TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 06b786372ccb5e78cc72ac3640e24fc3e9a44c06 / . / tests / ssl-opt.sh
blob: d7e0b8c013b95335d4de8f7b86360d81f4f927ae [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]24# default values, can be overriden by the environment
25: ${P_SRV:=../programs/ssl/ssl_server2}
26: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]27: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]28: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]29: ${GNUTLS_CLI:=gnutls-cli}
30: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]31: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]33O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]34O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]35G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]36G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]37TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]38
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]39TESTS=0
40FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]41SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]44
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]45MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]46FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]47EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]49SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]50RUN_TEST_NUMBER=''
51
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]52PRESERVE_LOGS=0
53
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]54# Pick a "unique" server port in the range 10000-19999, and a proxy
55# port which is this plus 10000. Each port number may be independently
56# overridden by a command line option.
57SRV_PORT=$(($$ % 10000 + 10000))
58PXY_PORT=$((SRV_PORT + 10000))
59
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]60print_usage() {
61 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]62 printf " -h|--help\tPrint this help.\n"
63 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]64 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
65 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]66 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]67 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]68 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]69 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
70 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]71 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72}
73
74get_options() {
75 while [ $# -gt 0 ]; do
76 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]77 -f|--filter)
78 shift; FILTER=$1
79 ;;
80 -e|--exclude)
81 shift; EXCLUDE=$1
82 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]83 -m|--memcheck)
84 MEMCHECK=1
85 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]86 -n|--number)
87 shift; RUN_TEST_NUMBER=$1
88 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]89 -s|--show-numbers)
90 SHOW_TEST_NUMBER=1
91 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]92 -p|--preserve-logs)
93 PRESERVE_LOGS=1
94 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]95 --port)
96 shift; SRV_PORT=$1
97 ;;
98 --proxy-port)
99 shift; PXY_PORT=$1
100 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]101 --seed)
102 shift; SEED="$1"
103 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104 -h|--help)
105 print_usage
106 exit 0
107 ;;
108 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]109 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 print_usage
111 exit 1
112 ;;
113 esac
114 shift
115 done
116}
117
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]118# skip next test if the flag is not enabled in config.h
119requires_config_enabled() {
120 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
121 SKIP_NEXT="YES"
122 fi
123}
124
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]125# skip next test if the flag is enabled in config.h
126requires_config_disabled() {
127 if grep "^#define $1" $CONFIG_H > /dev/null; then
128 SKIP_NEXT="YES"
129 fi
130}
131
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]132# skip next test if OpenSSL doesn't support FALLBACK_SCSV
133requires_openssl_with_fallback_scsv() {
134 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
135 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
136 then
137 OPENSSL_HAS_FBSCSV="YES"
138 else
139 OPENSSL_HAS_FBSCSV="NO"
140 fi
141 fi
142 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
143 SKIP_NEXT="YES"
144 fi
145}
146
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]147# skip next test if GnuTLS isn't available
148requires_gnutls() {
149 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]150 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]151 GNUTLS_AVAILABLE="YES"
152 else
153 GNUTLS_AVAILABLE="NO"
154 fi
155 fi
156 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]161# skip next test if IPv6 isn't available on this host
162requires_ipv6() {
163 if [ -z "${HAS_IPV6:-}" ]; then
164 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
165 SRV_PID=$!
166 sleep 1
167 kill $SRV_PID >/dev/null 2>&1
168 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
169 HAS_IPV6="NO"
170 else
171 HAS_IPV6="YES"
172 fi
173 rm -r $SRV_OUT
174 fi
175
176 if [ "$HAS_IPV6" = "NO" ]; then
177 SKIP_NEXT="YES"
178 fi
179}
180
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]181# skip the next test if valgrind is in use
182not_with_valgrind() {
183 if [ "$MEMCHECK" -gt 0 ]; then
184 SKIP_NEXT="YES"
185 fi
186}
187
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]188# skip the next test if valgrind is NOT in use
189only_with_valgrind() {
190 if [ "$MEMCHECK" -eq 0 ]; then
191 SKIP_NEXT="YES"
192 fi
193}
194
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]195# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]196client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]197 CLI_DELAY_FACTOR=$1
198}
199
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]200# wait for the given seconds after the client finished in the next test
201server_needs_more_time() {
202 SRV_DELAY_SECONDS=$1
203}
204
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]205# print_name <name>
206print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]207 TESTS=$(( $TESTS + 1 ))
208 LINE=""
209
210 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
211 LINE="$TESTS "
212 fi
213
214 LINE="$LINE$1"
215 printf "$LINE "
216 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]217 for i in `seq 1 $LEN`; do printf '.'; done
218 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]219
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]220}
221
222# fail <message>
223fail() {
224 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]225 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]226
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]227 mv $SRV_OUT o-srv-${TESTS}.log
228 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]229 if [ -n "$PXY_CMD" ]; then
230 mv $PXY_OUT o-pxy-${TESTS}.log
231 fi
232 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]233
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]234 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
235 echo " ! server output:"
236 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]237 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]238 echo " ! client output:"
239 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]240 if [ -n "$PXY_CMD" ]; then
241 echo " ! ========================================================"
242 echo " ! proxy output:"
243 cat o-pxy-${TESTS}.log
244 fi
245 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]246 fi
247
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]248 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]249}
250
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]251# is_polar <cmd_line>
252is_polar() {
253 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
254}
255
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]256# openssl s_server doesn't have -www with DTLS
257check_osrv_dtls() {
258 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
259 NEEDS_INPUT=1
260 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
261 else
262 NEEDS_INPUT=0
263 fi
264}
265
266# provide input to commands that need it
267provide_input() {
268 if [ $NEEDS_INPUT -eq 0 ]; then
269 return
270 fi
271
272 while true; do
273 echo "HTTP/1.0 200 OK"
274 sleep 1
275 done
276}
277
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]278# has_mem_err <log_file_name>
279has_mem_err() {
280 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
281 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
282 then
283 return 1 # false: does not have errors
284 else
285 return 0 # true: has errors
286 fi
287}
288
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]289# wait for server to start: two versions depending on lsof availability
290wait_server_start() {
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]291 if which lsof >/dev/null 2>&1; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]292 START_TIME=$( date +%s )
293 DONE=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]294
295 # make a tight loop, server usually takes less than 1 sec to start
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]296 if [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]297 while [ $DONE -eq 0 ]; do
298 if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null
299 then
300 DONE=1
301 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
302 echo "SERVERSTART TIMEOUT"
303 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
304 DONE=1
305 fi
306 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]307 else
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]308 while [ $DONE -eq 0 ]; do
309 if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null
310 then
311 DONE=1
312 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
313 echo "SERVERSTART TIMEOUT"
314 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
315 DONE=1
316 fi
317 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]318 fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]319 else
320 sleep "$START_DELAY"
321 fi
322}
323
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]324# wait for client to terminate and set CLI_EXIT
325# must be called right after starting the client
326wait_client_done() {
327 CLI_PID=$!
328
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]329 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
330 CLI_DELAY_FACTOR=1
331
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]332 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]333 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]334
335 wait $CLI_PID
336 CLI_EXIT=$?
337
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]338 kill $DOG_PID >/dev/null 2>&1
339 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]340
341 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]342
343 sleep $SRV_DELAY_SECONDS
344 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]345}
346
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]347# check if the given command uses dtls and sets global variable DTLS
348detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]349 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]350 DTLS=1
351 else
352 DTLS=0
353 fi
354}
355
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]356# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]357# Options: -s pattern pattern that must be present in server output
358# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]359# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]360# -S pattern pattern that must be absent in server output
361# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]362# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]363run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]364 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]365 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]366
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]367 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
368 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]369 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]370 return
371 fi
372
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]373 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]374
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]375 # Do we only run numbered tests?
376 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
377 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
378 else
379 SKIP_NEXT="YES"
380 fi
381
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]382 # should we skip?
383 if [ "X$SKIP_NEXT" = "XYES" ]; then
384 SKIP_NEXT="NO"
385 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]386 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]387 return
388 fi
389
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]390 # does this test use a proxy?
391 if [ "X$1" = "X-p" ]; then
392 PXY_CMD="$2"
393 shift 2
394 else
395 PXY_CMD=""
396 fi
397
398 # get commands and client output
399 SRV_CMD="$1"
400 CLI_CMD="$2"
401 CLI_EXPECT="$3"
402 shift 3
403
404 # fix client port
405 if [ -n "$PXY_CMD" ]; then
406 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
407 else
408 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
409 fi
410
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]411 # update DTLS variable
412 detect_dtls "$SRV_CMD"
413
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]414 # prepend valgrind to our commands if active
415 if [ "$MEMCHECK" -gt 0 ]; then
416 if is_polar "$SRV_CMD"; then
417 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
418 fi
419 if is_polar "$CLI_CMD"; then
420 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
421 fi
422 fi
423
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]424 TIMES_LEFT=2
425 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]426 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]427
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]428 # run the commands
429 if [ -n "$PXY_CMD" ]; then
430 echo "$PXY_CMD" > $PXY_OUT
431 $PXY_CMD >> $PXY_OUT 2>&1 &
432 PXY_PID=$!
433 # assume proxy starts faster than server
434 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]435
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]436 check_osrv_dtls
437 echo "$SRV_CMD" > $SRV_OUT
438 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
439 SRV_PID=$!
440 wait_server_start
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]441
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]442 echo "$CLI_CMD" > $CLI_OUT
443 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
444 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]445
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]446 # terminate the server (and the proxy)
447 kill $SRV_PID
448 wait $SRV_PID
449 if [ -n "$PXY_CMD" ]; then
450 kill $PXY_PID >/dev/null 2>&1
451 wait $PXY_PID
452 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]453
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]454 # retry only on timeouts
455 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
456 printf "RETRY "
457 else
458 TIMES_LEFT=0
459 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]460 done
461
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]462 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]463 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]464 # expected client exit to incorrectly succeed in case of catastrophic
465 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]466 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]467 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]468 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]469 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]470 return
471 fi
472 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]473 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]474 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]475 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]476 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]477 return
478 fi
479 fi
480
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]481 # check server exit code
482 if [ $? != 0 ]; then
483 fail "server fail"
484 return
485 fi
486
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]487 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]488 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
489 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]490 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]491 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]492 return
493 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]494
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]495 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]496 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]497 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]498 while [ $# -gt 0 ]
499 do
500 case $1 in
501 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]502 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]503 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]504 return
505 fi
506 ;;
507
508 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]509 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]510 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]511 return
512 fi
513 ;;
514
515 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]516 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]517 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]518 return
519 fi
520 ;;
521
522 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]523 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]524 fail "pattern '$2' MUST NOT be present in the Client output"
525 return
526 fi
527 ;;
528
529 # The filtering in the following two options (-u and -U) do the following
530 # - ignore valgrind output
531 # - filter out everything but lines right after the pattern occurances
532 # - keep one of each non-unique line
533 # - count how many lines remain
534 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
535 # if there were no duplicates.
536 "-U")
537 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
538 fail "lines following pattern '$2' must be unique in Server output"
539 return
540 fi
541 ;;
542
543 "-u")
544 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
545 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]546 return
547 fi
548 ;;
549
550 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]551 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]552 exit 1
553 esac
554 shift 2
555 done
556
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]557 # check valgrind's results
558 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]559 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]560 fail "Server has memory errors"
561 return
562 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]563 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]564 fail "Client has memory errors"
565 return
566 fi
567 fi
568
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]569 # if we're here, everything is ok
570 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]571 if [ "$PRESERVE_LOGS" -gt 0 ]; then
572 mv $SRV_OUT o-srv-${TESTS}.log
573 mv $CLI_OUT o-cli-${TESTS}.log
574 fi
575
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]576 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]577}
578
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]579cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]580 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]581 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
582 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
583 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
584 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]585 exit 1
586}
587
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]588#
589# MAIN
590#
591
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]592if cd $( dirname $0 ); then :; else
593 echo "cd $( dirname $0 ) failed" >&2
594 exit 1
595fi
596
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]597get_options "$@"
598
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]599# sanity checks, avoid an avalanche of errors
600if [ ! -x "$P_SRV" ]; then
601 echo "Command '$P_SRV' is not an executable file"
602 exit 1
603fi
604if [ ! -x "$P_CLI" ]; then
605 echo "Command '$P_CLI' is not an executable file"
606 exit 1
607fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]608if [ ! -x "$P_PXY" ]; then
609 echo "Command '$P_PXY' is not an executable file"
610 exit 1
611fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]612if [ "$MEMCHECK" -gt 0 ]; then
613 if which valgrind >/dev/null 2>&1; then :; else
614 echo "Memcheck not possible. Valgrind not found"
615 exit 1
616 fi
617fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]618if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
619 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]620 exit 1
621fi
622
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]623# used by watchdog
624MAIN_PID="$$"
625
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]626# be more patient with valgrind
627if [ "$MEMCHECK" -gt 0 ]; then
628 START_DELAY=3
629 DOG_DELAY=30
630else
631 START_DELAY=1
632 DOG_DELAY=10
633fi
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]634CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]635SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]636
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]637# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]638# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]639P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
640P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]641P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]642O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]643O_CLI="$O_CLI -connect localhost:+SRV_PORT"
644G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]645G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]646
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]647# Allow SHA-1, because many of our test certificates use it
648P_SRV="$P_SRV allow_sha1=1"
649P_CLI="$P_CLI allow_sha1=1"
650
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]651# Also pick a unique name for intermediate files
652SRV_OUT="srv_out.$$"
653CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]654PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]655SESSION="session.$$"
656
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]657SKIP_NEXT="NO"
658
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]659trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]660
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]661# Basic test
662
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]663# Checks that:
664# - things work with all ciphersuites active (used with config-full in all.sh)
665# - the expected (highest security) parameters are selected
666# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]667run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]668 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]669 "$P_CLI" \
670 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]671 -s "Protocol is TLSv1.2" \
672 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
673 -s "client hello v3, signature_algorithm ext: 6" \
674 -s "ECDHE curve: secp521r1" \
675 -S "error" \
676 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]677
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]678run_test "Default, DTLS" \
679 "$P_SRV dtls=1" \
680 "$P_CLI dtls=1" \
681 0 \
682 -s "Protocol is DTLSv1.2" \
683 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
684
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]685# Test for uniqueness of IVs in AEAD ciphersuites
686run_test "Unique IV in GCM" \
687 "$P_SRV exchanges=20 debug_level=4" \
688 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
689 0 \
690 -u "IV used" \
691 -U "IV used"
692
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]693# Tests for rc4 option
694
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]695requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]696run_test "RC4: server disabled, client enabled" \
697 "$P_SRV" \
698 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
699 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]700 -s "SSL - The server has no ciphersuites in common"
701
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]702requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]703run_test "RC4: server half, client enabled" \
704 "$P_SRV arc4=1" \
705 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
706 1 \
707 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]708
709run_test "RC4: server enabled, client disabled" \
710 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
711 "$P_CLI" \
712 1 \
713 -s "SSL - The server has no ciphersuites in common"
714
715run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]716 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]717 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
718 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]719 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]720 -S "SSL - The server has no ciphersuites in common"
721
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]722# Tests for SHA-1 support
723
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]724requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]725run_test "SHA-1 forbidden by default in server certificate" \
726 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
727 "$P_CLI debug_level=2 allow_sha1=0" \
728 1 \
729 -c "The certificate is signed with an unacceptable hash"
730
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]731requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
732run_test "SHA-1 forbidden by default in server certificate" \
733 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
734 "$P_CLI debug_level=2 allow_sha1=0" \
735 0
736
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]737run_test "SHA-1 explicitly allowed in server certificate" \
738 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
739 "$P_CLI allow_sha1=1" \
740 0
741
742run_test "SHA-256 allowed by default in server certificate" \
743 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
744 "$P_CLI allow_sha1=0" \
745 0
746
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]747requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]748run_test "SHA-1 forbidden by default in client certificate" \
749 "$P_SRV auth_mode=required allow_sha1=0" \
750 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
751 1 \
752 -s "The certificate is signed with an unacceptable hash"
753
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]754requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
755run_test "SHA-1 forbidden by default in client certificate" \
756 "$P_SRV auth_mode=required allow_sha1=0" \
757 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
758 0
759
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]760run_test "SHA-1 explicitly allowed in client certificate" \
761 "$P_SRV auth_mode=required allow_sha1=1" \
762 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
763 0
764
765run_test "SHA-256 allowed by default in client certificate" \
766 "$P_SRV auth_mode=required allow_sha1=0" \
767 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
768 0
769
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]770# Tests for Truncated HMAC extension
771
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]772run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]773 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]774 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]775 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]776 -s "dumping 'computed mac' (20 bytes)" \
777 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]778
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]779run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]780 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]781 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
782 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]783 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]784 -s "dumping 'computed mac' (20 bytes)" \
785 -S "dumping 'computed mac' (10 bytes)"
786
787run_test "Truncated HMAC: client enabled, server default" \
788 "$P_SRV debug_level=4" \
789 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
790 trunc_hmac=1" \
791 0 \
Manuel Pégourié-Gonnard662c6e82015-05-06 17:39:23 +0100[diff] [blame]792 -s "dumping 'computed mac' (20 bytes)" \
793 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]794
795run_test "Truncated HMAC: client enabled, server disabled" \
796 "$P_SRV debug_level=4 trunc_hmac=0" \
797 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
798 trunc_hmac=1" \
799 0 \
800 -s "dumping 'computed mac' (20 bytes)" \
801 -S "dumping 'computed mac' (10 bytes)"
802
803run_test "Truncated HMAC: client enabled, server enabled" \
804 "$P_SRV debug_level=4 trunc_hmac=1" \
805 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
806 trunc_hmac=1" \
807 0 \
808 -S "dumping 'computed mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]809 -s "dumping 'computed mac' (10 bytes)"
810
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]811# Tests for Encrypt-then-MAC extension
812
813run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]814 "$P_SRV debug_level=3 \
815 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]816 "$P_CLI debug_level=3" \
817 0 \
818 -c "client hello, adding encrypt_then_mac extension" \
819 -s "found encrypt then mac extension" \
820 -s "server hello, adding encrypt then mac extension" \
821 -c "found encrypt_then_mac extension" \
822 -c "using encrypt then mac" \
823 -s "using encrypt then mac"
824
825run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]826 "$P_SRV debug_level=3 etm=0 \
827 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]828 "$P_CLI debug_level=3 etm=1" \
829 0 \
830 -c "client hello, adding encrypt_then_mac extension" \
831 -s "found encrypt then mac extension" \
832 -S "server hello, adding encrypt then mac extension" \
833 -C "found encrypt_then_mac extension" \
834 -C "using encrypt then mac" \
835 -S "using encrypt then mac"
836
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]837run_test "Encrypt then MAC: client enabled, aead cipher" \
838 "$P_SRV debug_level=3 etm=1 \
839 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
840 "$P_CLI debug_level=3 etm=1" \
841 0 \
842 -c "client hello, adding encrypt_then_mac extension" \
843 -s "found encrypt then mac extension" \
844 -S "server hello, adding encrypt then mac extension" \
845 -C "found encrypt_then_mac extension" \
846 -C "using encrypt then mac" \
847 -S "using encrypt then mac"
848
849run_test "Encrypt then MAC: client enabled, stream cipher" \
850 "$P_SRV debug_level=3 etm=1 \
851 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]852 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]853 0 \
854 -c "client hello, adding encrypt_then_mac extension" \
855 -s "found encrypt then mac extension" \
856 -S "server hello, adding encrypt then mac extension" \
857 -C "found encrypt_then_mac extension" \
858 -C "using encrypt then mac" \
859 -S "using encrypt then mac"
860
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]861run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]862 "$P_SRV debug_level=3 etm=1 \
863 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]864 "$P_CLI debug_level=3 etm=0" \
865 0 \
866 -C "client hello, adding encrypt_then_mac extension" \
867 -S "found encrypt then mac extension" \
868 -S "server hello, adding encrypt then mac extension" \
869 -C "found encrypt_then_mac extension" \
870 -C "using encrypt then mac" \
871 -S "using encrypt then mac"
872
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]873requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]874run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]875 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]876 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]877 "$P_CLI debug_level=3 force_version=ssl3" \
878 0 \
879 -C "client hello, adding encrypt_then_mac extension" \
880 -S "found encrypt then mac extension" \
881 -S "server hello, adding encrypt then mac extension" \
882 -C "found encrypt_then_mac extension" \
883 -C "using encrypt then mac" \
884 -S "using encrypt then mac"
885
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]886requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]887run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]888 "$P_SRV debug_level=3 force_version=ssl3 \
889 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]890 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]891 0 \
892 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]893 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]894 -S "server hello, adding encrypt then mac extension" \
895 -C "found encrypt_then_mac extension" \
896 -C "using encrypt then mac" \
897 -S "using encrypt then mac"
898
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]899# Tests for Extended Master Secret extension
900
901run_test "Extended Master Secret: default" \
902 "$P_SRV debug_level=3" \
903 "$P_CLI debug_level=3" \
904 0 \
905 -c "client hello, adding extended_master_secret extension" \
906 -s "found extended master secret extension" \
907 -s "server hello, adding extended master secret extension" \
908 -c "found extended_master_secret extension" \
909 -c "using extended master secret" \
910 -s "using extended master secret"
911
912run_test "Extended Master Secret: client enabled, server disabled" \
913 "$P_SRV debug_level=3 extended_ms=0" \
914 "$P_CLI debug_level=3 extended_ms=1" \
915 0 \
916 -c "client hello, adding extended_master_secret extension" \
917 -s "found extended master secret extension" \
918 -S "server hello, adding extended master secret extension" \
919 -C "found extended_master_secret extension" \
920 -C "using extended master secret" \
921 -S "using extended master secret"
922
923run_test "Extended Master Secret: client disabled, server enabled" \
924 "$P_SRV debug_level=3 extended_ms=1" \
925 "$P_CLI debug_level=3 extended_ms=0" \
926 0 \
927 -C "client hello, adding extended_master_secret extension" \
928 -S "found extended master secret extension" \
929 -S "server hello, adding extended master secret extension" \
930 -C "found extended_master_secret extension" \
931 -C "using extended master secret" \
932 -S "using extended master secret"
933
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]934requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]935run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]936 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]937 "$P_CLI debug_level=3 force_version=ssl3" \
938 0 \
939 -C "client hello, adding extended_master_secret extension" \
940 -S "found extended master secret extension" \
941 -S "server hello, adding extended master secret extension" \
942 -C "found extended_master_secret extension" \
943 -C "using extended master secret" \
944 -S "using extended master secret"
945
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]946requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]947run_test "Extended Master Secret: client enabled, server SSLv3" \
948 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]949 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]950 0 \
951 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]952 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]953 -S "server hello, adding extended master secret extension" \
954 -C "found extended_master_secret extension" \
955 -C "using extended master secret" \
956 -S "using extended master secret"
957
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]958# Tests for FALLBACK_SCSV
959
960run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]961 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]962 "$P_CLI debug_level=3 force_version=tls1_1" \
963 0 \
964 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]965 -S "received FALLBACK_SCSV" \
966 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]967 -C "is a fatal alert message (msg 86)"
968
969run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]970 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]971 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
972 0 \
973 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]974 -S "received FALLBACK_SCSV" \
975 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]976 -C "is a fatal alert message (msg 86)"
977
978run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]979 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]980 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]981 1 \
982 -c "adding FALLBACK_SCSV" \
983 -s "received FALLBACK_SCSV" \
984 -s "inapropriate fallback" \
985 -c "is a fatal alert message (msg 86)"
986
987run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]988 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]989 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]990 0 \
991 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]992 -s "received FALLBACK_SCSV" \
993 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]994 -C "is a fatal alert message (msg 86)"
995
996requires_openssl_with_fallback_scsv
997run_test "Fallback SCSV: default, openssl server" \
998 "$O_SRV" \
999 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1000 0 \
1001 -C "adding FALLBACK_SCSV" \
1002 -C "is a fatal alert message (msg 86)"
1003
1004requires_openssl_with_fallback_scsv
1005run_test "Fallback SCSV: enabled, openssl server" \
1006 "$O_SRV" \
1007 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1008 1 \
1009 -c "adding FALLBACK_SCSV" \
1010 -c "is a fatal alert message (msg 86)"
1011
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1012requires_openssl_with_fallback_scsv
1013run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1014 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1015 "$O_CLI -tls1_1" \
1016 0 \
1017 -S "received FALLBACK_SCSV" \
1018 -S "inapropriate fallback"
1019
1020requires_openssl_with_fallback_scsv
1021run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1022 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1023 "$O_CLI -tls1_1 -fallback_scsv" \
1024 1 \
1025 -s "received FALLBACK_SCSV" \
1026 -s "inapropriate fallback"
1027
1028requires_openssl_with_fallback_scsv
1029run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1030 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1031 "$O_CLI -fallback_scsv" \
1032 0 \
1033 -s "received FALLBACK_SCSV" \
1034 -S "inapropriate fallback"
1035
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1036## ClientHello generated with
1037## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1038## then manually twiddling the ciphersuite list.
1039## The ClientHello content is spelled out below as a hex string as
1040## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1041## The expected response is an inappropriate_fallback alert.
1042requires_openssl_with_fallback_scsv
1043run_test "Fallback SCSV: beginning of list" \
1044 "$P_SRV debug_level=2" \
1045 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1046 0 \
1047 -s "received FALLBACK_SCSV" \
1048 -s "inapropriate fallback"
1049
1050requires_openssl_with_fallback_scsv
1051run_test "Fallback SCSV: end of list" \
1052 "$P_SRV debug_level=2" \
1053 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1054 0 \
1055 -s "received FALLBACK_SCSV" \
1056 -s "inapropriate fallback"
1057
1058## Here the expected response is a valid ServerHello prefix, up to the random.
1059requires_openssl_with_fallback_scsv
1060run_test "Fallback SCSV: not in list" \
1061 "$P_SRV debug_level=2" \
1062 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1063 0 \
1064 -S "received FALLBACK_SCSV" \
1065 -S "inapropriate fallback"
1066
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1067# Tests for CBC 1/n-1 record splitting
1068
1069run_test "CBC Record splitting: TLS 1.2, no splitting" \
1070 "$P_SRV" \
1071 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1072 request_size=123 force_version=tls1_2" \
1073 0 \
1074 -s "Read from client: 123 bytes read" \
1075 -S "Read from client: 1 bytes read" \
1076 -S "122 bytes read"
1077
1078run_test "CBC Record splitting: TLS 1.1, no splitting" \
1079 "$P_SRV" \
1080 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1081 request_size=123 force_version=tls1_1" \
1082 0 \
1083 -s "Read from client: 123 bytes read" \
1084 -S "Read from client: 1 bytes read" \
1085 -S "122 bytes read"
1086
1087run_test "CBC Record splitting: TLS 1.0, splitting" \
1088 "$P_SRV" \
1089 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1090 request_size=123 force_version=tls1" \
1091 0 \
1092 -S "Read from client: 123 bytes read" \
1093 -s "Read from client: 1 bytes read" \
1094 -s "122 bytes read"
1095
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1096requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1097run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1098 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1099 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1100 request_size=123 force_version=ssl3" \
1101 0 \
1102 -S "Read from client: 123 bytes read" \
1103 -s "Read from client: 1 bytes read" \
1104 -s "122 bytes read"
1105
1106run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1107 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1108 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1109 request_size=123 force_version=tls1" \
1110 0 \
1111 -s "Read from client: 123 bytes read" \
1112 -S "Read from client: 1 bytes read" \
1113 -S "122 bytes read"
1114
1115run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1116 "$P_SRV" \
1117 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1118 request_size=123 force_version=tls1 recsplit=0" \
1119 0 \
1120 -s "Read from client: 123 bytes read" \
1121 -S "Read from client: 1 bytes read" \
1122 -S "122 bytes read"
1123
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1124run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1125 "$P_SRV nbio=2" \
1126 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1127 request_size=123 force_version=tls1" \
1128 0 \
1129 -S "Read from client: 123 bytes read" \
1130 -s "Read from client: 1 bytes read" \
1131 -s "122 bytes read"
1132
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1133# Tests for Session Tickets
1134
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1135run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1136 "$P_SRV debug_level=3 tickets=1" \
1137 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1138 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1139 -c "client hello, adding session ticket extension" \
1140 -s "found session ticket extension" \
1141 -s "server hello, adding session ticket extension" \
1142 -c "found session_ticket extension" \
1143 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1144 -S "session successfully restored from cache" \
1145 -s "session successfully restored from ticket" \
1146 -s "a session has been resumed" \
1147 -c "a session has been resumed"
1148
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1149run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1150 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1151 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1152 0 \
1153 -c "client hello, adding session ticket extension" \
1154 -s "found session ticket extension" \
1155 -s "server hello, adding session ticket extension" \
1156 -c "found session_ticket extension" \
1157 -c "parse new session ticket" \
1158 -S "session successfully restored from cache" \
1159 -s "session successfully restored from ticket" \
1160 -s "a session has been resumed" \
1161 -c "a session has been resumed"
1162
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1163run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1164 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1165 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1166 0 \
1167 -c "client hello, adding session ticket extension" \
1168 -s "found session ticket extension" \
1169 -s "server hello, adding session ticket extension" \
1170 -c "found session_ticket extension" \
1171 -c "parse new session ticket" \
1172 -S "session successfully restored from cache" \
1173 -S "session successfully restored from ticket" \
1174 -S "a session has been resumed" \
1175 -C "a session has been resumed"
1176
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1177run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1178 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1179 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1180 0 \
1181 -c "client hello, adding session ticket extension" \
1182 -c "found session_ticket extension" \
1183 -c "parse new session ticket" \
1184 -c "a session has been resumed"
1185
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1186run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1187 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1188 "( $O_CLI -sess_out $SESSION; \
1189 $O_CLI -sess_in $SESSION; \
1190 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1191 0 \
1192 -s "found session ticket extension" \
1193 -s "server hello, adding session ticket extension" \
1194 -S "session successfully restored from cache" \
1195 -s "session successfully restored from ticket" \
1196 -s "a session has been resumed"
1197
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1198# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1199
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1200run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1201 "$P_SRV debug_level=3 tickets=0" \
1202 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1203 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1204 -c "client hello, adding session ticket extension" \
1205 -s "found session ticket extension" \
1206 -S "server hello, adding session ticket extension" \
1207 -C "found session_ticket extension" \
1208 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1209 -s "session successfully restored from cache" \
1210 -S "session successfully restored from ticket" \
1211 -s "a session has been resumed" \
1212 -c "a session has been resumed"
1213
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1214run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1215 "$P_SRV debug_level=3 tickets=1" \
1216 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1217 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1218 -C "client hello, adding session ticket extension" \
1219 -S "found session ticket extension" \
1220 -S "server hello, adding session ticket extension" \
1221 -C "found session_ticket extension" \
1222 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1223 -s "session successfully restored from cache" \
1224 -S "session successfully restored from ticket" \
1225 -s "a session has been resumed" \
1226 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1227
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1228run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1229 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1230 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1231 0 \
1232 -S "session successfully restored from cache" \
1233 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1234 -S "a session has been resumed" \
1235 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1236
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1237run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1238 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1239 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1240 0 \
1241 -s "session successfully restored from cache" \
1242 -S "session successfully restored from ticket" \
1243 -s "a session has been resumed" \
1244 -c "a session has been resumed"
1245
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1246run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1247 "$P_SRV debug_level=3 tickets=0" \
1248 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1249 0 \
1250 -s "session successfully restored from cache" \
1251 -S "session successfully restored from ticket" \
1252 -s "a session has been resumed" \
1253 -c "a session has been resumed"
1254
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1255run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1256 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1257 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1258 0 \
1259 -S "session successfully restored from cache" \
1260 -S "session successfully restored from ticket" \
1261 -S "a session has been resumed" \
1262 -C "a session has been resumed"
1263
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1264run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1265 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1266 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1267 0 \
1268 -s "session successfully restored from cache" \
1269 -S "session successfully restored from ticket" \
1270 -s "a session has been resumed" \
1271 -c "a session has been resumed"
1272
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1273run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1274 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1275 "( $O_CLI -sess_out $SESSION; \
1276 $O_CLI -sess_in $SESSION; \
1277 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1278 0 \
1279 -s "found session ticket extension" \
1280 -S "server hello, adding session ticket extension" \
1281 -s "session successfully restored from cache" \
1282 -S "session successfully restored from ticket" \
1283 -s "a session has been resumed"
1284
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1285run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1286 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1287 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1288 0 \
1289 -C "found session_ticket extension" \
1290 -C "parse new session ticket" \
1291 -c "a session has been resumed"
1292
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1293# Tests for Max Fragment Length extension
1294
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1295run_test "Max fragment length: not used, reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1296 "$P_SRV debug_level=3" \
1297 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1298 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1299 -c "Maximum fragment length is 16384" \
1300 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1301 -C "client hello, adding max_fragment_length extension" \
1302 -S "found max fragment length extension" \
1303 -S "server hello, max_fragment_length extension" \
1304 -C "found max_fragment_length extension"
1305
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1306run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1307 "$P_SRV debug_level=3" \
1308 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1309 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1310 -c "Maximum fragment length is 4096" \
1311 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1312 -c "client hello, adding max_fragment_length extension" \
1313 -s "found max fragment length extension" \
1314 -s "server hello, max_fragment_length extension" \
1315 -c "found max_fragment_length extension"
1316
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1317run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1318 "$P_SRV debug_level=3 max_frag_len=4096" \
1319 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1320 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1321 -c "Maximum fragment length is 16384" \
1322 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1323 -C "client hello, adding max_fragment_length extension" \
1324 -S "found max fragment length extension" \
1325 -S "server hello, max_fragment_length extension" \
1326 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1327
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1328requires_gnutls
1329run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1330 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1331 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1332 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1333 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1334 -c "client hello, adding max_fragment_length extension" \
1335 -c "found max_fragment_length extension"
1336
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1337run_test "Max fragment length: client, message just fits" \
1338 "$P_SRV debug_level=3" \
1339 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1340 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1341 -c "Maximum fragment length is 2048" \
1342 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1343 -c "client hello, adding max_fragment_length extension" \
1344 -s "found max fragment length extension" \
1345 -s "server hello, max_fragment_length extension" \
1346 -c "found max_fragment_length extension" \
1347 -c "2048 bytes written in 1 fragments" \
1348 -s "2048 bytes read"
1349
1350run_test "Max fragment length: client, larger message" \
1351 "$P_SRV debug_level=3" \
1352 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1353 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1354 -c "Maximum fragment length is 2048" \
1355 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1356 -c "client hello, adding max_fragment_length extension" \
1357 -s "found max fragment length extension" \
1358 -s "server hello, max_fragment_length extension" \
1359 -c "found max_fragment_length extension" \
1360 -c "2345 bytes written in 2 fragments" \
1361 -s "2048 bytes read" \
1362 -s "297 bytes read"
1363
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1364run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1365 "$P_SRV debug_level=3 dtls=1" \
1366 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1367 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1368 -c "Maximum fragment length is 2048" \
1369 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1370 -c "client hello, adding max_fragment_length extension" \
1371 -s "found max fragment length extension" \
1372 -s "server hello, max_fragment_length extension" \
1373 -c "found max_fragment_length extension" \
1374 -c "fragment larger than.*maximum"
1375
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1376# Tests for renegotiation
1377
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1378run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1379 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1380 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1381 0 \
1382 -C "client hello, adding renegotiation extension" \
1383 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1384 -S "found renegotiation extension" \
1385 -s "server hello, secure renegotiation extension" \
1386 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1387 -C "=> renegotiate" \
1388 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1389 -S "write hello request"
1390
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1391run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1392 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1393 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1394 0 \
1395 -c "client hello, adding renegotiation extension" \
1396 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1397 -s "found renegotiation extension" \
1398 -s "server hello, secure renegotiation extension" \
1399 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1400 -c "=> renegotiate" \
1401 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1402 -S "write hello request"
1403
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1404run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1405 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1406 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1407 0 \
1408 -c "client hello, adding renegotiation extension" \
1409 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1410 -s "found renegotiation extension" \
1411 -s "server hello, secure renegotiation extension" \
1412 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1413 -c "=> renegotiate" \
1414 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1415 -s "write hello request"
1416
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1417run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1418 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1419 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1420 0 \
1421 -c "client hello, adding renegotiation extension" \
1422 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1423 -s "found renegotiation extension" \
1424 -s "server hello, secure renegotiation extension" \
1425 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1426 -c "=> renegotiate" \
1427 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1428 -s "write hello request"
1429
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1430run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1431 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1432 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1433 1 \
1434 -c "client hello, adding renegotiation extension" \
1435 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1436 -S "found renegotiation extension" \
1437 -s "server hello, secure renegotiation extension" \
1438 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1439 -c "=> renegotiate" \
1440 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1441 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1442 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1443 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1444
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1445run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1446 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1447 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1448 0 \
1449 -C "client hello, adding renegotiation extension" \
1450 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1451 -S "found renegotiation extension" \
1452 -s "server hello, secure renegotiation extension" \
1453 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1454 -C "=> renegotiate" \
1455 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1456 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1457 -S "SSL - An unexpected message was received from our peer" \
1458 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1459
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1460run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1461 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1462 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1463 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1464 0 \
1465 -C "client hello, adding renegotiation extension" \
1466 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1467 -S "found renegotiation extension" \
1468 -s "server hello, secure renegotiation extension" \
1469 -c "found renegotiation extension" \
1470 -C "=> renegotiate" \
1471 -S "=> renegotiate" \
1472 -s "write hello request" \
1473 -S "SSL - An unexpected message was received from our peer" \
1474 -S "failed"
1475
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1476# delay 2 for 1 alert record + 1 application data record
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1477run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1478 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1479 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1480 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1481 0 \
1482 -C "client hello, adding renegotiation extension" \
1483 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1484 -S "found renegotiation extension" \
1485 -s "server hello, secure renegotiation extension" \
1486 -c "found renegotiation extension" \
1487 -C "=> renegotiate" \
1488 -S "=> renegotiate" \
1489 -s "write hello request" \
1490 -S "SSL - An unexpected message was received from our peer" \
1491 -S "failed"
1492
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1493run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1494 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1495 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1496 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1497 0 \
1498 -C "client hello, adding renegotiation extension" \
1499 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1500 -S "found renegotiation extension" \
1501 -s "server hello, secure renegotiation extension" \
1502 -c "found renegotiation extension" \
1503 -C "=> renegotiate" \
1504 -S "=> renegotiate" \
1505 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1506 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1507
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1508run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1509 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1510 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1511 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1512 0 \
1513 -c "client hello, adding renegotiation extension" \
1514 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1515 -s "found renegotiation extension" \
1516 -s "server hello, secure renegotiation extension" \
1517 -c "found renegotiation extension" \
1518 -c "=> renegotiate" \
1519 -s "=> renegotiate" \
1520 -s "write hello request" \
1521 -S "SSL - An unexpected message was received from our peer" \
1522 -S "failed"
1523
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1524run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1525 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1526 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1527 0 \
1528 -C "client hello, adding renegotiation extension" \
1529 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1530 -S "found renegotiation extension" \
1531 -s "server hello, secure renegotiation extension" \
1532 -c "found renegotiation extension" \
1533 -S "record counter limit reached: renegotiate" \
1534 -C "=> renegotiate" \
1535 -S "=> renegotiate" \
1536 -S "write hello request" \
1537 -S "SSL - An unexpected message was received from our peer" \
1538 -S "failed"
1539
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1540# one extra exchange to be able to complete renego
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1541run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1542 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1543 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1544 0 \
1545 -c "client hello, adding renegotiation extension" \
1546 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1547 -s "found renegotiation extension" \
1548 -s "server hello, secure renegotiation extension" \
1549 -c "found renegotiation extension" \
1550 -s "record counter limit reached: renegotiate" \
1551 -c "=> renegotiate" \
1552 -s "=> renegotiate" \
1553 -s "write hello request" \
1554 -S "SSL - An unexpected message was received from our peer" \
1555 -S "failed"
1556
1557run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1558 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1559 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1560 0 \
1561 -c "client hello, adding renegotiation extension" \
1562 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1563 -s "found renegotiation extension" \
1564 -s "server hello, secure renegotiation extension" \
1565 -c "found renegotiation extension" \
1566 -s "record counter limit reached: renegotiate" \
1567 -c "=> renegotiate" \
1568 -s "=> renegotiate" \
1569 -s "write hello request" \
1570 -S "SSL - An unexpected message was received from our peer" \
1571 -S "failed"
1572
1573run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1574 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1575 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1576 0 \
1577 -C "client hello, adding renegotiation extension" \
1578 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1579 -S "found renegotiation extension" \
1580 -s "server hello, secure renegotiation extension" \
1581 -c "found renegotiation extension" \
1582 -S "record counter limit reached: renegotiate" \
1583 -C "=> renegotiate" \
1584 -S "=> renegotiate" \
1585 -S "write hello request" \
1586 -S "SSL - An unexpected message was received from our peer" \
1587 -S "failed"
1588
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1589run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1590 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1591 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1592 0 \
1593 -c "client hello, adding renegotiation extension" \
1594 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1595 -s "found renegotiation extension" \
1596 -s "server hello, secure renegotiation extension" \
1597 -c "found renegotiation extension" \
1598 -c "=> renegotiate" \
1599 -s "=> renegotiate" \
1600 -S "write hello request"
1601
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1602run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1603 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1604 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1605 0 \
1606 -c "client hello, adding renegotiation extension" \
1607 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1608 -s "found renegotiation extension" \
1609 -s "server hello, secure renegotiation extension" \
1610 -c "found renegotiation extension" \
1611 -c "=> renegotiate" \
1612 -s "=> renegotiate" \
1613 -s "write hello request"
1614
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1615run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1616 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1617 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1618 0 \
1619 -c "client hello, adding renegotiation extension" \
1620 -c "found renegotiation extension" \
1621 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1622 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1623 -C "error" \
1624 -c "HTTP/1.0 200 [Oo][Kk]"
1625
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1626requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1627run_test "Renegotiation: gnutls server strict, client-initiated" \
1628 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1629 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1630 0 \
1631 -c "client hello, adding renegotiation extension" \
1632 -c "found renegotiation extension" \
1633 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1634 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1635 -C "error" \
1636 -c "HTTP/1.0 200 [Oo][Kk]"
1637
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1638requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1639run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1640 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1641 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1642 1 \
1643 -c "client hello, adding renegotiation extension" \
1644 -C "found renegotiation extension" \
1645 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1646 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1647 -c "error" \
1648 -C "HTTP/1.0 200 [Oo][Kk]"
1649
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1650requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1651run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1652 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1653 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1654 allow_legacy=0" \
1655 1 \
1656 -c "client hello, adding renegotiation extension" \
1657 -C "found renegotiation extension" \
1658 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1659 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1660 -c "error" \
1661 -C "HTTP/1.0 200 [Oo][Kk]"
1662
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1663requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1664run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1665 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1666 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1667 allow_legacy=1" \
1668 0 \
1669 -c "client hello, adding renegotiation extension" \
1670 -C "found renegotiation extension" \
1671 -c "=> renegotiate" \
1672 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1673 -C "error" \
1674 -c "HTTP/1.0 200 [Oo][Kk]"
1675
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1676run_test "Renegotiation: DTLS, client-initiated" \
1677 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1678 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1679 0 \
1680 -c "client hello, adding renegotiation extension" \
1681 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1682 -s "found renegotiation extension" \
1683 -s "server hello, secure renegotiation extension" \
1684 -c "found renegotiation extension" \
1685 -c "=> renegotiate" \
1686 -s "=> renegotiate" \
1687 -S "write hello request"
1688
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1689run_test "Renegotiation: DTLS, server-initiated" \
1690 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1691 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1692 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1693 0 \
1694 -c "client hello, adding renegotiation extension" \
1695 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1696 -s "found renegotiation extension" \
1697 -s "server hello, secure renegotiation extension" \
1698 -c "found renegotiation extension" \
1699 -c "=> renegotiate" \
1700 -s "=> renegotiate" \
1701 -s "write hello request"
1702
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1703run_test "Renegotiation: DTLS, renego_period overflow" \
1704 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1705 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1706 0 \
1707 -c "client hello, adding renegotiation extension" \
1708 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1709 -s "found renegotiation extension" \
1710 -s "server hello, secure renegotiation extension" \
1711 -s "record counter limit reached: renegotiate" \
1712 -c "=> renegotiate" \
1713 -s "=> renegotiate" \
1714 -s "write hello request" \
1715
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1716requires_gnutls
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1717run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1718 "$G_SRV -u --mtu 4096" \
1719 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1720 0 \
1721 -c "client hello, adding renegotiation extension" \
1722 -c "found renegotiation extension" \
1723 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1724 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1725 -C "error" \
1726 -s "Extra-header:"
1727
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1728# Test for the "secure renegotation" extension only (no actual renegotiation)
1729
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1730requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1731run_test "Renego ext: gnutls server strict, client default" \
1732 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1733 "$P_CLI debug_level=3" \
1734 0 \
1735 -c "found renegotiation extension" \
1736 -C "error" \
1737 -c "HTTP/1.0 200 [Oo][Kk]"
1738
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1739requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1740run_test "Renego ext: gnutls server unsafe, client default" \
1741 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1742 "$P_CLI debug_level=3" \
1743 0 \
1744 -C "found renegotiation extension" \
1745 -C "error" \
1746 -c "HTTP/1.0 200 [Oo][Kk]"
1747
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1748requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1749run_test "Renego ext: gnutls server unsafe, client break legacy" \
1750 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1751 "$P_CLI debug_level=3 allow_legacy=-1" \
1752 1 \
1753 -C "found renegotiation extension" \
1754 -c "error" \
1755 -C "HTTP/1.0 200 [Oo][Kk]"
1756
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1757requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1758run_test "Renego ext: gnutls client strict, server default" \
1759 "$P_SRV debug_level=3" \
1760 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1761 0 \
1762 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1763 -s "server hello, secure renegotiation extension"
1764
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1765requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1766run_test "Renego ext: gnutls client unsafe, server default" \
1767 "$P_SRV debug_level=3" \
1768 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1769 0 \
1770 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1771 -S "server hello, secure renegotiation extension"
1772
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1773requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1774run_test "Renego ext: gnutls client unsafe, server break legacy" \
1775 "$P_SRV debug_level=3 allow_legacy=-1" \
1776 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1777 1 \
1778 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1779 -S "server hello, secure renegotiation extension"
1780
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]1781# Tests for silently dropping trailing extra bytes in .der certificates
1782
1783requires_gnutls
1784run_test "DER format: no trailing bytes" \
1785 "$P_SRV crt_file=data_files/server5-der0.crt \
1786 key_file=data_files/server5.key" \
1787 "$G_CLI " \
1788 0 \
1789 -c "Handshake was completed" \
1790
1791requires_gnutls
1792run_test "DER format: with a trailing zero byte" \
1793 "$P_SRV crt_file=data_files/server5-der1a.crt \
1794 key_file=data_files/server5.key" \
1795 "$G_CLI " \
1796 0 \
1797 -c "Handshake was completed" \
1798
1799requires_gnutls
1800run_test "DER format: with a trailing random byte" \
1801 "$P_SRV crt_file=data_files/server5-der1b.crt \
1802 key_file=data_files/server5.key" \
1803 "$G_CLI " \
1804 0 \
1805 -c "Handshake was completed" \
1806
1807requires_gnutls
1808run_test "DER format: with 2 trailing random bytes" \
1809 "$P_SRV crt_file=data_files/server5-der2.crt \
1810 key_file=data_files/server5.key" \
1811 "$G_CLI " \
1812 0 \
1813 -c "Handshake was completed" \
1814
1815requires_gnutls
1816run_test "DER format: with 4 trailing random bytes" \
1817 "$P_SRV crt_file=data_files/server5-der4.crt \
1818 key_file=data_files/server5.key" \
1819 "$G_CLI " \
1820 0 \
1821 -c "Handshake was completed" \
1822
1823requires_gnutls
1824run_test "DER format: with 8 trailing random bytes" \
1825 "$P_SRV crt_file=data_files/server5-der8.crt \
1826 key_file=data_files/server5.key" \
1827 "$G_CLI " \
1828 0 \
1829 -c "Handshake was completed" \
1830
1831requires_gnutls
1832run_test "DER format: with 9 trailing random bytes" \
1833 "$P_SRV crt_file=data_files/server5-der9.crt \
1834 key_file=data_files/server5.key" \
1835 "$G_CLI " \
1836 0 \
1837 -c "Handshake was completed" \
1838
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1839# Tests for auth_mode
1840
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1841run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1842 "$P_SRV crt_file=data_files/server5-badsign.crt \
1843 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1844 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1845 1 \
1846 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1847 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1848 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1849 -c "X509 - Certificate verification failed"
1850
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1851run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1852 "$P_SRV crt_file=data_files/server5-badsign.crt \
1853 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1854 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1855 0 \
1856 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1857 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1859 -C "X509 - Certificate verification failed"
1860
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]1861run_test "Authentication: server goodcert, client optional, no trusted CA" \
1862 "$P_SRV" \
1863 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1864 0 \
1865 -c "x509_verify_cert() returned" \
1866 -c "! The certificate is not correctly signed by the trusted CA" \
1867 -c "! Certificate verification flags"\
1868 -C "! mbedtls_ssl_handshake returned" \
1869 -C "X509 - Certificate verification failed" \
1870 -C "SSL - No CA Chain is set, but required to operate"
1871
1872run_test "Authentication: server goodcert, client required, no trusted CA" \
1873 "$P_SRV" \
1874 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1875 1 \
1876 -c "x509_verify_cert() returned" \
1877 -c "! The certificate is not correctly signed by the trusted CA" \
1878 -c "! Certificate verification flags"\
1879 -c "! mbedtls_ssl_handshake returned" \
1880 -c "SSL - No CA Chain is set, but required to operate"
1881
1882# The purpose of the next two tests is to test the client's behaviour when receiving a server
1883# certificate with an unsupported elliptic curve. This should usually not happen because
1884# the client informs the server about the supported curves - it does, though, in the
1885# corner case of a static ECDH suite, because the server doesn't check the curve on that
1886# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1887# different means to have the server ignoring the client's supported curve list.
1888
1889requires_config_enabled MBEDTLS_ECP_C
1890run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1891 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1892 crt_file=data_files/server5.ku-ka.crt" \
1893 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1894 1 \
1895 -c "bad certificate (EC key curve)"\
1896 -c "! Certificate verification flags"\
1897 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1898
1899requires_config_enabled MBEDTLS_ECP_C
1900run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1901 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1902 crt_file=data_files/server5.ku-ka.crt" \
1903 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1904 1 \
1905 -c "bad certificate (EC key curve)"\
1906 -c "! Certificate verification flags"\
1907 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1908
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1909run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1910 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1911 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1912 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1913 0 \
1914 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1915 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1916 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1917 -C "X509 - Certificate verification failed"
1918
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]1919run_test "Authentication: client SHA256, server required" \
1920 "$P_SRV auth_mode=required" \
1921 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
1922 key_file=data_files/server6.key \
1923 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1924 0 \
1925 -c "Supported Signature Algorithm found: 4," \
1926 -c "Supported Signature Algorithm found: 5,"
1927
1928run_test "Authentication: client SHA384, server required" \
1929 "$P_SRV auth_mode=required" \
1930 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
1931 key_file=data_files/server6.key \
1932 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
1933 0 \
1934 -c "Supported Signature Algorithm found: 4," \
1935 -c "Supported Signature Algorithm found: 5,"
1936
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]1937requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
1938run_test "Authentication: client has no cert, server required (SSLv3)" \
1939 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
1940 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
1941 key_file=data_files/server5.key" \
1942 1 \
1943 -S "skip write certificate request" \
1944 -C "skip parse certificate request" \
1945 -c "got a certificate request" \
1946 -c "got no certificate to send" \
1947 -S "x509_verify_cert() returned" \
1948 -s "client has no certificate" \
1949 -s "! mbedtls_ssl_handshake returned" \
1950 -c "! mbedtls_ssl_handshake returned" \
1951 -s "No client certification received from the client, but required by the authentication mode"
1952
1953run_test "Authentication: client has no cert, server required (TLS)" \
1954 "$P_SRV debug_level=3 auth_mode=required" \
1955 "$P_CLI debug_level=3 crt_file=none \
1956 key_file=data_files/server5.key" \
1957 1 \
1958 -S "skip write certificate request" \
1959 -C "skip parse certificate request" \
1960 -c "got a certificate request" \
1961 -c "= write certificate$" \
1962 -C "skip write certificate$" \
1963 -S "x509_verify_cert() returned" \
1964 -s "client has no certificate" \
1965 -s "! mbedtls_ssl_handshake returned" \
1966 -c "! mbedtls_ssl_handshake returned" \
1967 -s "No client certification received from the client, but required by the authentication mode"
1968
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1969run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1970 "$P_SRV debug_level=3 auth_mode=required" \
1971 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1972 key_file=data_files/server5.key" \
1973 1 \
1974 -S "skip write certificate request" \
1975 -C "skip parse certificate request" \
1976 -c "got a certificate request" \
1977 -C "skip write certificate" \
1978 -C "skip write certificate verify" \
1979 -S "skip parse certificate verify" \
1980 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]1981 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1982 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1983 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1984 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1985 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1986# We don't check that the client receives the alert because it might
1987# detect that its write end of the connection is closed and abort
1988# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1989
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]1990run_test "Authentication: client cert not trusted, server required" \
1991 "$P_SRV debug_level=3 auth_mode=required" \
1992 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
1993 key_file=data_files/server5.key" \
1994 1 \
1995 -S "skip write certificate request" \
1996 -C "skip parse certificate request" \
1997 -c "got a certificate request" \
1998 -C "skip write certificate" \
1999 -C "skip write certificate verify" \
2000 -S "skip parse certificate verify" \
2001 -s "x509_verify_cert() returned" \
2002 -s "! The certificate is not correctly signed by the trusted CA" \
2003 -s "! mbedtls_ssl_handshake returned" \
2004 -c "! mbedtls_ssl_handshake returned" \
2005 -s "X509 - Certificate verification failed"
2006
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2007run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2008 "$P_SRV debug_level=3 auth_mode=optional" \
2009 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2010 key_file=data_files/server5.key" \
2011 0 \
2012 -S "skip write certificate request" \
2013 -C "skip parse certificate request" \
2014 -c "got a certificate request" \
2015 -C "skip write certificate" \
2016 -C "skip write certificate verify" \
2017 -S "skip parse certificate verify" \
2018 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2019 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2020 -S "! mbedtls_ssl_handshake returned" \
2021 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2022 -S "X509 - Certificate verification failed"
2023
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2024run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2025 "$P_SRV debug_level=3 auth_mode=none" \
2026 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2027 key_file=data_files/server5.key" \
2028 0 \
2029 -s "skip write certificate request" \
2030 -C "skip parse certificate request" \
2031 -c "got no certificate request" \
2032 -c "skip write certificate" \
2033 -c "skip write certificate verify" \
2034 -s "skip parse certificate verify" \
2035 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2036 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037 -S "! mbedtls_ssl_handshake returned" \
2038 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2039 -S "X509 - Certificate verification failed"
2040
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2041run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2042 "$P_SRV debug_level=3 auth_mode=optional" \
2043 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2044 0 \
2045 -S "skip write certificate request" \
2046 -C "skip parse certificate request" \
2047 -c "got a certificate request" \
2048 -C "skip write certificate$" \
2049 -C "got no certificate to send" \
2050 -S "SSLv3 client has no certificate" \
2051 -c "skip write certificate verify" \
2052 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2053 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2054 -S "! mbedtls_ssl_handshake returned" \
2055 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2056 -S "X509 - Certificate verification failed"
2057
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2058run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2059 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2060 "$O_CLI" \
2061 0 \
2062 -S "skip write certificate request" \
2063 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2064 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2065 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2066 -S "X509 - Certificate verification failed"
2067
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2068run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2069 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2070 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2071 0 \
2072 -C "skip parse certificate request" \
2073 -c "got a certificate request" \
2074 -C "skip write certificate$" \
2075 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2076 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2077
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2078run_test "Authentication: client no cert, openssl server required" \
2079 "$O_SRV -Verify 10" \
2080 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2081 1 \
2082 -C "skip parse certificate request" \
2083 -c "got a certificate request" \
2084 -C "skip write certificate$" \
2085 -c "skip write certificate verify" \
2086 -c "! mbedtls_ssl_handshake returned"
2087
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2088requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2089run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2090 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2091 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2092 0 \
2093 -S "skip write certificate request" \
2094 -C "skip parse certificate request" \
2095 -c "got a certificate request" \
2096 -C "skip write certificate$" \
2097 -c "skip write certificate verify" \
2098 -c "got no certificate to send" \
2099 -s "SSLv3 client has no certificate" \
2100 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2101 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2102 -S "! mbedtls_ssl_handshake returned" \
2103 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2104 -S "X509 - Certificate verification failed"
2105
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2106# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2107# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2108
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame^]2109: ${MAX_IM_CA:='20'}
2110MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2111
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame^]2112if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -gt "$MAX_IM_CA" ]; then
2113 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
2114 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is greater than the script’s\n"
2115 printf "test value of ${MAX_IM_CA}. \n"
2116 printf "\n"
2117 printf "By default, this value cannot be higher as there are insufficient\n"
2118 printf "test certificate files available to test with.\n"
2119 printf "\n"
2120 printf "To generate additional test certificates use the script:\n"
2121 printf " tests/data_files/dir-maxpath/long.sh\n"
2122 printf "\n"
2123 printf "To test using an alternative value, please set the environment variable\n"
2124 printf "MAX_IM_CA or change the default value in the script tests/ssl-opt.sh.\n"
2125
2126 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2127fi
2128
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2129run_test "Authentication: server max_int chain, client default" \
2130 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2131 key_file=data_files/dir-maxpath/09.key" \
2132 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2133 0 \
2134 -C "X509 - A fatal error occured"
2135
2136run_test "Authentication: server max_int+1 chain, client default" \
2137 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2138 key_file=data_files/dir-maxpath/10.key" \
2139 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2140 1 \
2141 -c "X509 - A fatal error occured"
2142
2143run_test "Authentication: server max_int+1 chain, client optional" \
2144 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2145 key_file=data_files/dir-maxpath/10.key" \
2146 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2147 auth_mode=optional" \
2148 1 \
2149 -c "X509 - A fatal error occured"
2150
2151run_test "Authentication: server max_int+1 chain, client none" \
2152 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2153 key_file=data_files/dir-maxpath/10.key" \
2154 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2155 auth_mode=none" \
2156 0 \
2157 -C "X509 - A fatal error occured"
2158
2159run_test "Authentication: client max_int+1 chain, server default" \
2160 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2161 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2162 key_file=data_files/dir-maxpath/10.key" \
2163 0 \
2164 -S "X509 - A fatal error occured"
2165
2166run_test "Authentication: client max_int+1 chain, server optional" \
2167 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2168 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2169 key_file=data_files/dir-maxpath/10.key" \
2170 1 \
2171 -s "X509 - A fatal error occured"
2172
2173run_test "Authentication: client max_int+1 chain, server required" \
2174 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2175 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2176 key_file=data_files/dir-maxpath/10.key" \
2177 1 \
2178 -s "X509 - A fatal error occured"
2179
2180run_test "Authentication: client max_int chain, server required" \
2181 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2182 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2183 key_file=data_files/dir-maxpath/09.key" \
2184 0 \
2185 -S "X509 - A fatal error occured"
2186
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2187# Tests for CA list in CertificateRequest messages
2188
2189run_test "Authentication: send CA list in CertificateRequest (default)" \
2190 "$P_SRV debug_level=3 auth_mode=required" \
2191 "$P_CLI crt_file=data_files/server6.crt \
2192 key_file=data_files/server6.key" \
2193 0 \
2194 -s "requested DN"
2195
2196run_test "Authentication: do not send CA list in CertificateRequest" \
2197 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2198 "$P_CLI crt_file=data_files/server6.crt \
2199 key_file=data_files/server6.key" \
2200 0 \
2201 -S "requested DN"
2202
2203run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2204 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2205 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2206 key_file=data_files/server5.key" \
2207 1 \
2208 -S "requested DN" \
2209 -s "x509_verify_cert() returned" \
2210 -s "! The certificate is not correctly signed by the trusted CA" \
2211 -s "! mbedtls_ssl_handshake returned" \
2212 -c "! mbedtls_ssl_handshake returned" \
2213 -s "X509 - Certificate verification failed"
2214
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2215# Tests for certificate selection based on SHA verson
2216
2217run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2218 "$P_SRV crt_file=data_files/server5.crt \
2219 key_file=data_files/server5.key \
2220 crt_file2=data_files/server5-sha1.crt \
2221 key_file2=data_files/server5.key" \
2222 "$P_CLI force_version=tls1_2" \
2223 0 \
2224 -c "signed using.*ECDSA with SHA256" \
2225 -C "signed using.*ECDSA with SHA1"
2226
2227run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2228 "$P_SRV crt_file=data_files/server5.crt \
2229 key_file=data_files/server5.key \
2230 crt_file2=data_files/server5-sha1.crt \
2231 key_file2=data_files/server5.key" \
2232 "$P_CLI force_version=tls1_1" \
2233 0 \
2234 -C "signed using.*ECDSA with SHA256" \
2235 -c "signed using.*ECDSA with SHA1"
2236
2237run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2238 "$P_SRV crt_file=data_files/server5.crt \
2239 key_file=data_files/server5.key \
2240 crt_file2=data_files/server5-sha1.crt \
2241 key_file2=data_files/server5.key" \
2242 "$P_CLI force_version=tls1" \
2243 0 \
2244 -C "signed using.*ECDSA with SHA256" \
2245 -c "signed using.*ECDSA with SHA1"
2246
2247run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2248 "$P_SRV crt_file=data_files/server5.crt \
2249 key_file=data_files/server5.key \
2250 crt_file2=data_files/server6.crt \
2251 key_file2=data_files/server6.key" \
2252 "$P_CLI force_version=tls1_1" \
2253 0 \
2254 -c "serial number.*09" \
2255 -c "signed using.*ECDSA with SHA256" \
2256 -C "signed using.*ECDSA with SHA1"
2257
2258run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2259 "$P_SRV crt_file=data_files/server6.crt \
2260 key_file=data_files/server6.key \
2261 crt_file2=data_files/server5.crt \
2262 key_file2=data_files/server5.key" \
2263 "$P_CLI force_version=tls1_1" \
2264 0 \
2265 -c "serial number.*0A" \
2266 -c "signed using.*ECDSA with SHA256" \
2267 -C "signed using.*ECDSA with SHA1"
2268
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2269# tests for SNI
2270
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2271run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2272 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2273 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2274 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2275 0 \
2276 -S "parse ServerName extension" \
2277 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2278 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2279
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2280run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2281 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2282 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2283 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2284 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2285 0 \
2286 -s "parse ServerName extension" \
2287 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2288 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2290run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2291 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2292 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2293 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2294 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2295 0 \
2296 -s "parse ServerName extension" \
2297 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2298 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2299
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2300run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2301 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2302 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2303 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2304 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2305 1 \
2306 -s "parse ServerName extension" \
2307 -s "ssl_sni_wrapper() returned" \
2308 -s "mbedtls_ssl_handshake returned" \
2309 -c "mbedtls_ssl_handshake returned" \
2310 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2311
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2312run_test "SNI: client auth no override: optional" \
2313 "$P_SRV debug_level=3 auth_mode=optional \
2314 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2315 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2316 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2317 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2318 -S "skip write certificate request" \
2319 -C "skip parse certificate request" \
2320 -c "got a certificate request" \
2321 -C "skip write certificate" \
2322 -C "skip write certificate verify" \
2323 -S "skip parse certificate verify"
2324
2325run_test "SNI: client auth override: none -> optional" \
2326 "$P_SRV debug_level=3 auth_mode=none \
2327 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2328 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2329 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2330 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2331 -S "skip write certificate request" \
2332 -C "skip parse certificate request" \
2333 -c "got a certificate request" \
2334 -C "skip write certificate" \
2335 -C "skip write certificate verify" \
2336 -S "skip parse certificate verify"
2337
2338run_test "SNI: client auth override: optional -> none" \
2339 "$P_SRV debug_level=3 auth_mode=optional \
2340 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2341 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2342 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2343 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2344 -s "skip write certificate request" \
2345 -C "skip parse certificate request" \
2346 -c "got no certificate request" \
2347 -c "skip write certificate" \
2348 -c "skip write certificate verify" \
2349 -s "skip parse certificate verify"
2350
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2351run_test "SNI: CA no override" \
2352 "$P_SRV debug_level=3 auth_mode=optional \
2353 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2354 ca_file=data_files/test-ca.crt \
2355 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2356 "$P_CLI debug_level=3 server_name=localhost \
2357 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2358 1 \
2359 -S "skip write certificate request" \
2360 -C "skip parse certificate request" \
2361 -c "got a certificate request" \
2362 -C "skip write certificate" \
2363 -C "skip write certificate verify" \
2364 -S "skip parse certificate verify" \
2365 -s "x509_verify_cert() returned" \
2366 -s "! The certificate is not correctly signed by the trusted CA" \
2367 -S "The certificate has been revoked (is on a CRL)"
2368
2369run_test "SNI: CA override" \
2370 "$P_SRV debug_level=3 auth_mode=optional \
2371 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2372 ca_file=data_files/test-ca.crt \
2373 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2374 "$P_CLI debug_level=3 server_name=localhost \
2375 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2376 0 \
2377 -S "skip write certificate request" \
2378 -C "skip parse certificate request" \
2379 -c "got a certificate request" \
2380 -C "skip write certificate" \
2381 -C "skip write certificate verify" \
2382 -S "skip parse certificate verify" \
2383 -S "x509_verify_cert() returned" \
2384 -S "! The certificate is not correctly signed by the trusted CA" \
2385 -S "The certificate has been revoked (is on a CRL)"
2386
2387run_test "SNI: CA override with CRL" \
2388 "$P_SRV debug_level=3 auth_mode=optional \
2389 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2390 ca_file=data_files/test-ca.crt \
2391 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2392 "$P_CLI debug_level=3 server_name=localhost \
2393 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2394 1 \
2395 -S "skip write certificate request" \
2396 -C "skip parse certificate request" \
2397 -c "got a certificate request" \
2398 -C "skip write certificate" \
2399 -C "skip write certificate verify" \
2400 -S "skip parse certificate verify" \
2401 -s "x509_verify_cert() returned" \
2402 -S "! The certificate is not correctly signed by the trusted CA" \
2403 -s "The certificate has been revoked (is on a CRL)"
2404
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2405# Tests for non-blocking I/O: exercise a variety of handshake flows
2406
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2407run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2408 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2409 "$P_CLI nbio=2 tickets=0" \
2410 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2411 -S "mbedtls_ssl_handshake returned" \
2412 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2413 -c "Read from server: .* bytes read"
2414
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2415run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2416 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2417 "$P_CLI nbio=2 tickets=0" \
2418 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2419 -S "mbedtls_ssl_handshake returned" \
2420 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2421 -c "Read from server: .* bytes read"
2422
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2423run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2424 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2425 "$P_CLI nbio=2 tickets=1" \
2426 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2427 -S "mbedtls_ssl_handshake returned" \
2428 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2429 -c "Read from server: .* bytes read"
2430
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2431run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2432 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2433 "$P_CLI nbio=2 tickets=1" \
2434 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2435 -S "mbedtls_ssl_handshake returned" \
2436 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2437 -c "Read from server: .* bytes read"
2438
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2439run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2440 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2441 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2442 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2443 -S "mbedtls_ssl_handshake returned" \
2444 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2445 -c "Read from server: .* bytes read"
2446
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2447run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2448 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2449 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2450 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2451 -S "mbedtls_ssl_handshake returned" \
2452 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2453 -c "Read from server: .* bytes read"
2454
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2455run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2456 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2457 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2458 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2459 -S "mbedtls_ssl_handshake returned" \
2460 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2461 -c "Read from server: .* bytes read"
2462
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2463# Tests for version negotiation
2464
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2465run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2466 "$P_SRV" \
2467 "$P_CLI" \
2468 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2469 -S "mbedtls_ssl_handshake returned" \
2470 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2471 -s "Protocol is TLSv1.2" \
2472 -c "Protocol is TLSv1.2"
2473
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2474run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2475 "$P_SRV" \
2476 "$P_CLI max_version=tls1_1" \
2477 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2478 -S "mbedtls_ssl_handshake returned" \
2479 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2480 -s "Protocol is TLSv1.1" \
2481 -c "Protocol is TLSv1.1"
2482
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2483run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2484 "$P_SRV max_version=tls1_1" \
2485 "$P_CLI" \
2486 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2487 -S "mbedtls_ssl_handshake returned" \
2488 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2489 -s "Protocol is TLSv1.1" \
2490 -c "Protocol is TLSv1.1"
2491
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2492run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2493 "$P_SRV max_version=tls1_1" \
2494 "$P_CLI max_version=tls1_1" \
2495 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2496 -S "mbedtls_ssl_handshake returned" \
2497 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2498 -s "Protocol is TLSv1.1" \
2499 -c "Protocol is TLSv1.1"
2500
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2501run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2502 "$P_SRV min_version=tls1_1" \
2503 "$P_CLI max_version=tls1_1" \
2504 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2505 -S "mbedtls_ssl_handshake returned" \
2506 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2507 -s "Protocol is TLSv1.1" \
2508 -c "Protocol is TLSv1.1"
2509
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2510run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2511 "$P_SRV max_version=tls1_1" \
2512 "$P_CLI min_version=tls1_1" \
2513 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2514 -S "mbedtls_ssl_handshake returned" \
2515 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2516 -s "Protocol is TLSv1.1" \
2517 -c "Protocol is TLSv1.1"
2518
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2519run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2520 "$P_SRV max_version=tls1_1" \
2521 "$P_CLI min_version=tls1_2" \
2522 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2523 -s "mbedtls_ssl_handshake returned" \
2524 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2525 -c "SSL - Handshake protocol not within min/max boundaries"
2526
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2527run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2528 "$P_SRV min_version=tls1_2" \
2529 "$P_CLI max_version=tls1_1" \
2530 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2531 -s "mbedtls_ssl_handshake returned" \
2532 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2533 -s "SSL - Handshake protocol not within min/max boundaries"
2534
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2535# Tests for ALPN extension
2536
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2537run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2538 "$P_SRV debug_level=3" \
2539 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2540 0 \
2541 -C "client hello, adding alpn extension" \
2542 -S "found alpn extension" \
2543 -C "got an alert message, type: \\[2:120]" \
2544 -S "server hello, adding alpn extension" \
2545 -C "found alpn extension " \
2546 -C "Application Layer Protocol is" \
2547 -S "Application Layer Protocol is"
2548
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2549run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2550 "$P_SRV debug_level=3" \
2551 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2552 0 \
2553 -c "client hello, adding alpn extension" \
2554 -s "found alpn extension" \
2555 -C "got an alert message, type: \\[2:120]" \
2556 -S "server hello, adding alpn extension" \
2557 -C "found alpn extension " \
2558 -c "Application Layer Protocol is (none)" \
2559 -S "Application Layer Protocol is"
2560
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2561run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2562 "$P_SRV debug_level=3 alpn=abc,1234" \
2563 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2564 0 \
2565 -C "client hello, adding alpn extension" \
2566 -S "found alpn extension" \
2567 -C "got an alert message, type: \\[2:120]" \
2568 -S "server hello, adding alpn extension" \
2569 -C "found alpn extension " \
2570 -C "Application Layer Protocol is" \
2571 -s "Application Layer Protocol is (none)"
2572
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2573run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2574 "$P_SRV debug_level=3 alpn=abc,1234" \
2575 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2576 0 \
2577 -c "client hello, adding alpn extension" \
2578 -s "found alpn extension" \
2579 -C "got an alert message, type: \\[2:120]" \
2580 -s "server hello, adding alpn extension" \
2581 -c "found alpn extension" \
2582 -c "Application Layer Protocol is abc" \
2583 -s "Application Layer Protocol is abc"
2584
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2585run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2586 "$P_SRV debug_level=3 alpn=abc,1234" \
2587 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2588 0 \
2589 -c "client hello, adding alpn extension" \
2590 -s "found alpn extension" \
2591 -C "got an alert message, type: \\[2:120]" \
2592 -s "server hello, adding alpn extension" \
2593 -c "found alpn extension" \
2594 -c "Application Layer Protocol is abc" \
2595 -s "Application Layer Protocol is abc"
2596
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2597run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2598 "$P_SRV debug_level=3 alpn=abc,1234" \
2599 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2600 0 \
2601 -c "client hello, adding alpn extension" \
2602 -s "found alpn extension" \
2603 -C "got an alert message, type: \\[2:120]" \
2604 -s "server hello, adding alpn extension" \
2605 -c "found alpn extension" \
2606 -c "Application Layer Protocol is 1234" \
2607 -s "Application Layer Protocol is 1234"
2608
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2609run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2610 "$P_SRV debug_level=3 alpn=abc,123" \
2611 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2612 1 \
2613 -c "client hello, adding alpn extension" \
2614 -s "found alpn extension" \
2615 -c "got an alert message, type: \\[2:120]" \
2616 -S "server hello, adding alpn extension" \
2617 -C "found alpn extension" \
2618 -C "Application Layer Protocol is 1234" \
2619 -S "Application Layer Protocol is 1234"
2620
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2621
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2622# Tests for keyUsage in leaf certificates, part 1:
2623# server-side certificate/suite selection
2624
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2625run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2626 "$P_SRV key_file=data_files/server2.key \
2627 crt_file=data_files/server2.ku-ds.crt" \
2628 "$P_CLI" \
2629 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2630 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2631
2632
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2633run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2634 "$P_SRV key_file=data_files/server2.key \
2635 crt_file=data_files/server2.ku-ke.crt" \
2636 "$P_CLI" \
2637 0 \
2638 -c "Ciphersuite is TLS-RSA-WITH-"
2639
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2640run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2641 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2642 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2643 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2644 1 \
2645 -C "Ciphersuite is "
2646
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2647run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2648 "$P_SRV key_file=data_files/server5.key \
2649 crt_file=data_files/server5.ku-ds.crt" \
2650 "$P_CLI" \
2651 0 \
2652 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2653
2654
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2655run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2656 "$P_SRV key_file=data_files/server5.key \
2657 crt_file=data_files/server5.ku-ka.crt" \
2658 "$P_CLI" \
2659 0 \
2660 -c "Ciphersuite is TLS-ECDH-"
2661
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2662run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2663 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2664 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2665 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2666 1 \
2667 -C "Ciphersuite is "
2668
2669# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2670# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2671
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2672run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2673 "$O_SRV -key data_files/server2.key \
2674 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2675 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2676 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2677 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2678 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2679 -C "Processing of the Certificate handshake message failed" \
2680 -c "Ciphersuite is TLS-"
2681
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2682run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2683 "$O_SRV -key data_files/server2.key \
2684 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2685 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2686 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2687 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2688 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2689 -C "Processing of the Certificate handshake message failed" \
2690 -c "Ciphersuite is TLS-"
2691
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2692run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2693 "$O_SRV -key data_files/server2.key \
2694 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2695 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2696 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2697 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2698 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2699 -C "Processing of the Certificate handshake message failed" \
2700 -c "Ciphersuite is TLS-"
2701
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2702run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2703 "$O_SRV -key data_files/server2.key \
2704 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2705 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2706 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2707 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2708 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2709 -c "Processing of the Certificate handshake message failed" \
2710 -C "Ciphersuite is TLS-"
2711
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2712run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2713 "$O_SRV -key data_files/server2.key \
2714 -cert data_files/server2.ku-ke.crt" \
2715 "$P_CLI debug_level=1 auth_mode=optional \
2716 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2717 0 \
2718 -c "bad certificate (usage extensions)" \
2719 -C "Processing of the Certificate handshake message failed" \
2720 -c "Ciphersuite is TLS-" \
2721 -c "! Usage does not match the keyUsage extension"
2722
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2723run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2724 "$O_SRV -key data_files/server2.key \
2725 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2726 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2727 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2728 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2729 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2730 -C "Processing of the Certificate handshake message failed" \
2731 -c "Ciphersuite is TLS-"
2732
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2733run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2734 "$O_SRV -key data_files/server2.key \
2735 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2736 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2737 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2738 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2739 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2740 -c "Processing of the Certificate handshake message failed" \
2741 -C "Ciphersuite is TLS-"
2742
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2743run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2744 "$O_SRV -key data_files/server2.key \
2745 -cert data_files/server2.ku-ds.crt" \
2746 "$P_CLI debug_level=1 auth_mode=optional \
2747 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2748 0 \
2749 -c "bad certificate (usage extensions)" \
2750 -C "Processing of the Certificate handshake message failed" \
2751 -c "Ciphersuite is TLS-" \
2752 -c "! Usage does not match the keyUsage extension"
2753
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2754# Tests for keyUsage in leaf certificates, part 3:
2755# server-side checking of client cert
2756
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2757run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2758 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2759 "$O_CLI -key data_files/server2.key \
2760 -cert data_files/server2.ku-ds.crt" \
2761 0 \
2762 -S "bad certificate (usage extensions)" \
2763 -S "Processing of the Certificate handshake message failed"
2764
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2765run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2766 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2767 "$O_CLI -key data_files/server2.key \
2768 -cert data_files/server2.ku-ke.crt" \
2769 0 \
2770 -s "bad certificate (usage extensions)" \
2771 -S "Processing of the Certificate handshake message failed"
2772
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2773run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2774 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2775 "$O_CLI -key data_files/server2.key \
2776 -cert data_files/server2.ku-ke.crt" \
2777 1 \
2778 -s "bad certificate (usage extensions)" \
2779 -s "Processing of the Certificate handshake message failed"
2780
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2781run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2782 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2783 "$O_CLI -key data_files/server5.key \
2784 -cert data_files/server5.ku-ds.crt" \
2785 0 \
2786 -S "bad certificate (usage extensions)" \
2787 -S "Processing of the Certificate handshake message failed"
2788
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2789run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2790 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2791 "$O_CLI -key data_files/server5.key \
2792 -cert data_files/server5.ku-ka.crt" \
2793 0 \
2794 -s "bad certificate (usage extensions)" \
2795 -S "Processing of the Certificate handshake message failed"
2796
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2797# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2798
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2799run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2800 "$P_SRV key_file=data_files/server5.key \
2801 crt_file=data_files/server5.eku-srv.crt" \
2802 "$P_CLI" \
2803 0
2804
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2805run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2806 "$P_SRV key_file=data_files/server5.key \
2807 crt_file=data_files/server5.eku-srv.crt" \
2808 "$P_CLI" \
2809 0
2810
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2811run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2812 "$P_SRV key_file=data_files/server5.key \
2813 crt_file=data_files/server5.eku-cs_any.crt" \
2814 "$P_CLI" \
2815 0
2816
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2817run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2818 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2819 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2820 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2821 1
2822
2823# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2824
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2825run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2826 "$O_SRV -key data_files/server5.key \
2827 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2828 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2829 0 \
2830 -C "bad certificate (usage extensions)" \
2831 -C "Processing of the Certificate handshake message failed" \
2832 -c "Ciphersuite is TLS-"
2833
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2834run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2835 "$O_SRV -key data_files/server5.key \
2836 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2837 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2838 0 \
2839 -C "bad certificate (usage extensions)" \
2840 -C "Processing of the Certificate handshake message failed" \
2841 -c "Ciphersuite is TLS-"
2842
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2843run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2844 "$O_SRV -key data_files/server5.key \
2845 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2846 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2847 0 \
2848 -C "bad certificate (usage extensions)" \
2849 -C "Processing of the Certificate handshake message failed" \
2850 -c "Ciphersuite is TLS-"
2851
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2852run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2853 "$O_SRV -key data_files/server5.key \
2854 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2855 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2856 1 \
2857 -c "bad certificate (usage extensions)" \
2858 -c "Processing of the Certificate handshake message failed" \
2859 -C "Ciphersuite is TLS-"
2860
2861# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2862
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2863run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2864 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2865 "$O_CLI -key data_files/server5.key \
2866 -cert data_files/server5.eku-cli.crt" \
2867 0 \
2868 -S "bad certificate (usage extensions)" \
2869 -S "Processing of the Certificate handshake message failed"
2870
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2871run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2872 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2873 "$O_CLI -key data_files/server5.key \
2874 -cert data_files/server5.eku-srv_cli.crt" \
2875 0 \
2876 -S "bad certificate (usage extensions)" \
2877 -S "Processing of the Certificate handshake message failed"
2878
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2879run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2880 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2881 "$O_CLI -key data_files/server5.key \
2882 -cert data_files/server5.eku-cs_any.crt" \
2883 0 \
2884 -S "bad certificate (usage extensions)" \
2885 -S "Processing of the Certificate handshake message failed"
2886
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2887run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2888 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2889 "$O_CLI -key data_files/server5.key \
2890 -cert data_files/server5.eku-cs.crt" \
2891 0 \
2892 -s "bad certificate (usage extensions)" \
2893 -S "Processing of the Certificate handshake message failed"
2894
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2895run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2896 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2897 "$O_CLI -key data_files/server5.key \
2898 -cert data_files/server5.eku-cs.crt" \
2899 1 \
2900 -s "bad certificate (usage extensions)" \
2901 -s "Processing of the Certificate handshake message failed"
2902
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2903# Tests for DHM parameters loading
2904
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2905run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2906 "$P_SRV" \
2907 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2908 debug_level=3" \
2909 0 \
2910 -c "value of 'DHM: P ' (2048 bits)" \
2911 -c "value of 'DHM: G ' (2048 bits)"
2912
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2913run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2914 "$P_SRV dhm_file=data_files/dhparams.pem" \
2915 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2916 debug_level=3" \
2917 0 \
2918 -c "value of 'DHM: P ' (1024 bits)" \
2919 -c "value of 'DHM: G ' (2 bits)"
2920
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]2921# Tests for DHM client-side size checking
2922
2923run_test "DHM size: server default, client default, OK" \
2924 "$P_SRV" \
2925 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2926 debug_level=1" \
2927 0 \
2928 -C "DHM prime too short:"
2929
2930run_test "DHM size: server default, client 2048, OK" \
2931 "$P_SRV" \
2932 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2933 debug_level=1 dhmlen=2048" \
2934 0 \
2935 -C "DHM prime too short:"
2936
2937run_test "DHM size: server 1024, client default, OK" \
2938 "$P_SRV dhm_file=data_files/dhparams.pem" \
2939 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2940 debug_level=1" \
2941 0 \
2942 -C "DHM prime too short:"
2943
2944run_test "DHM size: server 1000, client default, rejected" \
2945 "$P_SRV dhm_file=data_files/dh.1000.pem" \
2946 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2947 debug_level=1" \
2948 1 \
2949 -c "DHM prime too short:"
2950
2951run_test "DHM size: server default, client 2049, rejected" \
2952 "$P_SRV" \
2953 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2954 debug_level=1 dhmlen=2049" \
2955 1 \
2956 -c "DHM prime too short:"
2957
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2958# Tests for PSK callback
2959
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2960run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2961 "$P_SRV psk=abc123 psk_identity=foo" \
2962 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2963 psk_identity=foo psk=abc123" \
2964 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2965 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2966 -S "SSL - Unknown identity received" \
2967 -S "SSL - Verification of the message MAC failed"
2968
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2969run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2970 "$P_SRV" \
2971 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2972 psk_identity=foo psk=abc123" \
2973 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2974 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2975 -S "SSL - Unknown identity received" \
2976 -S "SSL - Verification of the message MAC failed"
2977
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2978run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2979 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2980 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2981 psk_identity=foo psk=abc123" \
2982 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2983 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2984 -s "SSL - Unknown identity received" \
2985 -S "SSL - Verification of the message MAC failed"
2986
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2987run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2988 "$P_SRV psk_list=abc,dead,def,beef" \
2989 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2990 psk_identity=abc psk=dead" \
2991 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2992 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2993 -S "SSL - Unknown identity received" \
2994 -S "SSL - Verification of the message MAC failed"
2995
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2996run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2997 "$P_SRV psk_list=abc,dead,def,beef" \
2998 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2999 psk_identity=def psk=beef" \
3000 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3001 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3002 -S "SSL - Unknown identity received" \
3003 -S "SSL - Verification of the message MAC failed"
3004
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3005run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3006 "$P_SRV psk_list=abc,dead,def,beef" \
3007 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3008 psk_identity=ghi psk=beef" \
3009 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3010 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3011 -s "SSL - Unknown identity received" \
3012 -S "SSL - Verification of the message MAC failed"
3013
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3014run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3015 "$P_SRV psk_list=abc,dead,def,beef" \
3016 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3017 psk_identity=abc psk=beef" \
3018 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3019 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3020 -S "SSL - Unknown identity received" \
3021 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3022
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3023# Tests for EC J-PAKE
3024
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3025requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3026run_test "ECJPAKE: client not configured" \
3027 "$P_SRV debug_level=3" \
3028 "$P_CLI debug_level=3" \
3029 0 \
3030 -C "add ciphersuite: c0ff" \
3031 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3032 -S "found ecjpake kkpp extension" \
3033 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3034 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3035 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3036 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3037 -S "None of the common ciphersuites is usable"
3038
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3039requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3040run_test "ECJPAKE: server not configured" \
3041 "$P_SRV debug_level=3" \
3042 "$P_CLI debug_level=3 ecjpake_pw=bla \
3043 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3044 1 \
3045 -c "add ciphersuite: c0ff" \
3046 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3047 -s "found ecjpake kkpp extension" \
3048 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3049 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3050 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3051 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3052 -s "None of the common ciphersuites is usable"
3053
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3054requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3055run_test "ECJPAKE: working, TLS" \
3056 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3057 "$P_CLI debug_level=3 ecjpake_pw=bla \
3058 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3059 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3060 -c "add ciphersuite: c0ff" \
3061 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3062 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3063 -s "found ecjpake kkpp extension" \
3064 -S "skip ecjpake kkpp extension" \
3065 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3066 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3067 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3068 -S "None of the common ciphersuites is usable" \
3069 -S "SSL - Verification of the message MAC failed"
3070
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3071server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3072requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3073run_test "ECJPAKE: password mismatch, TLS" \
3074 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3075 "$P_CLI debug_level=3 ecjpake_pw=bad \
3076 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3077 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3078 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3079 -s "SSL - Verification of the message MAC failed"
3080
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3081requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3082run_test "ECJPAKE: working, DTLS" \
3083 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3084 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3085 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3086 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3087 -c "re-using cached ecjpake parameters" \
3088 -S "SSL - Verification of the message MAC failed"
3089
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3090requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3091run_test "ECJPAKE: working, DTLS, no cookie" \
3092 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3093 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3094 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3095 0 \
3096 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3097 -S "SSL - Verification of the message MAC failed"
3098
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3099server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3100requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3101run_test "ECJPAKE: password mismatch, DTLS" \
3102 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3103 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3104 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3105 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3106 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3107 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3108
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3109# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3110requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3111run_test "ECJPAKE: working, DTLS, nolog" \
3112 "$P_SRV dtls=1 ecjpake_pw=bla" \
3113 "$P_CLI dtls=1 ecjpake_pw=bla \
3114 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3115 0
3116
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3117# Tests for ciphersuites per version
3118
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3119requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3120run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3121 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3122 "$P_CLI force_version=ssl3" \
3123 0 \
3124 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3125
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3126run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3127 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3128 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3129 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3130 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3131
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3132run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3133 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3134 "$P_CLI force_version=tls1_1" \
3135 0 \
3136 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3137
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3138run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3139 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3140 "$P_CLI force_version=tls1_2" \
3141 0 \
3142 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3143
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3144# Test for ClientHello without extensions
3145
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3146requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3147run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3148 "$P_SRV debug_level=3" \
3149 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3150 0 \
3151 -s "dumping 'client hello extensions' (0 bytes)"
3152
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3153requires_gnutls
3154run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3155 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3156 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3157 0 \
3158 -s "dumping 'client hello extensions' (0 bytes)"
3159
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3160# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3162run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3163 "$P_SRV" \
3164 "$P_CLI request_size=100" \
3165 0 \
3166 -s "Read from client: 100 bytes read$"
3167
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3168run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3169 "$P_SRV" \
3170 "$P_CLI request_size=500" \
3171 0 \
3172 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3173
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3174# Tests for small packets
3175
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3176requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3177run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3178 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3179 "$P_CLI request_size=1 force_version=ssl3 \
3180 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3181 0 \
3182 -s "Read from client: 1 bytes read"
3183
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3184requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3185run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3186 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3187 "$P_CLI request_size=1 force_version=ssl3 \
3188 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3189 0 \
3190 -s "Read from client: 1 bytes read"
3191
3192run_test "Small packet TLS 1.0 BlockCipher" \
3193 "$P_SRV" \
3194 "$P_CLI request_size=1 force_version=tls1 \
3195 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3196 0 \
3197 -s "Read from client: 1 bytes read"
3198
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3199run_test "Small packet TLS 1.0 BlockCipher without EtM" \
3200 "$P_SRV" \
3201 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3202 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3203 0 \
3204 -s "Read from client: 1 bytes read"
3205
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3206run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
3207 "$P_SRV" \
3208 "$P_CLI request_size=1 force_version=tls1 \
3209 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3210 trunc_hmac=1" \
3211 0 \
3212 -s "Read from client: 1 bytes read"
3213
3214run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3215 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3216 "$P_CLI request_size=1 force_version=tls1 \
3217 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3218 trunc_hmac=1" \
3219 0 \
3220 -s "Read from client: 1 bytes read"
3221
3222run_test "Small packet TLS 1.1 BlockCipher" \
3223 "$P_SRV" \
3224 "$P_CLI request_size=1 force_version=tls1_1 \
3225 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3226 0 \
3227 -s "Read from client: 1 bytes read"
3228
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3229run_test "Small packet TLS 1.1 BlockCipher without EtM" \
3230 "$P_SRV" \
3231 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
3232 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3233 0 \
3234 -s "Read from client: 1 bytes read"
3235
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3236run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3237 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3238 "$P_CLI request_size=1 force_version=tls1_1 \
3239 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3240 0 \
3241 -s "Read from client: 1 bytes read"
3242
3243run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
3244 "$P_SRV" \
3245 "$P_CLI request_size=1 force_version=tls1_1 \
3246 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3247 trunc_hmac=1" \
3248 0 \
3249 -s "Read from client: 1 bytes read"
3250
3251run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3252 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3253 "$P_CLI request_size=1 force_version=tls1_1 \
3254 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3255 trunc_hmac=1" \
3256 0 \
3257 -s "Read from client: 1 bytes read"
3258
3259run_test "Small packet TLS 1.2 BlockCipher" \
3260 "$P_SRV" \
3261 "$P_CLI request_size=1 force_version=tls1_2 \
3262 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3263 0 \
3264 -s "Read from client: 1 bytes read"
3265
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3266run_test "Small packet TLS 1.2 BlockCipher without EtM" \
3267 "$P_SRV" \
3268 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
3269 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3270 0 \
3271 -s "Read from client: 1 bytes read"
3272
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3273run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3274 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3275 "$P_CLI request_size=1 force_version=tls1_2 \
3276 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3277 0 \
3278 -s "Read from client: 1 bytes read"
3279
3280run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
3281 "$P_SRV" \
3282 "$P_CLI request_size=1 force_version=tls1_2 \
3283 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3284 trunc_hmac=1" \
3285 0 \
3286 -s "Read from client: 1 bytes read"
3287
3288run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3289 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3290 "$P_CLI request_size=1 force_version=tls1_2 \
3291 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3292 0 \
3293 -s "Read from client: 1 bytes read"
3294
3295run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3296 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3297 "$P_CLI request_size=1 force_version=tls1_2 \
3298 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3299 trunc_hmac=1" \
3300 0 \
3301 -s "Read from client: 1 bytes read"
3302
3303run_test "Small packet TLS 1.2 AEAD" \
3304 "$P_SRV" \
3305 "$P_CLI request_size=1 force_version=tls1_2 \
3306 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3307 0 \
3308 -s "Read from client: 1 bytes read"
3309
3310run_test "Small packet TLS 1.2 AEAD shorter tag" \
3311 "$P_SRV" \
3312 "$P_CLI request_size=1 force_version=tls1_2 \
3313 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3314 0 \
3315 -s "Read from client: 1 bytes read"
3316
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]3317# A test for extensions in SSLv3
3318
3319requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3320run_test "SSLv3 with extensions, server side" \
3321 "$P_SRV min_version=ssl3 debug_level=3" \
3322 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3323 0 \
3324 -S "dumping 'client hello extensions'" \
3325 -S "server hello, total extension length:"
3326
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3327# Test for large packets
3328
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3329requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3330run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3331 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3332 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3333 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3334 0 \
3335 -s "Read from client: 16384 bytes read"
3336
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3337requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3338run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3339 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3340 "$P_CLI request_size=16384 force_version=ssl3 \
3341 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3342 0 \
3343 -s "Read from client: 16384 bytes read"
3344
3345run_test "Large packet TLS 1.0 BlockCipher" \
3346 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3347 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3348 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3349 0 \
3350 -s "Read from client: 16384 bytes read"
3351
3352run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
3353 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3354 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3355 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3356 trunc_hmac=1" \
3357 0 \
3358 -s "Read from client: 16384 bytes read"
3359
3360run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3361 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3362 "$P_CLI request_size=16384 force_version=tls1 \
3363 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3364 trunc_hmac=1" \
3365 0 \
3366 -s "Read from client: 16384 bytes read"
3367
3368run_test "Large packet TLS 1.1 BlockCipher" \
3369 "$P_SRV" \
3370 "$P_CLI request_size=16384 force_version=tls1_1 \
3371 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3372 0 \
3373 -s "Read from client: 16384 bytes read"
3374
3375run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3376 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3377 "$P_CLI request_size=16384 force_version=tls1_1 \
3378 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3379 0 \
3380 -s "Read from client: 16384 bytes read"
3381
3382run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
3383 "$P_SRV" \
3384 "$P_CLI request_size=16384 force_version=tls1_1 \
3385 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3386 trunc_hmac=1" \
3387 0 \
3388 -s "Read from client: 16384 bytes read"
3389
3390run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3391 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3392 "$P_CLI request_size=16384 force_version=tls1_1 \
3393 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3394 trunc_hmac=1" \
3395 0 \
3396 -s "Read from client: 16384 bytes read"
3397
3398run_test "Large packet TLS 1.2 BlockCipher" \
3399 "$P_SRV" \
3400 "$P_CLI request_size=16384 force_version=tls1_2 \
3401 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3402 0 \
3403 -s "Read from client: 16384 bytes read"
3404
3405run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3406 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3407 "$P_CLI request_size=16384 force_version=tls1_2 \
3408 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3409 0 \
3410 -s "Read from client: 16384 bytes read"
3411
3412run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
3413 "$P_SRV" \
3414 "$P_CLI request_size=16384 force_version=tls1_2 \
3415 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3416 trunc_hmac=1" \
3417 0 \
3418 -s "Read from client: 16384 bytes read"
3419
3420run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3421 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3422 "$P_CLI request_size=16384 force_version=tls1_2 \
3423 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3424 0 \
3425 -s "Read from client: 16384 bytes read"
3426
3427run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3428 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3429 "$P_CLI request_size=16384 force_version=tls1_2 \
3430 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3431 trunc_hmac=1" \
3432 0 \
3433 -s "Read from client: 16384 bytes read"
3434
3435run_test "Large packet TLS 1.2 AEAD" \
3436 "$P_SRV" \
3437 "$P_CLI request_size=16384 force_version=tls1_2 \
3438 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3439 0 \
3440 -s "Read from client: 16384 bytes read"
3441
3442run_test "Large packet TLS 1.2 AEAD shorter tag" \
3443 "$P_SRV" \
3444 "$P_CLI request_size=16384 force_version=tls1_2 \
3445 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3446 0 \
3447 -s "Read from client: 16384 bytes read"
3448
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3449# Tests for DTLS HelloVerifyRequest
3450
3451run_test "DTLS cookie: enabled" \
3452 "$P_SRV dtls=1 debug_level=2" \
3453 "$P_CLI dtls=1 debug_level=2" \
3454 0 \
3455 -s "cookie verification failed" \
3456 -s "cookie verification passed" \
3457 -S "cookie verification skipped" \
3458 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3459 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3460 -S "SSL - The requested feature is not available"
3461
3462run_test "DTLS cookie: disabled" \
3463 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3464 "$P_CLI dtls=1 debug_level=2" \
3465 0 \
3466 -S "cookie verification failed" \
3467 -S "cookie verification passed" \
3468 -s "cookie verification skipped" \
3469 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3470 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3471 -S "SSL - The requested feature is not available"
3472
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3473run_test "DTLS cookie: default (failing)" \
3474 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3475 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3476 1 \
3477 -s "cookie verification failed" \
3478 -S "cookie verification passed" \
3479 -S "cookie verification skipped" \
3480 -C "received hello verify request" \
3481 -S "hello verification requested" \
3482 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3483
3484requires_ipv6
3485run_test "DTLS cookie: enabled, IPv6" \
3486 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3487 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3488 0 \
3489 -s "cookie verification failed" \
3490 -s "cookie verification passed" \
3491 -S "cookie verification skipped" \
3492 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3493 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3494 -S "SSL - The requested feature is not available"
3495
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3496run_test "DTLS cookie: enabled, nbio" \
3497 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3498 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3499 0 \
3500 -s "cookie verification failed" \
3501 -s "cookie verification passed" \
3502 -S "cookie verification skipped" \
3503 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3504 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3505 -S "SSL - The requested feature is not available"
3506
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3507# Tests for client reconnecting from the same port with DTLS
3508
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3509not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3510run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3511 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3512 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3513 0 \
3514 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3515 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3516 -S "Client initiated reconnection from same port"
3517
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3518not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3519run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3520 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3521 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3522 0 \
3523 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3524 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3525 -s "Client initiated reconnection from same port"
3526
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3527not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3528run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3529 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3530 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3531 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3532 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3533 -s "Client initiated reconnection from same port"
3534
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3535only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3536run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3537 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3538 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3539 0 \
3540 -S "The operation timed out" \
3541 -s "Client initiated reconnection from same port"
3542
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3543run_test "DTLS client reconnect from same port: no cookies" \
3544 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]3545 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3546 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3547 -s "The operation timed out" \
3548 -S "Client initiated reconnection from same port"
3549
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3550# Tests for various cases of client authentication with DTLS
3551# (focused on handshake flows and message parsing)
3552
3553run_test "DTLS client auth: required" \
3554 "$P_SRV dtls=1 auth_mode=required" \
3555 "$P_CLI dtls=1" \
3556 0 \
3557 -s "Verifying peer X.509 certificate... ok"
3558
3559run_test "DTLS client auth: optional, client has no cert" \
3560 "$P_SRV dtls=1 auth_mode=optional" \
3561 "$P_CLI dtls=1 crt_file=none key_file=none" \
3562 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3563 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3564
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3565run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3566 "$P_SRV dtls=1 auth_mode=none" \
3567 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
3568 0 \
3569 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3570 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3571
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]3572run_test "DTLS wrong PSK: badmac alert" \
3573 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3574 "$P_CLI dtls=1 psk=abc124" \
3575 1 \
3576 -s "SSL - Verification of the message MAC failed" \
3577 -c "SSL - A fatal alert message was received from our peer"
3578
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3579# Tests for receiving fragmented handshake messages with DTLS
3580
3581requires_gnutls
3582run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3583 "$G_SRV -u --mtu 2048 -a" \
3584 "$P_CLI dtls=1 debug_level=2" \
3585 0 \
3586 -C "found fragmented DTLS handshake message" \
3587 -C "error"
3588
3589requires_gnutls
3590run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3591 "$G_SRV -u --mtu 512" \
3592 "$P_CLI dtls=1 debug_level=2" \
3593 0 \
3594 -c "found fragmented DTLS handshake message" \
3595 -C "error"
3596
3597requires_gnutls
3598run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3599 "$G_SRV -u --mtu 128" \
3600 "$P_CLI dtls=1 debug_level=2" \
3601 0 \
3602 -c "found fragmented DTLS handshake message" \
3603 -C "error"
3604
3605requires_gnutls
3606run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3607 "$G_SRV -u --mtu 128" \
3608 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3609 0 \
3610 -c "found fragmented DTLS handshake message" \
3611 -C "error"
3612
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3613requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3614run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3615 "$G_SRV -u --mtu 256" \
3616 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3617 0 \
3618 -c "found fragmented DTLS handshake message" \
3619 -c "client hello, adding renegotiation extension" \
3620 -c "found renegotiation extension" \
3621 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3622 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3623 -C "error" \
3624 -s "Extra-header:"
3625
3626requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3627run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3628 "$G_SRV -u --mtu 256" \
3629 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3630 0 \
3631 -c "found fragmented DTLS handshake message" \
3632 -c "client hello, adding renegotiation extension" \
3633 -c "found renegotiation extension" \
3634 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3635 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3636 -C "error" \
3637 -s "Extra-header:"
3638
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3639run_test "DTLS reassembly: no fragmentation (openssl server)" \
3640 "$O_SRV -dtls1 -mtu 2048" \
3641 "$P_CLI dtls=1 debug_level=2" \
3642 0 \
3643 -C "found fragmented DTLS handshake message" \
3644 -C "error"
3645
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3646run_test "DTLS reassembly: some fragmentation (openssl server)" \
3647 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3648 "$P_CLI dtls=1 debug_level=2" \
3649 0 \
3650 -c "found fragmented DTLS handshake message" \
3651 -C "error"
3652
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3653run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3654 "$O_SRV -dtls1 -mtu 256" \
3655 "$P_CLI dtls=1 debug_level=2" \
3656 0 \
3657 -c "found fragmented DTLS handshake message" \
3658 -C "error"
3659
3660run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3661 "$O_SRV -dtls1 -mtu 256" \
3662 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3663 0 \
3664 -c "found fragmented DTLS handshake message" \
3665 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3666
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3667# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3668
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3669not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3670run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3671 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3672 "$P_SRV dtls=1 debug_level=2" \
3673 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3674 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3675 -C "replayed record" \
3676 -S "replayed record" \
3677 -C "record from another epoch" \
3678 -S "record from another epoch" \
3679 -C "discarding invalid record" \
3680 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3681 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3682 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3683 -c "HTTP/1.0 200 OK"
3684
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3685not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3686run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3687 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3688 "$P_SRV dtls=1 debug_level=2" \
3689 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3690 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3691 -c "replayed record" \
3692 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3693 -c "discarding invalid record" \
3694 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3695 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3696 -s "Extra-header:" \
3697 -c "HTTP/1.0 200 OK"
3698
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3699run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3700 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3701 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3702 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3703 0 \
3704 -c "replayed record" \
3705 -S "replayed record" \
3706 -c "discarding invalid record" \
3707 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3708 -c "resend" \
3709 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3710 -s "Extra-header:" \
3711 -c "HTTP/1.0 200 OK"
3712
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3713run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3714 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3715 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3716 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3717 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3718 -c "discarding invalid record (mac)" \
3719 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3720 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3721 -c "HTTP/1.0 200 OK" \
3722 -S "too many records with bad MAC" \
3723 -S "Verification of the message MAC failed"
3724
3725run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3726 -p "$P_PXY bad_ad=1" \
3727 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3728 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3729 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3730 -C "discarding invalid record (mac)" \
3731 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3732 -S "Extra-header:" \
3733 -C "HTTP/1.0 200 OK" \
3734 -s "too many records with bad MAC" \
3735 -s "Verification of the message MAC failed"
3736
3737run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3738 -p "$P_PXY bad_ad=1" \
3739 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3740 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3741 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3742 -c "discarding invalid record (mac)" \
3743 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3744 -s "Extra-header:" \
3745 -c "HTTP/1.0 200 OK" \
3746 -S "too many records with bad MAC" \
3747 -S "Verification of the message MAC failed"
3748
3749run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3750 -p "$P_PXY bad_ad=1" \
3751 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3752 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3753 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3754 -c "discarding invalid record (mac)" \
3755 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3756 -s "Extra-header:" \
3757 -c "HTTP/1.0 200 OK" \
3758 -s "too many records with bad MAC" \
3759 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3760
3761run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3762 -p "$P_PXY delay_ccs=1" \
3763 "$P_SRV dtls=1 debug_level=1" \
3764 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3765 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3766 -c "record from another epoch" \
3767 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3768 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3769 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3770 -s "Extra-header:" \
3771 -c "HTTP/1.0 200 OK"
3772
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3773# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3774
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3775client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3776run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3777 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3778 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3779 psk=abc123" \
3780 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3781 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3782 0 \
3783 -s "Extra-header:" \
3784 -c "HTTP/1.0 200 OK"
3785
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3786client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3787run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3788 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3789 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3790 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3791 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3792 0 \
3793 -s "Extra-header:" \
3794 -c "HTTP/1.0 200 OK"
3795
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3796client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3797run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3798 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3799 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3800 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3801 0 \
3802 -s "Extra-header:" \
3803 -c "HTTP/1.0 200 OK"
3804
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3805client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3806run_test "DTLS proxy: 3d, FS, client auth" \
3807 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3808 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3809 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3810 0 \
3811 -s "Extra-header:" \
3812 -c "HTTP/1.0 200 OK"
3813
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3814client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3815run_test "DTLS proxy: 3d, FS, ticket" \
3816 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3817 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3818 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3819 0 \
3820 -s "Extra-header:" \
3821 -c "HTTP/1.0 200 OK"
3822
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3823client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3824run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3825 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3826 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3827 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3828 0 \
3829 -s "Extra-header:" \
3830 -c "HTTP/1.0 200 OK"
3831
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3832client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3833run_test "DTLS proxy: 3d, max handshake, nbio" \
3834 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3835 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3836 auth_mode=required" \
3837 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3838 0 \
3839 -s "Extra-header:" \
3840 -c "HTTP/1.0 200 OK"
3841
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3842client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]3843run_test "DTLS proxy: 3d, min handshake, resumption" \
3844 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3845 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3846 psk=abc123 debug_level=3" \
3847 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3848 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3849 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3850 0 \
3851 -s "a session has been resumed" \
3852 -c "a session has been resumed" \
3853 -s "Extra-header:" \
3854 -c "HTTP/1.0 200 OK"
3855
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3856client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]3857run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3858 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3859 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3860 psk=abc123 debug_level=3 nbio=2" \
3861 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3862 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3863 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3864 0 \
3865 -s "a session has been resumed" \
3866 -c "a session has been resumed" \
3867 -s "Extra-header:" \
3868 -c "HTTP/1.0 200 OK"
3869
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3870client_needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3871run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3872 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3873 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3874 psk=abc123 renegotiation=1 debug_level=2" \
3875 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3876 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3877 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3878 0 \
3879 -c "=> renegotiate" \
3880 -s "=> renegotiate" \
3881 -s "Extra-header:" \
3882 -c "HTTP/1.0 200 OK"
3883
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3884client_needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3885run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
3886 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3887 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3888 psk=abc123 renegotiation=1 debug_level=2" \
3889 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3890 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3891 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3892 0 \
3893 -c "=> renegotiate" \
3894 -s "=> renegotiate" \
3895 -s "Extra-header:" \
3896 -c "HTTP/1.0 200 OK"
3897
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3898client_needs_more_time 4
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3899run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3900 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3901 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3902 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3903 debug_level=2" \
3904 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3905 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3906 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3907 0 \
3908 -c "=> renegotiate" \
3909 -s "=> renegotiate" \
3910 -s "Extra-header:" \
3911 -c "HTTP/1.0 200 OK"
3912
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3913client_needs_more_time 4
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3914run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3915 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3916 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3917 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3918 debug_level=2 nbio=2" \
3919 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3920 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3921 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3922 0 \
3923 -c "=> renegotiate" \
3924 -s "=> renegotiate" \
3925 -s "Extra-header:" \
3926 -c "HTTP/1.0 200 OK"
3927
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3928client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3929not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3930run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3931 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3932 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3933 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3934 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3935 -c "HTTP/1.0 200 OK"
3936
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3937client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3938not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3939run_test "DTLS proxy: 3d, openssl server, fragmentation" \
3940 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3941 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3942 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3943 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3944 -c "HTTP/1.0 200 OK"
3945
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3946client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3947not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3948run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
3949 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3950 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3951 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3952 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3953 -c "HTTP/1.0 200 OK"
3954
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3955requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3956client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3957not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3958run_test "DTLS proxy: 3d, gnutls server" \
3959 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3960 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3961 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3962 0 \
3963 -s "Extra-header:" \
3964 -c "Extra-header:"
3965
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3966requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3967client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3968not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3969run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
3970 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3971 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3972 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3973 0 \
3974 -s "Extra-header:" \
3975 -c "Extra-header:"
3976
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3977requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3978client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3979not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3980run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
3981 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3982 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3983 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3984 0 \
3985 -s "Extra-header:" \
3986 -c "Extra-header:"
3987
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3988# Final report
3989
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3990echo "------------------------------------------------------------------------"
3991
3992if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]3993 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3994else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]3995 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3996fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]3997PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]3998echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3999
4000exit $FAILS