake is expected to succeed (exit 0) and
# no verification message may appear in the client output. This pins down
# that auth_mode=none performs no server authentication at all, so it is
# only appropriate when the peer is authenticated by other means.
run_test    "Authentication: server badcert, client none" \
            "$P_SRV crt_file=data_files/server5-badsign.crt \
             key_file=data_files/server5.key" \
            "$P_CLI debug_level=1 auth_mode=none" \
            0 \
            -C "x509_verify_cert() returned" \
            -C "! The certificate is not correctly signed by the trusted CA" \
            -C "! mbedtls_ssl_handshake returned" \
            -C "X509 - Certificate verification failed"
2452
# Client authentication with server6.crt/server6.key while a specific
# ciphersuite is forced. Both tests expect the client to log signature
# algorithm hash identifiers 4 and 5 (SHA-256 and SHA-384 in the TLS
# HashAlgorithm registry) from the server's CertificateRequest.
#
# NOTE(review): the hash in each test name is the opposite of the hash in
# the forced ciphersuite (name "SHA256" with ...-GCM-SHA384 and vice versa).
# Presumably this is deliberate, exercising a CertificateVerify hash that
# differs from the ciphersuite hash; confirm before "fixing" either side.
run_test    "Authentication: client SHA256, server required" \
            "$P_SRV auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
             key_file=data_files/server6.key \
             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
            0 \
            -c "Supported Signature Algorithm found: 4," \
            -c "Supported Signature Algorithm found: 5,"

run_test    "Authentication: client SHA384, server required" \
            "$P_SRV auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
             key_file=data_files/server6.key \
             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
            0 \
            -c "Supported Signature Algorithm found: 4," \
            -c "Supported Signature Algorithm found: 5,"
2470
# Server auth_mode=required, client configured with a key but no certificate
# (crt_file=none). Both protocol variants must end in a failed handshake on
# both sides (exit 1): a server that requires client authentication must
# not accept a client that presents nothing. The server is expected not to
# reach x509_verify_cert() because there is no certificate to verify.
#
# The long -s pattern reproduces the library's message verbatim, including
# its wording "certification"; do not correct it here without changing the
# library string as well.

# SSLv3 variant (only run when SSLv3 support is compiled in): the client
# reports "got no certificate to send".
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Authentication: client has no cert, server required (SSLv3)" \
            "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
            "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -c "got no certificate to send" \
            -S "x509_verify_cert() returned" \
            -s "client has no certificate" \
            -s "! mbedtls_ssl_handshake returned" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "No client certification received from the client, but required by the authentication mode"

# TLS variant: the client still goes through "write certificate" (with no
# certificate to put in it). The trailing "$" in the two patterns
# keeps them from also matching "... write certificate verify" lines
# (assuming the patterns are treated as regular expressions by run_test).
run_test    "Authentication: client has no cert, server required (TLS)" \
            "$P_SRV debug_level=3 auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=none \
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -c "= write certificate$" \
            -C "skip write certificate$" \
            -S "x509_verify_cert() returned" \
            -s "client has no certificate" \
            -s "! mbedtls_ssl_handshake returned" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "No client certification received from the client, but required by the authentication mode"
2502
# Server auth_mode=required, client presents a certificate with a bad
# signature (server5-badsign.crt). The server must verify it, reject it and
# abort the handshake (exit 1). It is also expected to send a fatal alert:
# "level=2 message=48" is alert level fatal, description unknown_ca.
run_test    "Authentication: client badcert, server required" \
            "$P_SRV debug_level=3 auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -s "! mbedtls_ssl_handshake returned" \
            -s "send alert level=2 message=48" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "X509 - Certificate verification failed"
# The alert is only checked on the sending (server) side. The client is not
# required to log its reception, because it may notice that its write end
# of the connection is closed and abort before it reads the alert.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002523
# Server auth_mode=required, client presents a self-signed certificate
# (server5-selfsigned.crt), i.e. one that does not chain to the server's
# trusted CA. Verification must fail on the server and the handshake must
# be aborted on both sides (exit 1).
run_test    "Authentication: client cert not trusted, server required" \
            "$P_SRV debug_level=3 auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -s "! mbedtls_ssl_handshake returned" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "X509 - Certificate verification failed"
2540
# Client presents a certificate with a bad signature (server5-badsign.crt)
# to servers that do not insist on client authentication.

# Server auth_mode=optional: the certificate is requested and verified, the
# bad signature is logged by the server, yet the handshake completes
# (exit 0, no handshake error on either side). A server running in this
# mode must check the verification result itself
# (mbedtls_ssl_get_verify_result()) before treating the client as
# authenticated.
run_test    "Authentication: client badcert, server optional" \
            "$P_SRV debug_level=3 auth_mode=optional" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
             key_file=data_files/server5.key" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -S "! mbedtls_ssl_handshake returned" \
            -C "! mbedtls_ssl_handshake returned" \
            -S "X509 - Certificate verification failed"

# Server auth_mode=none: no CertificateRequest is sent, the client skips its
# certificate messages, and the server never runs x509_verify_cert(). The
# bad certificate therefore goes unnoticed and the client is simply
# unauthenticated.
run_test    "Authentication: client badcert, server none" \
            "$P_SRV debug_level=3 auth_mode=none" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
             key_file=data_files/server5.key" \
            0 \
            -s "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got no certificate request" \
            -c "skip write certificate" \
            -c "skip write certificate verify" \
            -s "skip parse certificate verify" \
            -S "x509_verify_cert() returned" \
            -S "! The certificate is not correctly signed by the trusted CA" \
            -S "! mbedtls_ssl_handshake returned" \
            -C "! mbedtls_ssl_handshake returned" \
            -S "X509 - Certificate verification failed"
2574
# Client without certificate and key talking to a peer that asks for a
# certificate but does not require one. All three handshakes are expected
# to succeed (exit 0).

# Mbed TLS on both sides: the server records "! Certificate was missing"
# but lets the handshake finish. As with any auth_mode=optional server, the
# application has to check the verification result before granting
# anything that depends on client identity.
run_test    "Authentication: client no cert, server optional" \
            "$P_SRV debug_level=3 auth_mode=optional" \
            "$P_CLI debug_level=3 crt_file=none key_file=none" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate$" \
            -C "got no certificate to send" \
            -S "SSLv3 client has no certificate" \
            -c "skip write certificate verify" \
            -s "skip parse certificate verify" \
            -s "! Certificate was missing" \
            -S "! mbedtls_ssl_handshake returned" \
            -C "! mbedtls_ssl_handshake returned" \
            -S "X509 - Certificate verification failed"

# Interoperability: OpenSSL client ($O_CLI, no certificate options visible
# here) against the Mbed TLS server. Only server-side output is checked.
run_test    "Authentication: openssl client no cert, server optional" \
            "$P_SRV debug_level=3 auth_mode=optional" \
            "$O_CLI" \
            0 \
            -S "skip write certificate request" \
            -s "skip parse certificate verify" \
            -s "! Certificate was missing" \
            -S "! mbedtls_ssl_handshake returned" \
            -S "X509 - Certificate verification failed"

# Interoperability: Mbed TLS client against an OpenSSL server started with
# "-verify 10" (lower-case: a client certificate is requested but not
# mandatory).
run_test    "Authentication: client no cert, openssl server optional" \
            "$O_SRV -verify 10" \
            "$P_CLI debug_level=3 crt_file=none key_file=none" \
            0 \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate$" \
            -c "skip write certificate verify" \
            -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002611
# Mbed TLS client without certificate against an OpenSSL server started
# with "-Verify 10" (capital V: a client certificate is mandatory). The
# server rejects the handshake, so the client must report a handshake
# failure and exit 1.
run_test    "Authentication: client no cert, openssl server required" \
            "$O_SRV -Verify 10" \
            "$P_CLI debug_level=3 crt_file=none key_file=none" \
            1 \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate$" \
            -c "skip write certificate verify" \
            -c "! mbedtls_ssl_handshake returned"
2621
# SSLv3 variant of "client no cert, server optional"; only run when SSLv3
# support is compiled in. Here the client logs "got no certificate to send"
# and the server logs "SSLv3 client has no certificate"; the server then
# treats the certificate as missing and, in optional mode, completes the
# handshake (exit 0).
# SSLv3 is a deprecated protocol version; this test covers legacy behaviour
# of the library and is not an endorsement of enabling it.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Authentication: client no cert, ssl3" \
            "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
            "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate$" \
            -c "skip write certificate verify" \
            -c "got no certificate to send" \
            -s "SSLv3 client has no certificate" \
            -s "skip parse certificate verify" \
            -s "! Certificate was missing" \
            -S "! mbedtls_ssl_handshake returned" \
            -C "! mbedtls_ssl_handshake returned" \
            -S "X509 - Certificate verification failed"
2639
# The "max_int chain" tests below are written for the default limit of 8
# intermediate CAs (MBEDTLS_X509_MAX_INTERMEDIATE_CA). Refuse to run when
# the build configuration sets a different value, because the expected
# pass/fail results of those tests would then be wrong.
#
# An empty result from config.pl skips the check. Presumably that means the
# option is not set in the configuration, so the library default applies.
#
# NOTE(review): "-ne" is an integer comparison. If config.pl ever returns a
# non-integer value, "[" reports an error and the condition is false, so
# the script continues without the mismatch being detected. The message is
# also written to stdout rather than stderr.
MAX_IM_CA='8'
MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)

if [ -n "$MAX_IM_CA_CONFIG" ]; then
    if [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
        cat <<EOF
${CONFIG_H} contains a value for the configuration of
MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script's
test value of ${MAX_IM_CA}.

The tests assume this value and if it changes, the tests in this
script should also be adjusted.
EOF
        exit 1
    fi
fi
2657
# Chain-length limit, server certificate side. The server presents a chain
# from data_files/dir-maxpath and the client trusts only 00.crt from the
# same directory. Per the test names, c09.pem is a chain at the limit
# (max_int) and c10.pem is one intermediate over it (max_int+1).

# At the limit: accepted, no fatal X.509 error on the client.
run_test    "Authentication: server max_int chain, client default" \
            "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
             key_file=data_files/dir-maxpath/09.key" \
            "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
            0 \
            -C "X509 - A fatal error occurred"

# One over the limit with the client's default auth_mode: rejected (exit 1).
run_test    "Authentication: server max_int+1 chain, client default" \
            "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
             key_file=data_files/dir-maxpath/10.key" \
            "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
            1 \
            -c "X509 - A fatal error occurred"

# One over the limit with auth_mode=optional: still expected to fail
# (exit 1). Exceeding the chain limit is reported as a fatal error, not as
# a verification flag that optional mode would tolerate.
run_test    "Authentication: server max_int+1 chain, client optional" \
            "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
             key_file=data_files/dir-maxpath/10.key" \
            "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
             auth_mode=optional" \
            1 \
            -c "X509 - A fatal error occurred"

# One over the limit with auth_mode=none: the handshake succeeds and no
# fatal X.509 error is logged, i.e. the limit gives no protection when
# verification is switched off.
run_test    "Authentication: server max_int+1 chain, client none" \
            "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
             key_file=data_files/dir-maxpath/10.key" \
            "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
             auth_mode=none" \
            0 \
            -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002687
# Chain-length limit, client certificate side. The client presents a chain
# from data_files/dir-maxpath and the server trusts only 00.crt. Per the
# test names, c10.pem is one intermediate over the limit and c09.pem is
# exactly at it.

# Server with no auth_mode given: the over-long chain causes no fatal
# X.509 error on the server and the handshake succeeds. Presumably the
# server's default mode does not verify client certificates - confirm
# against the P_SRV defaults.
run_test    "Authentication: client max_int+1 chain, server default" \
            "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
            "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
             key_file=data_files/dir-maxpath/10.key" \
            0 \
            -S "X509 - A fatal error occurred"

# auth_mode=optional: the over-long chain is a fatal error on the server
# and the handshake fails (exit 1), even though optional mode tolerates
# ordinary verification failures.
run_test    "Authentication: client max_int+1 chain, server optional" \
            "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
            "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
             key_file=data_files/dir-maxpath/10.key" \
            1 \
            -s "X509 - A fatal error occurred"

# auth_mode=required: same rejection.
run_test    "Authentication: client max_int+1 chain, server required" \
            "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
            "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
             key_file=data_files/dir-maxpath/10.key" \
            1 \
            -s "X509 - A fatal error occurred"

# A chain exactly at the limit is accepted with auth_mode=required.
run_test    "Authentication: client max_int chain, server required" \
            "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
            "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
             key_file=data_files/dir-maxpath/09.key" \
            0 \
            -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002715
# Tests for the CA list in CertificateRequest messages.
# The server logs "requested DN" when it includes the names of its trusted
# CAs in the CertificateRequest; cert_req_ca_list=0 turns that off. Leaving
# the list out reveals less about the server's trust store, and these
# tests check that client authentication works the same either way.

# Default: the CA list is sent.
run_test    "Authentication: send CA list in CertificateRequest (default)" \
            "$P_SRV debug_level=3 auth_mode=required" \
            "$P_CLI crt_file=data_files/server6.crt \
             key_file=data_files/server6.key" \
            0 \
            -s "requested DN"

# cert_req_ca_list=0: no CA list, and a valid client certificate is still
# accepted.
run_test    "Authentication: do not send CA list in CertificateRequest" \
            "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
            "$P_CLI crt_file=data_files/server6.crt \
             key_file=data_files/server6.key" \
            0 \
            -S "requested DN"

# cert_req_ca_list=0 with an untrusted (self-signed) client certificate:
# omitting the list must not weaken verification; the server still rejects
# the certificate and the handshake fails (exit 1).
# NOTE(review): the test name says "send CA list", but the server is run
# with cert_req_ca_list=0 and the test asserts that "requested DN" is
# absent. The name looks wrong; it is kept because test names may be used
# as filters elsewhere.
run_test    "Authentication: send CA list in CertificateRequest, client self signed" \
            "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
             key_file=data_files/server5.key" \
            1 \
            -S "requested DN" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -s "! mbedtls_ssl_handshake returned" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "X509 - Certificate verification failed"
2743
# Tests for certificate selection based on SHA version
2745
# The server is given two certificate/key pairs and has to pick the one
# whose signature hash the client can be expected to handle. The client
# output shows which certificate was sent ("signed using ...").

# Server has a SHA-256-signed and a SHA-1-signed certificate; a TLS 1.2
# client must get the SHA-256 one. This guards against a needless downgrade
# to SHA-1 when the peer supports better.
run_test    "Certificate hash: client TLS 1.2 -> SHA-2" \
            "$P_SRV crt_file=data_files/server5.crt \
             key_file=data_files/server5.key \
             crt_file2=data_files/server5-sha1.crt \
             key_file2=data_files/server5.key" \
            "$P_CLI force_version=tls1_2" \
            0 \
            -c "signed using.*ECDSA with SHA256" \
            -C "signed using.*ECDSA with SHA1"

# Same server, TLS 1.1 client: the SHA-1 certificate is selected.
# Presumably because clients below TLS 1.2 cannot signal SHA-2 support.
run_test    "Certificate hash: client TLS 1.1 -> SHA-1" \
            "$P_SRV crt_file=data_files/server5.crt \
             key_file=data_files/server5.key \
             crt_file2=data_files/server5-sha1.crt \
             key_file2=data_files/server5.key" \
            "$P_CLI force_version=tls1_1" \
            0 \
            -C "signed using.*ECDSA with SHA256" \
            -c "signed using.*ECDSA with SHA1"

# Same server, TLS 1.0 client: SHA-1 certificate again.
run_test    "Certificate hash: client TLS 1.0 -> SHA-1" \
            "$P_SRV crt_file=data_files/server5.crt \
             key_file=data_files/server5.key \
             crt_file2=data_files/server5-sha1.crt \
             key_file2=data_files/server5.key" \
            "$P_CLI force_version=tls1" \
            0 \
            -C "signed using.*ECDSA with SHA256" \
            -c "signed using.*ECDSA with SHA1"

# No SHA-1 certificate configured: a TLS 1.1 client is still served, with a
# SHA-256 certificate. The two "order" variants swap the configuration
# order of server5 and server6 and expect the first configured one to be
# used (serial number 09 resp. 0A).
run_test    "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
            "$P_SRV crt_file=data_files/server5.crt \
             key_file=data_files/server5.key \
             crt_file2=data_files/server6.crt \
             key_file2=data_files/server6.key" \
            "$P_CLI force_version=tls1_1" \
            0 \
            -c "serial number.*09" \
            -c "signed using.*ECDSA with SHA256" \
            -C "signed using.*ECDSA with SHA1"

run_test    "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
            "$P_SRV crt_file=data_files/server6.crt \
             key_file=data_files/server6.key \
             crt_file2=data_files/server5.crt \
             key_file2=data_files/server5.key" \
            "$P_CLI force_version=tls1_1" \
            0 \
            -c "serial number.*0A" \
            -c "signed using.*ECDSA with SHA256" \
            -C "signed using.*ECDSA with SHA1"
2797
# Tests for SNI (Server Name Indication).
# As used in these tests, the server's "sni=" option is a comma-separated
# list with six fields per entry: server name, certificate file, key file,
# and three further fields that are "-" here (other tests in this script
# use them for a CA file, a CRL file and an auth mode).

# No sni= option: the server does not parse the ServerName extension and
# presents its default certificate (issued by the EC test CA).
run_test    "SNI: no SNI callback" \
            "$P_SRV debug_level=3 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key" \
            "$P_CLI server_name=localhost" \
            0 \
            -S "parse ServerName extension" \
            -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
            -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

# Requested name matches the first SNI entry: the certificate of that entry
# is presented instead of the default one.
run_test    "SNI: matching cert 1" \
            "$P_SRV debug_level=3 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
            "$P_CLI server_name=localhost" \
            0 \
            -s "parse ServerName extension" \
            -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
            -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

# Requested name matches the second SNI entry.
run_test    "SNI: matching cert 2" \
            "$P_SRV debug_level=3 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
            "$P_CLI server_name=polarssl.example" \
            0 \
            -s "parse ServerName extension" \
            -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
            -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"

# Requested name matches no SNI entry: the server must not fall back to
# some other certificate. The SNI callback reports an error, the handshake
# fails on both sides (exit 1) and the client sees a fatal alert.
run_test    "SNI: no matching cert" \
            "$P_SRV debug_level=3 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
            "$P_CLI server_name=nonesuch.example" \
            1 \
            -s "parse ServerName extension" \
            -s "ssl_sni_wrapper() returned" \
            -s "mbedtls_ssl_handshake returned" \
            -c "mbedtls_ssl_handshake returned" \
            -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002840
# SNI entries can carry their own client-authentication mode in the last
# field of the entry ("-" leaves the server-wide auth_mode in force). Since
# the effective mode then depends on the name the client asks for, both
# directions of an override are tested.

# No override ("-"): the server-wide auth_mode=optional applies, so a
# certificate request is sent.
run_test    "SNI: client auth no override: optional" \
            "$P_SRV debug_level=3 auth_mode=optional \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
            "$P_CLI debug_level=3 server_name=localhost" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify"

# Override that tightens the policy: server-wide none, SNI entry optional.
# A certificate request must be sent for this name.
run_test    "SNI: client auth override: none -> optional" \
            "$P_SRV debug_level=3 auth_mode=none \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
            "$P_CLI debug_level=3 server_name=localhost" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify"

# Override that relaxes the policy: server-wide optional, SNI entry none.
# No certificate request is sent for this name. Deployments relying on a
# server-wide auth mode should review per-name overrides like this one,
# because they take precedence.
run_test    "SNI: client auth override: optional -> none" \
            "$P_SRV debug_level=3 auth_mode=optional \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
            "$P_CLI debug_level=3 server_name=localhost" \
            0 \
            -s "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got no certificate request" \
            -c "skip write certificate" \
            -c "skip write certificate verify" \
            -s "skip parse certificate verify"
2879
# SNI entries can also replace the trust anchor and CRL used to verify the
# client certificate (fourth and fifth field of the entry). In all three
# tests the SNI entry sets the auth mode to "required", the server-wide CA
# is test-ca.crt and the client presents server6.crt.

# CA not overridden ("-"): the client certificate is checked against
# test-ca.crt, is not signed by it, and the handshake fails (exit 1).
run_test    "SNI: CA no override" \
            "$P_SRV debug_level=3 auth_mode=optional \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             ca_file=data_files/test-ca.crt \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
            "$P_CLI debug_level=3 server_name=localhost \
             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -S "The certificate has been revoked (is on a CRL)"

# CA overridden with test-ca2.crt: the same client certificate now verifies
# and the handshake succeeds. The trust anchor in force depends on the
# requested server name.
run_test    "SNI: CA override" \
            "$P_SRV debug_level=3 auth_mode=optional \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             ca_file=data_files/test-ca.crt \
             sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
            "$P_CLI debug_level=3 server_name=localhost \
             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -S "x509_verify_cert() returned" \
            -S "! The certificate is not correctly signed by the trusted CA" \
            -S "The certificate has been revoked (is on a CRL)"

# CA and CRL overridden: the signature is fine, but the CRL supplied with
# the SNI entry lists the client certificate, so it must be rejected as
# revoked (exit 1). This confirms that a per-name CRL is enforced.
run_test    "SNI: CA override with CRL" \
            "$P_SRV debug_level=3 auth_mode=optional \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             ca_file=data_files/test-ca.crt \
             sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
            "$P_CLI debug_level=3 server_name=localhost \
             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -S "! The certificate is not correctly signed by the trusted CA" \
            -s "The certificate has been revoked (is on a CRL)"
2933
# Tests for SNI over DTLS.
# Same scenarios as the TLS SNI tests, with dtls=1 on both sides, so that
# certificate selection by server name is covered for the datagram
# transport as well.

# No sni= option: ServerName is not parsed, default certificate is sent.
run_test    "SNI: DTLS, no SNI callback" \
            "$P_SRV debug_level=3 dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key" \
            "$P_CLI server_name=localhost dtls=1" \
            0 \
            -S "parse ServerName extension" \
            -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
            -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

# Requested name matches the first SNI entry.
run_test    "SNI: DTLS, matching cert 1" \
            "$P_SRV debug_level=3 dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
            "$P_CLI server_name=localhost dtls=1" \
            0 \
            -s "parse ServerName extension" \
            -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
            -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

# Requested name matches the second SNI entry.
run_test    "SNI: DTLS, matching cert 2" \
            "$P_SRV debug_level=3 dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
            "$P_CLI server_name=polarssl.example dtls=1" \
            0 \
            -s "parse ServerName extension" \
            -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
            -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"

# Requested name matches no entry: the handshake must fail on both sides
# (exit 1) instead of falling back to another certificate.
run_test    "SNI: DTLS, no matching cert" \
            "$P_SRV debug_level=3 dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
            "$P_CLI server_name=nonesuch.example dtls=1" \
            1 \
            -s "parse ServerName extension" \
            -s "ssl_sni_wrapper() returned" \
            -s "mbedtls_ssl_handshake returned" \
            -c "mbedtls_ssl_handshake returned" \
            -c "SSL - A fatal alert message was received from our peer"
2976
# DTLS versions of the per-name client-authentication mode tests. The last
# field of the SNI entry selects the auth mode for that name; "-" keeps the
# server-wide auth_mode.

# No override: server-wide optional applies, a certificate request is sent.
run_test    "SNI: DTLS, client auth no override: optional" \
            "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify"

# Tightening override (none -> optional): a certificate request is sent.
run_test    "SNI: DTLS, client auth override: none -> optional" \
            "$P_SRV debug_level=3 auth_mode=none dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify"

# Relaxing override (optional -> none): no certificate request is sent for
# this name, so the client stays unauthenticated despite the server-wide
# setting.
run_test    "SNI: DTLS, client auth override: optional -> none" \
            "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1" \
            0 \
            -s "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got no certificate request" \
            -c "skip write certificate" \
            -c "skip write certificate verify" \
            -s "skip parse certificate verify"
3015
3016run_test "SNI: DTLS, CA no override" \
3017 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3018 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3019 ca_file=data_files/test-ca.crt \
3020 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
3021 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3022 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3023 1 \
3024 -S "skip write certificate request" \
3025 -C "skip parse certificate request" \
3026 -c "got a certificate request" \
3027 -C "skip write certificate" \
3028 -C "skip write certificate verify" \
3029 -S "skip parse certificate verify" \
3030 -s "x509_verify_cert() returned" \
3031 -s "! The certificate is not correctly signed by the trusted CA" \
3032 -S "The certificate has been revoked (is on a CRL)"
3033
Andres Amaya Garcia914eea42018-05-01 20:26:47 +01003034run_test "SNI: DTLS, CA override" \
Andres AGe8b07742016-12-07 10:01:30 +00003035 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3036 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3037 ca_file=data_files/test-ca.crt \
3038 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
3039 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3040 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3041 0 \
3042 -S "skip write certificate request" \
3043 -C "skip parse certificate request" \
3044 -c "got a certificate request" \
3045 -C "skip write certificate" \
3046 -C "skip write certificate verify" \
3047 -S "skip parse certificate verify" \
3048 -S "x509_verify_cert() returned" \
3049 -S "! The certificate is not correctly signed by the trusted CA" \
3050 -S "The certificate has been revoked (is on a CRL)"
3051
Andres Amaya Garcia914eea42018-05-01 20:26:47 +01003052run_test "SNI: DTLS, CA override with CRL" \
Andres AGe8b07742016-12-07 10:01:30 +00003053 "$P_SRV debug_level=3 auth_mode=optional \
3054 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
3055 ca_file=data_files/test-ca.crt \
3056 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
3057 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3058 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3059 1 \
3060 -S "skip write certificate request" \
3061 -C "skip parse certificate request" \
3062 -c "got a certificate request" \
3063 -C "skip write certificate" \
3064 -C "skip write certificate verify" \
3065 -S "skip parse certificate verify" \
3066 -s "x509_verify_cert() returned" \
3067 -S "! The certificate is not correctly signed by the trusted CA" \
3068 -s "The certificate has been revoked (is on a CRL)"
3069
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003070# Tests for non-blocking I/O: exercise a variety of handshake flows
3071
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003072run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003073 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3074 "$P_CLI nbio=2 tickets=0" \
3075 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003076 -S "mbedtls_ssl_handshake returned" \
3077 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003078 -c "Read from server: .* bytes read"
3079
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003080run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003081 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
3082 "$P_CLI nbio=2 tickets=0" \
3083 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003084 -S "mbedtls_ssl_handshake returned" \
3085 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003086 -c "Read from server: .* bytes read"
3087
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003088run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003089 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3090 "$P_CLI nbio=2 tickets=1" \
3091 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003092 -S "mbedtls_ssl_handshake returned" \
3093 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003094 -c "Read from server: .* bytes read"
3095
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003096run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003097 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3098 "$P_CLI nbio=2 tickets=1" \
3099 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003100 -S "mbedtls_ssl_handshake returned" \
3101 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003102 -c "Read from server: .* bytes read"
3103
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003104run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003105 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3106 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3107 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003108 -S "mbedtls_ssl_handshake returned" \
3109 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003110 -c "Read from server: .* bytes read"
3111
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003112run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003113 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3114 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3115 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003116 -S "mbedtls_ssl_handshake returned" \
3117 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003118 -c "Read from server: .* bytes read"
3119
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003120run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003121 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3122 "$P_CLI nbio=2 tickets=0 reconnect=1" \
3123 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003124 -S "mbedtls_ssl_handshake returned" \
3125 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003126 -c "Read from server: .* bytes read"
3127
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003128# Tests for version negotiation
3129
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003130run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003131 "$P_SRV" \
3132 "$P_CLI" \
3133 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003134 -S "mbedtls_ssl_handshake returned" \
3135 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003136 -s "Protocol is TLSv1.2" \
3137 -c "Protocol is TLSv1.2"
3138
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003139run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003140 "$P_SRV" \
3141 "$P_CLI max_version=tls1_1" \
3142 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003143 -S "mbedtls_ssl_handshake returned" \
3144 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003145 -s "Protocol is TLSv1.1" \
3146 -c "Protocol is TLSv1.1"
3147
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003148run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003149 "$P_SRV max_version=tls1_1" \
3150 "$P_CLI" \
3151 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003152 -S "mbedtls_ssl_handshake returned" \
3153 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003154 -s "Protocol is TLSv1.1" \
3155 -c "Protocol is TLSv1.1"
3156
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003157run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003158 "$P_SRV max_version=tls1_1" \
3159 "$P_CLI max_version=tls1_1" \
3160 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003161 -S "mbedtls_ssl_handshake returned" \
3162 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003163 -s "Protocol is TLSv1.1" \
3164 -c "Protocol is TLSv1.1"
3165
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003166run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003167 "$P_SRV min_version=tls1_1" \
3168 "$P_CLI max_version=tls1_1" \
3169 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003170 -S "mbedtls_ssl_handshake returned" \
3171 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003172 -s "Protocol is TLSv1.1" \
3173 -c "Protocol is TLSv1.1"
3174
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003175run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003176 "$P_SRV max_version=tls1_1" \
3177 "$P_CLI min_version=tls1_1" \
3178 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003179 -S "mbedtls_ssl_handshake returned" \
3180 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003181 -s "Protocol is TLSv1.1" \
3182 -c "Protocol is TLSv1.1"
3183
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003184run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003185 "$P_SRV max_version=tls1_1" \
3186 "$P_CLI min_version=tls1_2" \
3187 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003188 -s "mbedtls_ssl_handshake returned" \
3189 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003190 -c "SSL - Handshake protocol not within min/max boundaries"
3191
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003192run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003193 "$P_SRV min_version=tls1_2" \
3194 "$P_CLI max_version=tls1_1" \
3195 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003196 -s "mbedtls_ssl_handshake returned" \
3197 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003198 -s "SSL - Handshake protocol not within min/max boundaries"
3199
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003200# Tests for ALPN extension
3201
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003202run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003203 "$P_SRV debug_level=3" \
3204 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003205 0 \
3206 -C "client hello, adding alpn extension" \
3207 -S "found alpn extension" \
3208 -C "got an alert message, type: \\[2:120]" \
3209 -S "server hello, adding alpn extension" \
3210 -C "found alpn extension " \
3211 -C "Application Layer Protocol is" \
3212 -S "Application Layer Protocol is"
3213
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003214run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003215 "$P_SRV debug_level=3" \
3216 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003217 0 \
3218 -c "client hello, adding alpn extension" \
3219 -s "found alpn extension" \
3220 -C "got an alert message, type: \\[2:120]" \
3221 -S "server hello, adding alpn extension" \
3222 -C "found alpn extension " \
3223 -c "Application Layer Protocol is (none)" \
3224 -S "Application Layer Protocol is"
3225
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003226run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003227 "$P_SRV debug_level=3 alpn=abc,1234" \
3228 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003229 0 \
3230 -C "client hello, adding alpn extension" \
3231 -S "found alpn extension" \
3232 -C "got an alert message, type: \\[2:120]" \
3233 -S "server hello, adding alpn extension" \
3234 -C "found alpn extension " \
3235 -C "Application Layer Protocol is" \
3236 -s "Application Layer Protocol is (none)"
3237
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003238run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003239 "$P_SRV debug_level=3 alpn=abc,1234" \
3240 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003241 0 \
3242 -c "client hello, adding alpn extension" \
3243 -s "found alpn extension" \
3244 -C "got an alert message, type: \\[2:120]" \
3245 -s "server hello, adding alpn extension" \
3246 -c "found alpn extension" \
3247 -c "Application Layer Protocol is abc" \
3248 -s "Application Layer Protocol is abc"
3249
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003250run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003251 "$P_SRV debug_level=3 alpn=abc,1234" \
3252 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003253 0 \
3254 -c "client hello, adding alpn extension" \
3255 -s "found alpn extension" \
3256 -C "got an alert message, type: \\[2:120]" \
3257 -s "server hello, adding alpn extension" \
3258 -c "found alpn extension" \
3259 -c "Application Layer Protocol is abc" \
3260 -s "Application Layer Protocol is abc"
3261
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003262run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003263 "$P_SRV debug_level=3 alpn=abc,1234" \
3264 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003265 0 \
3266 -c "client hello, adding alpn extension" \
3267 -s "found alpn extension" \
3268 -C "got an alert message, type: \\[2:120]" \
3269 -s "server hello, adding alpn extension" \
3270 -c "found alpn extension" \
3271 -c "Application Layer Protocol is 1234" \
3272 -s "Application Layer Protocol is 1234"
3273
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003274run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003275 "$P_SRV debug_level=3 alpn=abc,123" \
3276 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003277 1 \
3278 -c "client hello, adding alpn extension" \
3279 -s "found alpn extension" \
3280 -c "got an alert message, type: \\[2:120]" \
3281 -S "server hello, adding alpn extension" \
3282 -C "found alpn extension" \
3283 -C "Application Layer Protocol is 1234" \
3284 -S "Application Layer Protocol is 1234"
3285
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003287# Tests for keyUsage in leaf certificates, part 1:
3288# server-side certificate/suite selection
3289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003290run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003291 "$P_SRV key_file=data_files/server2.key \
3292 crt_file=data_files/server2.ku-ds.crt" \
3293 "$P_CLI" \
3294 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +02003295 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003296
3297
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003298run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003299 "$P_SRV key_file=data_files/server2.key \
3300 crt_file=data_files/server2.ku-ke.crt" \
3301 "$P_CLI" \
3302 0 \
3303 -c "Ciphersuite is TLS-RSA-WITH-"
3304
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003305run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02003306 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003307 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02003308 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003309 1 \
3310 -C "Ciphersuite is "
3311
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003312run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003313 "$P_SRV key_file=data_files/server5.key \
3314 crt_file=data_files/server5.ku-ds.crt" \
3315 "$P_CLI" \
3316 0 \
3317 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
3318
3319
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003320run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003321 "$P_SRV key_file=data_files/server5.key \
3322 crt_file=data_files/server5.ku-ka.crt" \
3323 "$P_CLI" \
3324 0 \
3325 -c "Ciphersuite is TLS-ECDH-"
3326
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003327run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02003328 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003329 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02003330 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003331 1 \
3332 -C "Ciphersuite is "
3333
3334# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003335# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003336
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003337run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003338 "$O_SRV -key data_files/server2.key \
3339 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003340 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003341 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3342 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003343 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003344 -C "Processing of the Certificate handshake message failed" \
3345 -c "Ciphersuite is TLS-"
3346
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003347run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003348 "$O_SRV -key data_files/server2.key \
3349 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003350 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003351 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3352 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003353 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003354 -C "Processing of the Certificate handshake message failed" \
3355 -c "Ciphersuite is TLS-"
3356
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003357run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003358 "$O_SRV -key data_files/server2.key \
3359 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003360 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003361 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3362 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003363 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003364 -C "Processing of the Certificate handshake message failed" \
3365 -c "Ciphersuite is TLS-"
3366
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003367run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003368 "$O_SRV -key data_files/server2.key \
3369 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003370 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003371 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3372 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003373 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003374 -c "Processing of the Certificate handshake message failed" \
3375 -C "Ciphersuite is TLS-"
3376
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01003377run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
3378 "$O_SRV -key data_files/server2.key \
3379 -cert data_files/server2.ku-ke.crt" \
3380 "$P_CLI debug_level=1 auth_mode=optional \
3381 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3382 0 \
3383 -c "bad certificate (usage extensions)" \
3384 -C "Processing of the Certificate handshake message failed" \
3385 -c "Ciphersuite is TLS-" \
3386 -c "! Usage does not match the keyUsage extension"
3387
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003388run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003389 "$O_SRV -key data_files/server2.key \
3390 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003391 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003392 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3393 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003394 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003395 -C "Processing of the Certificate handshake message failed" \
3396 -c "Ciphersuite is TLS-"
3397
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003398run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003399 "$O_SRV -key data_files/server2.key \
3400 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003401 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003402 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3403 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003404 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003405 -c "Processing of the Certificate handshake message failed" \
3406 -C "Ciphersuite is TLS-"
3407
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01003408run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
3409 "$O_SRV -key data_files/server2.key \
3410 -cert data_files/server2.ku-ds.crt" \
3411 "$P_CLI debug_level=1 auth_mode=optional \
3412 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3413 0 \
3414 -c "bad certificate (usage extensions)" \
3415 -C "Processing of the Certificate handshake message failed" \
3416 -c "Ciphersuite is TLS-" \
3417 -c "! Usage does not match the keyUsage extension"
3418
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003419# Tests for keyUsage in leaf certificates, part 3:
3420# server-side checking of client cert
3421
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003422run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003423 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003424 "$O_CLI -key data_files/server2.key \
3425 -cert data_files/server2.ku-ds.crt" \
3426 0 \
3427 -S "bad certificate (usage extensions)" \
3428 -S "Processing of the Certificate handshake message failed"
3429
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003430run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003431 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003432 "$O_CLI -key data_files/server2.key \
3433 -cert data_files/server2.ku-ke.crt" \
3434 0 \
3435 -s "bad certificate (usage extensions)" \
3436 -S "Processing of the Certificate handshake message failed"
3437
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003438run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003439 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003440 "$O_CLI -key data_files/server2.key \
3441 -cert data_files/server2.ku-ke.crt" \
3442 1 \
3443 -s "bad certificate (usage extensions)" \
3444 -s "Processing of the Certificate handshake message failed"
3445
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003446run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003447 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003448 "$O_CLI -key data_files/server5.key \
3449 -cert data_files/server5.ku-ds.crt" \
3450 0 \
3451 -S "bad certificate (usage extensions)" \
3452 -S "Processing of the Certificate handshake message failed"
3453
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003454run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003455 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003456 "$O_CLI -key data_files/server5.key \
3457 -cert data_files/server5.ku-ka.crt" \
3458 0 \
3459 -s "bad certificate (usage extensions)" \
3460 -S "Processing of the Certificate handshake message failed"
3461
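# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
#
# These cases assert only the exit status (0 = handshake works, 1 = it does
# not); no log pattern is checked, so a "-> fail" case is satisfied by any
# handshake failure, not specifically by an extendedKeyUsage rejection.

run_test "extKeyUsage srv: serverAuth -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-srv.crt" \
 "$P_CLI" \
 0

# Uses the serverAuth+clientAuth certificate so that the case matches its
# title; with server5.eku-srv.crt it only repeated the previous case.
run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-srv_cli.crt" \
 "$P_CLI" \
 0

run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-cs_any.crt" \
 "$P_CLI" \
 0

# NOTE(review): titled codeSign, but the certificate is server5.eku-cli.crt
# (the one the cli-auth "clientAuth -> OK" case presents), not
# server5.eku-cs.crt. Judging by the file names neither carries serverAuth,
# so failure is expected under both readings; decide which one this case is
# meant to cover and align the title or the file.
run_test "extKeyUsage srv: codeSign -> fail" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-cli.crt" \
 "$P_CLI" \
 1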
3487
3488# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3489
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003490run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003491 "$O_SRV -key data_files/server5.key \
3492 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003493 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003494 0 \
3495 -C "bad certificate (usage extensions)" \
3496 -C "Processing of the Certificate handshake message failed" \
3497 -c "Ciphersuite is TLS-"
3498
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003499run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003500 "$O_SRV -key data_files/server5.key \
3501 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003502 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003503 0 \
3504 -C "bad certificate (usage extensions)" \
3505 -C "Processing of the Certificate handshake message failed" \
3506 -c "Ciphersuite is TLS-"
3507
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003508run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003509 "$O_SRV -key data_files/server5.key \
3510 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003511 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003512 0 \
3513 -C "bad certificate (usage extensions)" \
3514 -C "Processing of the Certificate handshake message failed" \
3515 -c "Ciphersuite is TLS-"
3516
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003517run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003518 "$O_SRV -key data_files/server5.key \
3519 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003520 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003521 1 \
3522 -c "bad certificate (usage extensions)" \
3523 -c "Processing of the Certificate handshake message failed" \
3524 -C "Ciphersuite is TLS-"
3525
3526# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3527
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003528run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003529 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003530 "$O_CLI -key data_files/server5.key \
3531 -cert data_files/server5.eku-cli.crt" \
3532 0 \
3533 -S "bad certificate (usage extensions)" \
3534 -S "Processing of the Certificate handshake message failed"
3535
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003536run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003537 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003538 "$O_CLI -key data_files/server5.key \
3539 -cert data_files/server5.eku-srv_cli.crt" \
3540 0 \
3541 -S "bad certificate (usage extensions)" \
3542 -S "Processing of the Certificate handshake message failed"
3543
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003544run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003545 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003546 "$O_CLI -key data_files/server5.key \
3547 -cert data_files/server5.eku-cs_any.crt" \
3548 0 \
3549 -S "bad certificate (usage extensions)" \
3550 -S "Processing of the Certificate handshake message failed"
3551
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003552run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003553 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003554 "$O_CLI -key data_files/server5.key \
3555 -cert data_files/server5.eku-cs.crt" \
3556 0 \
3557 -s "bad certificate (usage extensions)" \
3558 -S "Processing of the Certificate handshake message failed"
3559
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003560run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003561 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003562 "$O_CLI -key data_files/server5.key \
3563 -cert data_files/server5.eku-cs.crt" \
3564 1 \
3565 -s "bad certificate (usage extensions)" \
3566 -s "Processing of the Certificate handshake message failed"
3567
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02003568# Tests for DHM parameters loading
3569
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003570run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02003571 "$P_SRV" \
3572 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3573 debug_level=3" \
3574 0 \
3575 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +01003576 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02003577
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003578run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02003579 "$P_SRV dhm_file=data_files/dhparams.pem" \
3580 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3581 debug_level=3" \
3582 0 \
3583 -c "value of 'DHM: P ' (1024 bits)" \
3584 -c "value of 'DHM: G ' (2 bits)"
3585
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +02003586# Tests for DHM client-side size checking
3587
3588run_test "DHM size: server default, client default, OK" \
3589 "$P_SRV" \
3590 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3591 debug_level=1" \
3592 0 \
3593 -C "DHM prime too short:"
3594
3595run_test "DHM size: server default, client 2048, OK" \
3596 "$P_SRV" \
3597 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3598 debug_level=1 dhmlen=2048" \
3599 0 \
3600 -C "DHM prime too short:"
3601
3602run_test "DHM size: server 1024, client default, OK" \
3603 "$P_SRV dhm_file=data_files/dhparams.pem" \
3604 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3605 debug_level=1" \
3606 0 \
3607 -C "DHM prime too short:"
3608
3609run_test "DHM size: server 1000, client default, rejected" \
3610 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3611 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3612 debug_level=1" \
3613 1 \
3614 -c "DHM prime too short:"
3615
3616run_test "DHM size: server default, client 2049, rejected" \
3617 "$P_SRV" \
3618 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3619 debug_level=1 dhmlen=2049" \
3620 1 \
3621 -c "DHM prime too short:"
3622
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003623# Tests for PSK callback
3624
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003625run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003626 "$P_SRV psk=abc123 psk_identity=foo" \
3627 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3628 psk_identity=foo psk=abc123" \
3629 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003630 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +02003631 -S "SSL - Unknown identity received" \
3632 -S "SSL - Verification of the message MAC failed"
3633
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003634run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +02003635 "$P_SRV" \
3636 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3637 psk_identity=foo psk=abc123" \
3638 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003639 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003640 -S "SSL - Unknown identity received" \
3641 -S "SSL - Verification of the message MAC failed"
3642
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003643run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003644 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3645 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3646 psk_identity=foo psk=abc123" \
3647 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003648 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003649 -s "SSL - Unknown identity received" \
3650 -S "SSL - Verification of the message MAC failed"
3651
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003652run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003653 "$P_SRV psk_list=abc,dead,def,beef" \
3654 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3655 psk_identity=abc psk=dead" \
3656 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003657 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003658 -S "SSL - Unknown identity received" \
3659 -S "SSL - Verification of the message MAC failed"
3660
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003661run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003662 "$P_SRV psk_list=abc,dead,def,beef" \
3663 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3664 psk_identity=def psk=beef" \
3665 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003666 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003667 -S "SSL - Unknown identity received" \
3668 -S "SSL - Verification of the message MAC failed"
3669
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003670run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003671 "$P_SRV psk_list=abc,dead,def,beef" \
3672 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3673 psk_identity=ghi psk=beef" \
3674 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003675 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003676 -s "SSL - Unknown identity received" \
3677 -S "SSL - Verification of the message MAC failed"
3678
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003679run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003680 "$P_SRV psk_list=abc,dead,def,beef" \
3681 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3682 psk_identity=abc psk=beef" \
3683 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003684 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003685 -S "SSL - Unknown identity received" \
3686 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02003687
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +02003688# Tests for EC J-PAKE
3689
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +02003690requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +02003691run_test "ECJPAKE: client not configured" \
3692 "$P_SRV debug_level=3" \
3693 "$P_CLI debug_level=3" \
3694 0 \
3695 -C "add ciphersuite: c0ff" \
3696 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +02003697 -S "found ecjpake kkpp extension" \
3698 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +02003699 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +02003700 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02003701 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +02003702 -S "None of the common ciphersuites is usable"
3703
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +02003704requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +02003705run_test "ECJPAKE: server not configured" \
3706 "$P_SRV debug_level=3" \
3707 "$P_CLI debug_level=3 ecjpake_pw=bla \
3708 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3709 1 \
3710 -c "add ciphersuite: c0ff" \
3711 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +02003712 -s "found ecjpake kkpp extension" \
3713 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +02003714 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +02003715 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02003716 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +02003717 -s "None of the common ciphersuites is usable"
3718
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +02003719requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +02003720run_test "ECJPAKE: working, TLS" \
3721 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3722 "$P_CLI debug_level=3 ecjpake_pw=bla \
3723 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +02003724 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +02003725 -c "add ciphersuite: c0ff" \
3726 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +02003727 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +02003728 -s "found ecjpake kkpp extension" \
3729 -S "skip ecjpake kkpp extension" \
3730 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +02003731 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +02003732 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +02003733 -S "None of the common ciphersuites is usable" \
3734 -S "SSL - Verification of the message MAC failed"
3735
Janos Follath74537a62016-09-02 13:45:28 +01003736server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +02003737requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +02003738run_test "ECJPAKE: password mismatch, TLS" \
3739 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3740 "$P_CLI debug_level=3 ecjpake_pw=bad \
3741 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3742 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +02003743 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +02003744 -s "SSL - Verification of the message MAC failed"
3745
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +02003746requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +02003747run_test "ECJPAKE: working, DTLS" \
3748 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3749 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3750 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3751 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +02003752 -c "re-using cached ecjpake parameters" \
3753 -S "SSL - Verification of the message MAC failed"
3754
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +02003755requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +02003756run_test "ECJPAKE: working, DTLS, no cookie" \
3757 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3758 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3759 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3760 0 \
3761 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +02003762 -S "SSL - Verification of the message MAC failed"
3763
Janos Follath74537a62016-09-02 13:45:28 +01003764server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +02003765requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +02003766run_test "ECJPAKE: password mismatch, DTLS" \
3767 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3768 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3769 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3770 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +02003771 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +02003772 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +02003773
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +02003774# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +02003775requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +02003776run_test "ECJPAKE: working, DTLS, nolog" \
3777 "$P_SRV dtls=1 ecjpake_pw=bla" \
3778 "$P_CLI dtls=1 ecjpake_pw=bla \
3779 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3780 0
3781
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003782# Tests for ciphersuites per version
3783
Janos Follathe2681a42016-03-07 15:57:05 +00003784requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003785requires_config_enabled MBEDTLS_CAMELLIA_C
3786requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003787run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003788 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003789 "$P_CLI force_version=ssl3" \
3790 0 \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003791 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003792
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003793requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
3794requires_config_enabled MBEDTLS_CAMELLIA_C
3795requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003796run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003797 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +01003798 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003799 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003800 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003801
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003802requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
3803requires_config_enabled MBEDTLS_CAMELLIA_C
3804requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003805run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003806 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003807 "$P_CLI force_version=tls1_1" \
3808 0 \
3809 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3810
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003811requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
3812requires_config_enabled MBEDTLS_CAMELLIA_C
3813requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003814run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +01003815 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003816 "$P_CLI force_version=tls1_2" \
3817 0 \
3818 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3819
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +02003820# Test for ClientHello without extensions
3821
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +02003822requires_gnutls
Manuel Pégourié-Gonnard37abf122020-01-30 12:45:14 +01003823run_test "ClientHello without extensions" \
Manuel Pégourié-Gonnarda92990a2020-01-30 11:19:45 +01003824 "$P_SRV debug_level=3" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +02003825 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3826 0 \
3827 -s "dumping 'client hello extensions' (0 bytes)"
3828
# Tests for mbedtls_ssl_get_bytes_avail()
#
# The server's "Read from client" log line is matched in two shapes: ending
# right after the byte count (the trailing $ in the first pattern), or
# followed by a parenthesised "a+b" part when the request needed more than
# one read.
# NOTE(review): how "+" and the parentheses in the second pattern are
# interpreted depends on the matcher run_test uses, which is outside this
# excerpt - confirm before editing the pattern.

# 100-byte request: the log line must end after the count.
run_test    "mbedtls_ssl_get_bytes_avail: no extra data" \
            "$P_SRV" \
            "$P_CLI request_size=100" \
            0 \
            -s "Read from client: 100 bytes read$"

# 500-byte request: the log line must carry the extra "(...+...)" part.
run_test    "mbedtls_ssl_get_bytes_avail: extra data" \
            "$P_SRV" \
            "$P_CLI request_size=500" \
            0 \
            -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003842
Andrzej Kurekd731a632018-06-19 09:37:30 -04003843# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003844
Janos Follathe2681a42016-03-07 15:57:05 +00003845requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekd731a632018-06-19 09:37:30 -04003846run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01003847 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003848 "$P_CLI request_size=1 force_version=ssl3 \
3849 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3850 0 \
3851 -s "Read from client: 1 bytes read"
3852
Janos Follathe2681a42016-03-07 15:57:05 +00003853requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekd731a632018-06-19 09:37:30 -04003854run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003855 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003856 "$P_CLI request_size=1 force_version=ssl3 \
3857 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3858 0 \
3859 -s "Read from client: 1 bytes read"
3860
Andrzej Kurekd731a632018-06-19 09:37:30 -04003861run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003862 "$P_SRV" \
3863 "$P_CLI request_size=1 force_version=tls1 \
3864 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3865 0 \
3866 -s "Read from client: 1 bytes read"
3867
Andrzej Kurekd731a632018-06-19 09:37:30 -04003868run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +01003869 "$P_SRV" \
3870 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3871 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3872 0 \
3873 -s "Read from client: 1 bytes read"
3874
Hanno Becker32c55012017-11-10 08:42:54 +00003875requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04003876run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00003877 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003878 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003879 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003880 0 \
3881 -s "Read from client: 1 bytes read"
3882
Hanno Becker32c55012017-11-10 08:42:54 +00003883requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04003884run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00003885 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +00003886 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003887 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +00003888 0 \
3889 -s "Read from client: 1 bytes read"
3890
Andrzej Kurekd731a632018-06-19 09:37:30 -04003891run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003892 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003893 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +00003894 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3895 0 \
3896 -s "Read from client: 1 bytes read"
3897
Andrzej Kurekd731a632018-06-19 09:37:30 -04003898run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +00003899 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3900 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003901 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +00003902 0 \
3903 -s "Read from client: 1 bytes read"
3904
3905requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04003906run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00003907 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003908 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003909 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003910 0 \
3911 -s "Read from client: 1 bytes read"
3912
Hanno Becker8501f982017-11-10 08:59:04 +00003913requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04003914run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00003915 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
3916 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3917 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003918 0 \
3919 -s "Read from client: 1 bytes read"
3920
Andrzej Kurekd731a632018-06-19 09:37:30 -04003921run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003922 "$P_SRV" \
3923 "$P_CLI request_size=1 force_version=tls1_1 \
3924 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3925 0 \
3926 -s "Read from client: 1 bytes read"
3927
Andrzej Kurekd731a632018-06-19 09:37:30 -04003928run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +01003929 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +00003930 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003931 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +00003932 0 \
3933 -s "Read from client: 1 bytes read"
3934
3935requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04003936run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00003937 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +00003938 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003939 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +00003940 0 \
3941 -s "Read from client: 1 bytes read"
3942
3943requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04003944run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00003945 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +00003946 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003947 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +01003948 0 \
3949 -s "Read from client: 1 bytes read"
3950
Andrzej Kurekd731a632018-06-19 09:37:30 -04003951run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003952 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003953 "$P_CLI request_size=1 force_version=tls1_1 \
3954 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3955 0 \
3956 -s "Read from client: 1 bytes read"
3957
Andrzej Kurekd731a632018-06-19 09:37:30 -04003958run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +00003959 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003960 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003961 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003962 0 \
3963 -s "Read from client: 1 bytes read"
3964
Hanno Becker8501f982017-11-10 08:59:04 +00003965requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04003966run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00003967 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003968 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003969 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003970 0 \
3971 -s "Read from client: 1 bytes read"
3972
Hanno Becker32c55012017-11-10 08:42:54 +00003973requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04003974run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00003975 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003976 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003977 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003978 0 \
3979 -s "Read from client: 1 bytes read"
3980
Andrzej Kurekd731a632018-06-19 09:37:30 -04003981run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003982 "$P_SRV" \
3983 "$P_CLI request_size=1 force_version=tls1_2 \
3984 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3985 0 \
3986 -s "Read from client: 1 bytes read"
3987
Andrzej Kurekd731a632018-06-19 09:37:30 -04003988run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +01003989 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +00003990 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00003991 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +01003992 0 \
3993 -s "Read from client: 1 bytes read"
3994
Andrzej Kurekd731a632018-06-19 09:37:30 -04003995run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003996 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01003997 "$P_CLI request_size=1 force_version=tls1_2 \
3998 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003999 0 \
4000 -s "Read from client: 1 bytes read"
4001
Hanno Becker32c55012017-11-10 08:42:54 +00004002requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004003run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004004 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02004005 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004006 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02004007 0 \
4008 -s "Read from client: 1 bytes read"
4009
Hanno Becker8501f982017-11-10 08:59:04 +00004010requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004011run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004012 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +00004013 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004014 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02004015 0 \
4016 -s "Read from client: 1 bytes read"
4017
Andrzej Kurekd731a632018-06-19 09:37:30 -04004018run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01004019 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02004020 "$P_CLI request_size=1 force_version=tls1_2 \
4021 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4022 0 \
4023 -s "Read from client: 1 bytes read"
4024
Andrzej Kurekd731a632018-06-19 09:37:30 -04004025run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01004026 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02004027 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004028 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +00004029 0 \
4030 -s "Read from client: 1 bytes read"
4031
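# Remaining TLS 1.2 "small client packet" cases. In each one the client sends
# a 1-byte request (request_size=1), and the test passes only if the server
# output contains "Read from client: 1 bytes read" (-s checks server output).
#
# RC4 cases: the server is given arc4=1 together with the forced RC4 suite;
# presumably RC4 is not negotiated unless explicitly enabled -- confirm
# against the server program's option help. They are kept as legacy-interop
# regression cases.
# Truncated-HMAC cases are skipped unless MBEDTLS_SSL_TRUNCATED_HMAC is
# enabled, and pass trunc_hmac=1 to both peers.

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"

# NOTE(review): Encrypt-then-MAC (RFC 7366) only applies to CBC suites, so
# etm=0 with RC4 presumably just checks that the option is harmless here.
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
            0 \
            -s "Read from client: 1 bytes read"

run_test    "Small client packet TLS 1.2 AEAD" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
            0 \
            -s "Read from client: 1 bytes read"

# CCM-8 suite: the same AEAD as above with an 8-byte authentication tag.
run_test    "Small client packet TLS 1.2 AEAD shorter tag" \
            "$P_SRV" \
            "$P_CLI request_size=1 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
            0 \
            -s "Read from client: 1 bytes read"
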
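# Tests for small client packets in DTLS
#
# DTLS 1.0 group. Every case is skipped unless MBEDTLS_SSL_PROTO_DTLS is
# enabled. The protocol version is forced on the server (force_version=dtls1);
# the client only sets dtls=1. The client sends a 1-byte request, and the
# server output must contain "Read from client: 1 bytes read".
# In the "without EtM" cases etm=0 is set on the server side only.

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test    "Small client packet DTLS 1.0" \
            "$P_SRV dtls=1 force_version=dtls1" \
            "$P_CLI dtls=1 request_size=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test    "Small client packet DTLS 1.0, without EtM" \
            "$P_SRV dtls=1 force_version=dtls1 etm=0" \
            "$P_CLI dtls=1 request_size=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

# Truncated-HMAC variants additionally need MBEDTLS_SSL_TRUNCATED_HMAC and
# pass trunc_hmac=1 to both peers.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small client packet DTLS 1.0, truncated hmac" \
            "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
            "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small client packet DTLS 1.0, without EtM, truncated MAC" \
            "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
            "$P_CLI dtls=1 request_size=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"
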
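# Small client packets, DTLS 1.2 group. Every case is skipped unless
# MBEDTLS_SSL_PROTO_DTLS is enabled. The version is forced on the server
# (force_version=dtls1_2); the client sends a 1-byte request, and the server
# output must contain "Read from client: 1 bytes read".
# In the "without EtM" cases etm=0 is set on the server side only.

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test    "Small client packet DTLS 1.2" \
            "$P_SRV dtls=1 force_version=dtls1_2" \
            "$P_CLI dtls=1 request_size=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test    "Small client packet DTLS 1.2, without EtM" \
            "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
            "$P_CLI dtls=1 request_size=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 1 bytes read"

# Truncated-HMAC variants additionally need MBEDTLS_SSL_TRUNCATED_HMAC and
# pass trunc_hmac=1 to both peers.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small client packet DTLS 1.2, truncated hmac" \
            "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
            "$P_CLI dtls=1 request_size=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small client packet DTLS 1.2, without EtM, truncated MAC" \
            "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
            "$P_CLI dtls=1 request_size=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 1 bytes read"
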
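# Tests for small server packets
#
# These cases mirror the small-client-packet ones in the opposite direction:
# the server is started with response_size=1, and the client output must
# contain "Read from server: 1 bytes read" (-c checks client output).
#
# SSLv3 group: skipped unless MBEDTLS_SSL_PROTO_SSL3 is enabled. The server
# is given min_version=ssl3 and the client forces ssl3. The RC4 case also
# passes arc4=1 to the server.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Small server packet SSLv3 BlockCipher" \
            "$P_SRV response_size=1 min_version=ssl3" \
            "$P_CLI force_version=ssl3 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Small server packet SSLv3 StreamCipher" \
            "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI force_version=ssl3 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "Read from server: 1 bytes read"
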
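# Small server packets, TLS 1.0 group. The server answers with a 1-byte
# response (response_size=1), the client forces tls1, and the client output
# must contain "Read from server: 1 bytes read".
# Variants: CBC vs RC4 suite, etm=0 on the client, and truncated HMAC
# (skipped unless MBEDTLS_SSL_TRUNCATED_HMAC is enabled; trunc_hmac=1 on both
# peers). RC4 cases pass arc4=1 to the server.
# NOTE(review): Encrypt-then-MAC (RFC 7366) only applies to CBC suites, so
# the RC4 "without EtM" cases presumably just check that etm=0 is harmless.

run_test    "Small server packet TLS 1.0 BlockCipher" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.0 BlockCipher, without EtM" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1 etm=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
            "$P_SRV response_size=1 trunc_hmac=1" \
            "$P_CLI force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
            "$P_SRV response_size=1 trunc_hmac=1" \
            "$P_CLI force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.0 StreamCipher" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.0 StreamCipher, without EtM" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
             trunc_hmac=1 etm=0" \
            0 \
            -c "Read from server: 1 bytes read"
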
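# Small server packets, TLS 1.1 group. The server answers with a 1-byte
# response (response_size=1), the client forces tls1_1, and the client output
# must contain "Read from server: 1 bytes read".
# Variants: CBC vs RC4 suite, etm=0 on the client, and truncated HMAC
# (skipped unless MBEDTLS_SSL_TRUNCATED_HMAC is enabled; trunc_hmac=1 on both
# peers). RC4 cases pass arc4=1 to the server.
# NOTE(review): Encrypt-then-MAC (RFC 7366) only applies to CBC suites, so
# the RC4 "without EtM" cases presumably just check that etm=0 is harmless.

run_test    "Small server packet TLS 1.1 BlockCipher" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.1 BlockCipher, without EtM" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
            "$P_SRV response_size=1 trunc_hmac=1" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
            "$P_SRV response_size=1 trunc_hmac=1" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.1 StreamCipher" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.1 StreamCipher, without EtM" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "Read from server: 1 bytes read"
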
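# Small server packets, TLS 1.2 group. The server answers with a 1-byte
# response (response_size=1), the client forces tls1_2, and the client output
# must contain "Read from server: 1 bytes read".
# Variants: CBC with SHA-1 or SHA-384 MAC, RC4, AEAD (CCM and CCM-8), etm=0 on
# the client, and truncated HMAC (skipped unless MBEDTLS_SSL_TRUNCATED_HMAC
# is enabled; trunc_hmac=1 on both peers). RC4 cases pass arc4=1 to the
# server.
# NOTE(review): Encrypt-then-MAC (RFC 7366) only applies to CBC suites, so
# the RC4 "without EtM" cases presumably just check that etm=0 is harmless.

run_test    "Small server packet TLS 1.2 BlockCipher" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.2 BlockCipher, without EtM" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.2 BlockCipher larger MAC" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
            "$P_SRV response_size=1 trunc_hmac=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
            "$P_SRV response_size=1 trunc_hmac=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.2 StreamCipher" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.2 StreamCipher, without EtM" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
            "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "Read from server: 1 bytes read"

run_test    "Small server packet TLS 1.2 AEAD" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
            0 \
            -c "Read from server: 1 bytes read"

# CCM-8 suite: the same AEAD as above with an 8-byte authentication tag.
run_test    "Small server packet TLS 1.2 AEAD shorter tag" \
            "$P_SRV response_size=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
            0 \
            -c "Read from server: 1 bytes read"
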
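# Tests for small server packets in DTLS
#
# DTLS 1.0 group. Every case is skipped unless MBEDTLS_SSL_PROTO_DTLS is
# enabled. The server forces dtls1 and answers with a 1-byte response
# (response_size=1); the client output must contain
# "Read from server: 1 bytes read".
# In the "without EtM" cases etm=0 is set on the server side only.

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test    "Small server packet DTLS 1.0" \
            "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
            "$P_CLI dtls=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test    "Small server packet DTLS 1.0, without EtM" \
            "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
            "$P_CLI dtls=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

# Truncated-HMAC variants additionally need MBEDTLS_SSL_TRUNCATED_HMAC and
# pass trunc_hmac=1 to both peers.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet DTLS 1.0, truncated hmac" \
            "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
            "$P_CLI dtls=1 trunc_hmac=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet DTLS 1.0, without EtM, truncated MAC" \
            "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
            "$P_CLI dtls=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"
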
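# Small server packets, DTLS 1.2 group. Every case is skipped unless
# MBEDTLS_SSL_PROTO_DTLS is enabled. The server forces dtls1_2 and answers
# with a 1-byte response (response_size=1); the client output must contain
# "Read from server: 1 bytes read".
# In the "without EtM" cases etm=0 is set on the server side only.

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test    "Small server packet DTLS 1.2" \
            "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
            "$P_CLI dtls=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test    "Small server packet DTLS 1.2, without EtM" \
            "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
            "$P_CLI dtls=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "Read from server: 1 bytes read"

# Truncated-HMAC variants additionally need MBEDTLS_SSL_TRUNCATED_HMAC and
# pass trunc_hmac=1 to both peers.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet DTLS 1.2, truncated hmac" \
            "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
            "$P_CLI dtls=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Small server packet DTLS 1.2, without EtM, truncated MAC" \
            "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
            "$P_CLI dtls=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -c "Read from server: 1 bytes read"
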
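# A test for extensions in SSLv3
#
# Skipped unless MBEDTLS_SSL_PROTO_SSL3 is enabled. The client forces ssl3
# while also asking for session tickets, a max fragment length and ALPN.
# The server runs with debug_level=3, and both -S patterns must be ABSENT
# from its output (-S is the negated form of -s): no "client hello
# extensions" dump and no "server hello, total extension length:" line.
# NOTE(review): read together with the test name, this pins that the server
# neither parses nor sends hello extensions when SSLv3 is negotiated --
# confirm against the server-side handshake code.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "SSLv3 with extensions, server side" \
            "$P_SRV min_version=ssl3 debug_level=3" \
            "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
            0 \
            -S "dumping 'client hello extensions'" \
            -S "server hello, total extension length:"
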
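# Test for large client packets
#
# The client sends a 16384-byte request (request_size=16384). Both cases in
# this SSLv3 group check the client side ("16384 bytes written in 1
# fragments", -c) and the server side ("Read from client: 16384 bytes read",
# -s), so a write that got split into several records would fail the test.
# recsplit=0 is passed only with the CBC suite -- presumably it turns off CBC
# record splitting, which the "1 fragments" expectation depends on.
# NOTE(review): the hard-coded 16384 and "1 fragments" assume the build's
# maximum record payload is at least 16384 bytes -- confirm for
# reduced-buffer configurations.
# SSLv3 cases are skipped unless MBEDTLS_SSL_PROTO_SSL3 is enabled.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Large client packet SSLv3 BlockCipher" \
            "$P_SRV min_version=ssl3" \
            "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test    "Large client packet SSLv3 StreamCipher" \
            "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=ssl3 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"
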
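# Large client packets, TLS 1.0 group. The client sends a 16384-byte request
# and the server output must contain "Read from client: 16384 bytes read".
# The CBC cases pass recsplit=0 -- presumably to turn off CBC record
# splitting so that the request goes out as a single record.
#
# NOTE(review): only three cases here also assert the client-side line
# "16384 bytes written in 1 fragments" (-c): "BlockCipher", "BlockCipher,
# truncated MAC" and "StreamCipher, without EtM, truncated MAC". The other
# five check the server side only, although their size, version and recsplit
# arguments match an asserting sibling. The gap looks unintentional; confirm
# and add the -c check so that a fragmented write cannot pass unnoticed.
# NOTE(review): the hard-coded 16384 and "1 fragments" assume the build's
# maximum record payload is at least 16384 bytes.

run_test    "Large client packet TLS 1.0 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.0 BlockCipher, without EtM" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
            "$P_SRV trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
            "$P_SRV trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.0 StreamCipher" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.0 StreamCipher, without EtM" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"
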
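# Large client packets, TLS 1.1 group. The client sends a 16384-byte request
# and the server output must contain "Read from client: 16384 bytes read".
# No case here passes recsplit=0.
#
# NOTE(review): four cases also assert the client-side line "16384 bytes
# written in 1 fragments" (-c): "BlockCipher", "StreamCipher", "StreamCipher,
# without EtM" and "StreamCipher, without EtM, truncated MAC". The other four
# check the server side only. The gap looks unintentional; confirm and add
# the -c check so that a fragmented write cannot pass unnoticed.
# NOTE(review): the hard-coded 16384 and "1 fragments" assume the build's
# maximum record payload is at least 16384 bytes.

run_test    "Large client packet TLS 1.1 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.1 BlockCipher, without EtM" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
            "$P_SRV trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
            "$P_SRV trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
            0 \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.1 StreamCipher" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.1 StreamCipher, without EtM" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"
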
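# Large client packets, TLS 1.2 group. The client sends a 16384-byte request
# and the server output must contain "Read from client: 16384 bytes read".
# Variants: CBC with SHA-1 or SHA-384 MAC, RC4 (arc4=1 on the server), AEAD
# (CCM), etm=0 on the client, and truncated HMAC (skipped unless
# MBEDTLS_SSL_TRUNCATED_HMAC is enabled).
#
# NOTE(review): four cases check the server side only and do not assert the
# client-side line "16384 bytes written in 1 fragments" (-c): "BlockCipher,
# without EtM", "BlockCipher, truncated MAC", "StreamCipher, without EtM" and
# "StreamCipher, truncated MAC". The gap looks unintentional; confirm and add
# the -c check so that a fragmented write cannot pass unnoticed.
# NOTE(review): the hard-coded 16384 and "1 fragments" assume the build's
# maximum record payload is at least 16384 bytes.

run_test    "Large client packet TLS 1.2 BlockCipher" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.2 BlockCipher, without EtM" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
            0 \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.2 BlockCipher larger MAC" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
            "$P_SRV trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
            "$P_SRV trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.2 StreamCipher" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.2 StreamCipher, without EtM" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            0 \
            -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
            "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"

run_test    "Large client packet TLS 1.2 AEAD" \
            "$P_SRV" \
            "$P_CLI request_size=16384 force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
            0 \
            -c "16384 bytes written in 1 fragments" \
            -s "Read from client: 16384 bytes read"
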
Andrzej Kurek557335e2018-06-28 04:03:10 -04004658run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004659 "$P_SRV" \
4660 "$P_CLI request_size=16384 force_version=tls1_2 \
4661 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4662 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004663 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004664 -s "Read from client: 16384 bytes read"
# Tests for ECC extensions (RFC 4492)
#
# The supported_elliptic_curves and supported_point_formats extensions must be
# written and parsed only when an ECC ciphersuite is in play. Each test forces
# one suite on one side, runs both programs at debug_level=3 and checks the
# debug log: -c/-s patterns must appear in the client/server output, -C/-S
# patterns must be absent.
#
# Every "must be absent" pattern in the non-ECC tests is reused as a "must be
# present" pattern in the matching ECC test. That pairing matters: an absence
# check on its own would keep passing if the debug message were ever reworded.

requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test    "Force a non ECC ciphersuite in the client side" \
            "$P_SRV debug_level=3" \
            "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
            0 \
            -C "client hello, adding supported_elliptic_curves extension" \
            -C "client hello, adding supported_point_formats extension" \
            -S "found supported elliptic curves extension" \
            -S "found supported point formats extension"

requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test    "Force a non ECC ciphersuite in the server side" \
            "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
            "$P_CLI debug_level=3" \
            0 \
            -C "found supported_point_formats extension" \
            -S "server hello, supported_point_formats extension"

requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test    "Force an ECC ciphersuite in the client side" \
            "$P_SRV debug_level=3" \
            "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
            0 \
            -c "client hello, adding supported_elliptic_curves extension" \
            -c "client hello, adding supported_point_formats extension" \
            -s "found supported elliptic curves extension" \
            -s "found supported point formats extension"

requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test    "Force an ECC ciphersuite in the server side" \
            "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
            "$P_CLI debug_level=3" \
            0 \
            -c "found supported_point_formats extension" \
            -s "server hello, supported_point_formats extension"
Andrzej Kurek557335e2018-06-28 04:03:10 -04004716# Test for large server packets
Andrzej Kurek557335e2018-06-28 04:03:10 -04004717requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4718run_test "Large server packet SSLv3 StreamCipher" \
4719 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4720 "$P_CLI force_version=ssl3 \
4721 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4722 0 \
4723 -c "Read from server: 16384 bytes read"
4724
Andrzej Kurekc8958212018-08-27 08:00:13 -04004725# Checking next 4 tests logs for 1n-1 split against BEAST too
4726requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4727run_test "Large server packet SSLv3 BlockCipher" \
4728 "$P_SRV response_size=16384 min_version=ssl3" \
4729 "$P_CLI force_version=ssl3 recsplit=0 \
4730 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4731 0 \
4732 -c "Read from server: 1 bytes read"\
4733 -c "16383 bytes read"\
4734 -C "Read from server: 16384 bytes read"
4735
Andrzej Kurek557335e2018-06-28 04:03:10 -04004736run_test "Large server packet TLS 1.0 BlockCipher" \
4737 "$P_SRV response_size=16384" \
4738 "$P_CLI force_version=tls1 recsplit=0 \
4739 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4740 0 \
4741 -c "Read from server: 1 bytes read"\
4742 -c "16383 bytes read"\
4743 -C "Read from server: 16384 bytes read"
4744
Andrzej Kurekd731a632018-06-19 09:37:30 -04004745run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
4746 "$P_SRV response_size=16384" \
4747 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
4748 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4749 0 \
4750 -c "Read from server: 1 bytes read"\
4751 -c "16383 bytes read"\
4752 -C "Read from server: 16384 bytes read"
4753
Andrzej Kurek557335e2018-06-28 04:03:10 -04004754requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4755run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
4756 "$P_SRV response_size=16384" \
4757 "$P_CLI force_version=tls1 recsplit=0 \
4758 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4759 trunc_hmac=1" \
4760 0 \
4761 -c "Read from server: 1 bytes read"\
4762 -c "16383 bytes read"\
4763 -C "Read from server: 16384 bytes read"
4765requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4766run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
4767 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4768 "$P_CLI force_version=tls1 \
4769 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4770 trunc_hmac=1" \
4771 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004772 -s "16384 bytes written in 1 fragments" \
4773 -c "Read from server: 16384 bytes read"
4774
4775run_test "Large server packet TLS 1.0 StreamCipher" \
4776 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4777 "$P_CLI force_version=tls1 \
4778 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4779 0 \
4780 -s "16384 bytes written in 1 fragments" \
4781 -c "Read from server: 16384 bytes read"
4782
4783run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
4784 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4785 "$P_CLI force_version=tls1 \
4786 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4787 0 \
4788 -s "16384 bytes written in 1 fragments" \
4789 -c "Read from server: 16384 bytes read"
4790
4791requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4792run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
4793 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4794 "$P_CLI force_version=tls1 \
4795 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4796 0 \
4797 -s "16384 bytes written in 1 fragments" \
4798 -c "Read from server: 16384 bytes read"
4799
4800requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4801run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4802 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4803 "$P_CLI force_version=tls1 \
4804 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4805 0 \
4806 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004807 -c "Read from server: 16384 bytes read"
4809run_test "Large server packet TLS 1.1 BlockCipher" \
4810 "$P_SRV response_size=16384" \
4811 "$P_CLI force_version=tls1_1 \
4812 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4813 0 \
4814 -c "Read from server: 16384 bytes read"
4815
Andrzej Kurekd731a632018-06-19 09:37:30 -04004816run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
4817 "$P_SRV response_size=16384" \
4818 "$P_CLI force_version=tls1_1 etm=0 \
4819 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004820 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004821 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004822 -c "Read from server: 16384 bytes read"
4823
4824requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4825run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
4826 "$P_SRV response_size=16384" \
4827 "$P_CLI force_version=tls1_1 \
4828 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4829 trunc_hmac=1" \
4830 0 \
4831 -c "Read from server: 16384 bytes read"
4832
4833requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004834run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4835 "$P_SRV response_size=16384 trunc_hmac=1" \
4836 "$P_CLI force_version=tls1_1 \
4837 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4838 0 \
4839 -s "16384 bytes written in 1 fragments" \
4840 -c "Read from server: 16384 bytes read"
4841
4842run_test "Large server packet TLS 1.1 StreamCipher" \
4843 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4844 "$P_CLI force_version=tls1_1 \
4845 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4846 0 \
4847 -c "Read from server: 16384 bytes read"
4848
4849run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
4850 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4851 "$P_CLI force_version=tls1_1 \
4852 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4853 0 \
4854 -s "16384 bytes written in 1 fragments" \
4855 -c "Read from server: 16384 bytes read"
4856
4857requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004858run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
4859 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4860 "$P_CLI force_version=tls1_1 \
4861 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4862 trunc_hmac=1" \
4863 0 \
4864 -c "Read from server: 16384 bytes read"
4865
Andrzej Kurekd731a632018-06-19 09:37:30 -04004866run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
4867 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4868 "$P_CLI force_version=tls1_1 \
4869 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4870 0 \
4871 -s "16384 bytes written in 1 fragments" \
4872 -c "Read from server: 16384 bytes read"
Andrzej Kurek557335e2018-06-28 04:03:10 -04004874run_test "Large server packet TLS 1.2 BlockCipher" \
4875 "$P_SRV response_size=16384" \
4876 "$P_CLI force_version=tls1_2 \
4877 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4878 0 \
4879 -c "Read from server: 16384 bytes read"
4880
Andrzej Kurekd731a632018-06-19 09:37:30 -04004881run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
4882 "$P_SRV response_size=16384" \
4883 "$P_CLI force_version=tls1_2 etm=0 \
4884 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4885 0 \
4886 -s "16384 bytes written in 1 fragments" \
4887 -c "Read from server: 16384 bytes read"
4888
Andrzej Kurek557335e2018-06-28 04:03:10 -04004889run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
4890 "$P_SRV response_size=16384" \
4891 "$P_CLI force_version=tls1_2 \
4892 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4893 0 \
4894 -c "Read from server: 16384 bytes read"
4895
4896requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4897run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
4898 "$P_SRV response_size=16384" \
4899 "$P_CLI force_version=tls1_2 \
4900 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4901 trunc_hmac=1" \
4902 0 \
4903 -c "Read from server: 16384 bytes read"
4904
Andrzej Kurekd731a632018-06-19 09:37:30 -04004905run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
4906 "$P_SRV response_size=16384 trunc_hmac=1" \
4907 "$P_CLI force_version=tls1_2 \
4908 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4909 0 \
4910 -s "16384 bytes written in 1 fragments" \
4911 -c "Read from server: 16384 bytes read"
4912
Andrzej Kurek557335e2018-06-28 04:03:10 -04004913run_test "Large server packet TLS 1.2 StreamCipher" \
4914 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4915 "$P_CLI force_version=tls1_2 \
4916 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4917 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004918 -s "16384 bytes written in 1 fragments" \
4919 -c "Read from server: 16384 bytes read"
4920
4921run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
4922 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4923 "$P_CLI force_version=tls1_2 \
4924 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4925 0 \
4926 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004927 -c "Read from server: 16384 bytes read"
4928
4929requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4930run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
4931 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4932 "$P_CLI force_version=tls1_2 \
4933 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4934 trunc_hmac=1" \
4935 0 \
4936 -c "Read from server: 16384 bytes read"
4937
Andrzej Kurekd731a632018-06-19 09:37:30 -04004938requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4939run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4940 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4941 "$P_CLI force_version=tls1_2 \
4942 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4943 0 \
4944 -s "16384 bytes written in 1 fragments" \
4945 -c "Read from server: 16384 bytes read"
4946
Andrzej Kurek557335e2018-06-28 04:03:10 -04004947run_test "Large server packet TLS 1.2 AEAD" \
4948 "$P_SRV response_size=16384" \
4949 "$P_CLI force_version=tls1_2 \
4950 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4951 0 \
4952 -c "Read from server: 16384 bytes read"
4953
4954run_test "Large server packet TLS 1.2 AEAD shorter tag" \
4955 "$P_SRV response_size=16384" \
4956 "$P_CLI force_version=tls1_2 \
4957 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4958 0 \
4959 -c "Read from server: 16384 bytes read"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004961# Tests for DTLS HelloVerifyRequest
4962
4963run_test "DTLS cookie: enabled" \
4964 "$P_SRV dtls=1 debug_level=2" \
4965 "$P_CLI dtls=1 debug_level=2" \
4966 0 \
4967 -s "cookie verification failed" \
4968 -s "cookie verification passed" \
4969 -S "cookie verification skipped" \
4970 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004971 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004972 -S "SSL - The requested feature is not available"
4973
4974run_test "DTLS cookie: disabled" \
4975 "$P_SRV dtls=1 debug_level=2 cookies=0" \
4976 "$P_CLI dtls=1 debug_level=2" \
4977 0 \
4978 -S "cookie verification failed" \
4979 -S "cookie verification passed" \
4980 -s "cookie verification skipped" \
4981 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004982 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004983 -S "SSL - The requested feature is not available"
4984
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004985run_test "DTLS cookie: default (failing)" \
4986 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4987 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4988 1 \
4989 -s "cookie verification failed" \
4990 -S "cookie verification passed" \
4991 -S "cookie verification skipped" \
4992 -C "received hello verify request" \
4993 -S "hello verification requested" \
4994 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004995
4996requires_ipv6
4997run_test "DTLS cookie: enabled, IPv6" \
4998 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4999 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
5000 0 \
5001 -s "cookie verification failed" \
5002 -s "cookie verification passed" \
5003 -S "cookie verification skipped" \
5004 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02005005 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02005006 -S "SSL - The requested feature is not available"
5007
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02005008run_test "DTLS cookie: enabled, nbio" \
5009 "$P_SRV dtls=1 nbio=2 debug_level=2" \
5010 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5011 0 \
5012 -s "cookie verification failed" \
5013 -s "cookie verification passed" \
5014 -S "cookie verification skipped" \
5015 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02005016 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02005017 -S "SSL - The requested feature is not available"
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005019# Tests for client reconnecting from the same port with DTLS
5020
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005021not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005022run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005023 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
5024 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005025 0 \
5026 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005027 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005028 -S "Client initiated reconnection from same port"
5029
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005030not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005031run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005032 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
5033 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005034 0 \
5035 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005036 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005037 -s "Client initiated reconnection from same port"
5038
Paul Bakker362689d2016-05-13 10:33:25 +01005039not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
5040run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005041 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
5042 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005043 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005044 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005045 -s "Client initiated reconnection from same port"
5046
Paul Bakker362689d2016-05-13 10:33:25 +01005047only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
5048run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
5049 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
5050 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
5051 0 \
5052 -S "The operation timed out" \
5053 -s "Client initiated reconnection from same port"
5054
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005055run_test "DTLS client reconnect from same port: no cookies" \
5056 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +02005057 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
5058 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005059 -s "The operation timed out" \
5060 -S "Client initiated reconnection from same port"
5061
Manuel Pégourié-Gonnarda58b0462020-03-13 11:11:02 +01005062run_test "DTLS client reconnect from same port: attacker-injected" \
5063 -p "$P_PXY inject_clihlo=1" \
5064 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
5065 "$P_CLI dtls=1 exchanges=2" \
5066 0 \
5067 -s "possible client reconnect from the same port" \
5068 -S "Client initiated reconnection from same port"
# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)
#
# The server's auth_mode is varied and the client is run with or without a
# certificate (crt_file=none key_file=none). -s/-c patterns must appear in the
# server/client output.

run_test    "DTLS client auth: required" \
            "$P_SRV dtls=1 auth_mode=required" \
            "$P_CLI dtls=1" \
            0 \
            -s "Verifying peer X.509 certificate... ok"

# auth_mode=optional: the handshake succeeds without a client certificate, but
# the server must report that the certificate was missing.
run_test    "DTLS client auth: optional, client has no cert" \
            "$P_SRV dtls=1 auth_mode=optional" \
            "$P_CLI dtls=1 crt_file=none key_file=none" \
            0 \
            -s "! Certificate was missing"

# auth_mode=none: the client skips writing its certificate and the server
# reports that verification was skipped.
# NOTE(review): the trailing "$" in the -c pattern presumably anchors the match
# at end of line (patterns look like they are used as regexes) -- confirm.
run_test    "DTLS client auth: none, client has no cert" \
            "$P_SRV dtls=1 auth_mode=none" \
            "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
            0 \
            -c "skip write certificate$" \
            -s "! Certificate verification was skipped"

# Mismatched pre-shared keys (test-only values that differ in the last digit):
# the handshake must fail (client exit status 1), with a MAC verification
# failure on the server and a fatal alert received by the client.
run_test    "DTLS wrong PSK: badmac alert" \
            "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
            "$P_CLI dtls=1 psk=abc124" \
            1 \
            -s "SSL - Verification of the message MAC failed" \
            -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02005099# Tests for receiving fragmented handshake messages with DTLS
5100
5101requires_gnutls
5102run_test "DTLS reassembly: no fragmentation (gnutls server)" \
5103 "$G_SRV -u --mtu 2048 -a" \
5104 "$P_CLI dtls=1 debug_level=2" \
5105 0 \
5106 -C "found fragmented DTLS handshake message" \
5107 -C "error"
5108
5109requires_gnutls
5110run_test "DTLS reassembly: some fragmentation (gnutls server)" \
5111 "$G_SRV -u --mtu 512" \
5112 "$P_CLI dtls=1 debug_level=2" \
5113 0 \
5114 -c "found fragmented DTLS handshake message" \
5115 -C "error"
5116
5117requires_gnutls
5118run_test "DTLS reassembly: more fragmentation (gnutls server)" \
5119 "$G_SRV -u --mtu 128" \
5120 "$P_CLI dtls=1 debug_level=2" \
5121 0 \
5122 -c "found fragmented DTLS handshake message" \
5123 -C "error"
5124
5125requires_gnutls
5126run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
5127 "$G_SRV -u --mtu 128" \
5128 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5129 0 \
5130 -c "found fragmented DTLS handshake message" \
5131 -C "error"
5132
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005133requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01005134requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005135run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
5136 "$G_SRV -u --mtu 256" \
5137 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
5138 0 \
5139 -c "found fragmented DTLS handshake message" \
5140 -c "client hello, adding renegotiation extension" \
5141 -c "found renegotiation extension" \
5142 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005143 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005144 -C "error" \
5145 -s "Extra-header:"
5146
5147requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01005148requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005149run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
5150 "$G_SRV -u --mtu 256" \
5151 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
5152 0 \
5153 -c "found fragmented DTLS handshake message" \
5154 -c "client hello, adding renegotiation extension" \
5155 -c "found renegotiation extension" \
5156 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005157 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005158 -C "error" \
5159 -s "Extra-header:"
5160
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02005161run_test "DTLS reassembly: no fragmentation (openssl server)" \
5162 "$O_SRV -dtls1 -mtu 2048" \
5163 "$P_CLI dtls=1 debug_level=2" \
5164 0 \
5165 -C "found fragmented DTLS handshake message" \
5166 -C "error"
5167
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005168run_test "DTLS reassembly: some fragmentation (openssl server)" \
5169 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02005170 "$P_CLI dtls=1 debug_level=2" \
5171 0 \
5172 -c "found fragmented DTLS handshake message" \
5173 -C "error"
5174
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005175run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02005176 "$O_SRV -dtls1 -mtu 256" \
5177 "$P_CLI dtls=1 debug_level=2" \
5178 0 \
5179 -c "found fragmented DTLS handshake message" \
5180 -C "error"
5181
5182run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
5183 "$O_SRV -dtls1 -mtu 256" \
5184 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5185 0 \
5186 -c "found fragmented DTLS handshake message" \
5187 -C "error"
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02005189# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02005190
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005191not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005192run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02005193 -p "$P_PXY" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005194 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5195 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005196 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005197 -C "replayed record" \
5198 -S "replayed record" \
5199 -C "record from another epoch" \
5200 -S "record from another epoch" \
5201 -C "discarding invalid record" \
5202 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005203 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005204 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005205 -c "HTTP/1.0 200 OK"
5206
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005207not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02005208run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005209 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005210 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5211 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005212 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02005213 -c "replayed record" \
5214 -s "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +01005215 -c "record from another epoch" \
5216 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005217 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005218 -s "Extra-header:" \
5219 -c "HTTP/1.0 200 OK"
5220
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005221run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
5222 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005223 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
5224 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005225 0 \
5226 -c "replayed record" \
5227 -S "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +01005228 -c "record from another epoch" \
5229 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005230 -c "resend" \
5231 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005232 -s "Extra-header:" \
5233 -c "HTTP/1.0 200 OK"
5234
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005235run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005236 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005237 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005238 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005239 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005240 -c "discarding invalid record (mac)" \
5241 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005242 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005243 -c "HTTP/1.0 200 OK" \
5244 -S "too many records with bad MAC" \
5245 -S "Verification of the message MAC failed"
5246
5247run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
5248 -p "$P_PXY bad_ad=1" \
5249 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
5250 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5251 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005252 -C "discarding invalid record (mac)" \
5253 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005254 -S "Extra-header:" \
5255 -C "HTTP/1.0 200 OK" \
5256 -s "too many records with bad MAC" \
5257 -s "Verification of the message MAC failed"
5258
5259run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
5260 -p "$P_PXY bad_ad=1" \
5261 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
5262 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5263 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005264 -c "discarding invalid record (mac)" \
5265 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005266 -s "Extra-header:" \
5267 -c "HTTP/1.0 200 OK" \
5268 -S "too many records with bad MAC" \
5269 -S "Verification of the message MAC failed"
5270
5271run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
5272 -p "$P_PXY bad_ad=1" \
5273 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
5274 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
5275 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005276 -c "discarding invalid record (mac)" \
5277 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005278 -s "Extra-header:" \
5279 -c "HTTP/1.0 200 OK" \
5280 -s "too many records with bad MAC" \
5281 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005282
5283run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005284 -p "$P_PXY delay_ccs=1" \
5285 "$P_SRV dtls=1 debug_level=1" \
5286 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005287 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005288 -c "record from another epoch" \
5289 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005290 -s "Extra-header:" \
5291 -c "HTTP/1.0 200 OK"
5292
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02005293# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005294
Janos Follath74537a62016-09-02 13:45:28 +01005295client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005296run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005297 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005298 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005299 psk=abc123" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005300 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005301 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5302 0 \
5303 -s "Extra-header:" \
5304 -c "HTTP/1.0 200 OK"
5305
Janos Follath74537a62016-09-02 13:45:28 +01005306client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005307run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
5308 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005309 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5310 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005311 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5312 0 \
5313 -s "Extra-header:" \
5314 -c "HTTP/1.0 200 OK"
5315
Janos Follath74537a62016-09-02 13:45:28 +01005316client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005317run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
5318 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005319 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5320 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005321 0 \
5322 -s "Extra-header:" \
5323 -c "HTTP/1.0 200 OK"
5324
Janos Follath74537a62016-09-02 13:45:28 +01005325client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005326run_test "DTLS proxy: 3d, FS, client auth" \
5327 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005328 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=required" \
5329 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005330 0 \
5331 -s "Extra-header:" \
5332 -c "HTTP/1.0 200 OK"
5333
Janos Follath74537a62016-09-02 13:45:28 +01005334client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005335run_test "DTLS proxy: 3d, FS, ticket" \
5336 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005337 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=none" \
5338 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005339 0 \
5340 -s "Extra-header:" \
5341 -c "HTTP/1.0 200 OK"
5342
Janos Follath74537a62016-09-02 13:45:28 +01005343client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005344run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
5345 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005346 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=required" \
5347 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005348 0 \
5349 -s "Extra-header:" \
5350 -c "HTTP/1.0 200 OK"
5351
Janos Follath74537a62016-09-02 13:45:28 +01005352client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005353run_test "DTLS proxy: 3d, max handshake, nbio" \
5354 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005355 "$P_SRV dtls=1 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005356 auth_mode=required" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005357 "$P_CLI dtls=1 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005358 0 \
5359 -s "Extra-header:" \
5360 -c "HTTP/1.0 200 OK"
5361
Janos Follath74537a62016-09-02 13:45:28 +01005362client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005363run_test "DTLS proxy: 3d, min handshake, resumption" \
5364 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005365 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005366 psk=abc123 debug_level=3" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005367 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01005368 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005369 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5370 0 \
5371 -s "a session has been resumed" \
5372 -c "a session has been resumed" \
5373 -s "Extra-header:" \
5374 -c "HTTP/1.0 200 OK"
5375
Janos Follath74537a62016-09-02 13:45:28 +01005376client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005377run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
5378 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005379 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005380 psk=abc123 debug_level=3 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005381 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01005382 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005383 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
5384 0 \
5385 -s "a session has been resumed" \
5386 -c "a session has been resumed" \
5387 -s "Extra-header:" \
5388 -c "HTTP/1.0 200 OK"
5389
Janos Follath74537a62016-09-02 13:45:28 +01005390client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005391requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005392run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02005393 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005394 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005395 psk=abc123 renegotiation=1 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005396 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005397 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02005398 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5399 0 \
5400 -c "=> renegotiate" \
5401 -s "=> renegotiate" \
5402 -s "Extra-header:" \
5403 -c "HTTP/1.0 200 OK"
5404
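# Client-initiated renegotiation over the lossy proxy, non-blocking variant.
# Guarded by requires_config_enabled MBEDTLS_SSL_RENEGOTIATION. Both logs must
# contain "=> renegotiate" and the data exchange must complete with client
# exit status 0.
# nbio=2 is passed to both peers, as in the other ", nbio" tests of this
# section; without it this test only repeated the blocking variant and the
# non-blocking renegotiation path was not covered.
client_needs_more_time 4
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test    "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
            -p "$P_PXY drop=5 delay=5 duplicate=5" \
            "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
             psk=abc123 renegotiation=1 debug_level=2 nbio=2" \
            "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
             renegotiate=1 debug_level=2 nbio=2 \
             force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
            0 \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "Extra-header:" \
            -c "HTTP/1.0 200 OK"
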
Janos Follath74537a62016-09-02 13:45:28 +01005420client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005421requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005422run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005423 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005424 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005425 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005426 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005427 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005428 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005429 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5430 0 \
5431 -c "=> renegotiate" \
5432 -s "=> renegotiate" \
5433 -s "Extra-header:" \
5434 -c "HTTP/1.0 200 OK"
5435
Janos Follath74537a62016-09-02 13:45:28 +01005436client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005437requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005438run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005439 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005440 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005441 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005442 debug_level=2 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005443 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005444 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005445 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5446 0 \
5447 -c "=> renegotiate" \
5448 -s "=> renegotiate" \
5449 -s "Extra-header:" \
5450 -c "HTTP/1.0 200 OK"
5451
Janos Follath74537a62016-09-02 13:45:28 +01005452client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005453not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005454run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005455 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5456 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005457 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005458 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005459 -c "HTTP/1.0 200 OK"
5460
Janos Follath74537a62016-09-02 13:45:28 +01005461client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005462not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005463run_test "DTLS proxy: 3d, openssl server, fragmentation" \
5464 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5465 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005466 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005467 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005468 -c "HTTP/1.0 200 OK"
5469
Janos Follath74537a62016-09-02 13:45:28 +01005470client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005471not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005472run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
5473 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5474 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005475 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005476 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005477 -c "HTTP/1.0 200 OK"
5478
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005479requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005480client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005481not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005482run_test "DTLS proxy: 3d, gnutls server" \
5483 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5484 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005485 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005486 0 \
5487 -s "Extra-header:" \
5488 -c "Extra-header:"
5489
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005490requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005491client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005492not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005493run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
5494 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5495 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005496 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005497 0 \
5498 -s "Extra-header:" \
5499 -c "Extra-header:"
5500
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005501requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005502client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005503not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005504run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
5505 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5506 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005507 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005508 0 \
5509 -s "Extra-header:" \
5510 -c "Extra-header:"
5511
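# Final report
#
# Prints PASSED/FAILED with the pass, total and skip counts, then exits with
# the number of failed tests so callers (make, CI) see a non-zero status on
# any failure. Reads FAILS, TESTS and SKIPS, which are maintained by the test
# runner earlier in this script.

echo "------------------------------------------------------------------------"

if [ "$FAILS" = 0 ]; then
    printf "PASSED"
else
    printf "FAILED"
fi
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"

# An exit status keeps only its low 8 bits, so a failure count that is a
# multiple of 256 would reach the caller as 0, i.e. as success. Saturate at
# 255 so that any failure stays visible.
if [ "$FAILS" -gt 255 ]; then
    FAILS=255
fi

exit "$FAILS"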