#!/bin/sh

# ssl-opt.sh
#
# Copyright (c) 2016, ARM Limited, All Rights Reserved
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This file is part of Mbed TLS (https://tls.mbed.org)
#
# Purpose
#
# Executes tests to prove various TLS/SSL options and extensions.
#
# The goal is not to cover every ciphersuite/version, but instead to cover
# specific options (max fragment length, truncated hmac, etc) or procedures
# (session resumption from cache or ticket, renego, etc).
#
# The tests assume a build with default options, with exceptions expressed
# with a dependency. The tests focus on functionality and do not consider
# performance.
#

# Expanding an unset variable is an error from here on.
set -u

# Limit the size of each log to 10 GiB, in case of failures with this script
# where it may output seemingly unlimited length error logs.
ulimit -f 20971520

# Default values; each can be overridden by the environment.
# The expansions are quoted so that an overriding value is not subject to
# word splitting or globbing while it is being assigned.
: "${P_SRV:=../programs/ssl/ssl_server2}"
: "${P_CLI:=../programs/ssl/ssl_client2}"
: "${P_PXY:=../programs/test/udp_proxy}"
: "${OPENSSL_CMD:=openssl}" # OPENSSL would conflict with the build system
: "${GNUTLS_CLI:=gnutls-cli}"
: "${GNUTLS_SERV:=gnutls-serv}"
: "${PERL:=perl}"

# Command-line templates for the peer implementations. The client templates
# contain a shell pipeline and are later executed through eval in run_test(),
# so the environment overrides above are treated as trusted input.
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12u.crt"
TCP_CLIENT="$PERL scripts/tcp_client.pl"

# Result counters.
TESTS=0; FAILS=0; SKIPS=0

CONFIG_H='../include/mbedtls/config.h'

# Option defaults (see get_options).
MEMCHECK=0
FILTER='.*'
EXCLUDE='^$'
SHOW_TEST_NUMBER=0
RUN_TEST_NUMBER=''
PRESERVE_LOGS=0

# Pick a "unique" server port in the range 10000-19999, and a proxy
# port which is this plus 10000. Each port number may be independently
# overridden by a command line option.
SRV_PORT=$(( $$ % 10000 + 10000 ))
PXY_PORT=$(( SRV_PORT + 10000 ))

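# print_usage
#
# Print the command-line help to stdout.
# Reads the globals FILTER and EXCLUDE to show the current defaults.
print_usage() {
    echo "Usage: $0 [options]"
    printf " -h|--help\tPrint this help.\n"
    printf " -m|--memcheck\tCheck memory leaks and errors.\n"
    # FILTER and EXCLUDE may already hold user-supplied patterns (options are
    # processed in order), so pass them as arguments rather than splicing
    # them into the format string, where a '%' or '\' would be interpreted.
    printf " -f|--filter\tOnly matching tests are executed (BRE; default: '%s')\n" "$FILTER"
    printf " -e|--exclude\tMatching tests are excluded (BRE; default: '%s')\n" "$EXCLUDE"
    printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
    printf " -s|--show-numbers\tShow test numbers in front of test names\n"
    printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
    printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
    printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
    printf " --seed\tInteger seed value to use for this test run\n"
}
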
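# get_options [args...]
#
# Parse the script's command line and set the option globals:
# FILTER, EXCLUDE, MEMCHECK, RUN_TEST_NUMBER, SHOW_TEST_NUMBER,
# PRESERVE_LOGS, SRV_PORT, PXY_PORT and SEED.
# Prints the usage and exits 0 on -h/--help; exits 1 on an unknown argument,
# on an option that is missing its value, or on a non-numeric port.
get_options() {
    while [ $# -gt 0 ]; do
        # Options that take a value must be followed by one; otherwise the
        # 'shift; VAR=$1' below would read an unset parameter.
        case "$1" in
            -f|--filter|-e|--exclude|-n|--number|--port|--proxy-port|--seed)
                if [ $# -lt 2 ]; then
                    echo "Option '$1' requires an argument" >&2
                    print_usage
                    exit 1
                fi
                ;;
        esac
        case "$1" in
            -f|--filter)
                shift; FILTER=$1
                ;;
            -e|--exclude)
                shift; EXCLUDE=$1
                ;;
            -m|--memcheck)
                MEMCHECK=1
                ;;
            -n|--number)
                shift; RUN_TEST_NUMBER=$1
                ;;
            -s|--show-numbers)
                SHOW_TEST_NUMBER=1
                ;;
            -p|--preserve-logs)
                PRESERVE_LOGS=1
                ;;
            --port)
                shift
                # The port is later spliced into command lines and a sed
                # script, so accept digits only.
                case "$1" in
                    ''|*[!0-9]*)
                        echo "Invalid port number: '$1'" >&2
                        exit 1
                        ;;
                esac
                SRV_PORT=$1
                ;;
            --proxy-port)
                shift
                case "$1" in
                    ''|*[!0-9]*)
                        echo "Invalid proxy port number: '$1'" >&2
                        exit 1
                        ;;
                esac
                PXY_PORT=$1
                ;;
            --seed)
                shift; SEED="$1"
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done
}
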
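# requires_config_enabled <macro>
#
# Skip the next test (SKIP_NEXT="YES") if the flag is not enabled in config.h.
# The macro name must match as a whole identifier: a bare prefix match would
# treat FOO as enabled whenever FOO_BAR is defined, and the dependent test
# would then run against a build that lacks the feature.
requires_config_enabled() {
    if grep -e "^#define $1[[:space:]]" -e "^#define $1\$" "$CONFIG_H" > /dev/null; then :; else
        SKIP_NEXT="YES"
    fi
}
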
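# requires_config_disabled <macro>
#
# Skip the next test (SKIP_NEXT="YES") if the flag is enabled in config.h.
# The macro name must match as a whole identifier, so that a defined FOO_BAR
# does not make FOO look enabled and skip a test that should have run.
requires_config_disabled() {
    if grep -e "^#define $1[[:space:]]" -e "^#define $1\$" "$CONFIG_H" > /dev/null; then
        SKIP_NEXT="YES"
    fi
}
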
# requires_openssl_with_fallback_scsv
#
# Skip the next test if OpenSSL doesn't support FALLBACK_SCSV.
# The probe (looking for "fallback_scsv" in the s_client help text) runs at
# most once; its result is cached in OPENSSL_HAS_FBSCSV.
requires_openssl_with_fallback_scsv() {
    case "${OPENSSL_HAS_FBSCSV:-}" in
        "")
            # $OPENSSL_CMD is left unquoted, as elsewhere in this script.
            if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
            then
                OPENSSL_HAS_FBSCSV="YES"
            else
                OPENSSL_HAS_FBSCSV="NO"
            fi
            ;;
    esac
    [ "$OPENSSL_HAS_FBSCSV" != "NO" ] || SKIP_NEXT="YES"
}

# requires_gnutls
#
# Skip the next test if GnuTLS isn't available, i.e. unless both
# $GNUTLS_CLI and $GNUTLS_SERV are found by 'which'.
# The lookup runs at most once; its result is cached in GNUTLS_AVAILABLE.
requires_gnutls() {
    case "${GNUTLS_AVAILABLE:-}" in
        "")
            GNUTLS_AVAILABLE="NO"
            if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
                GNUTLS_AVAILABLE="YES"
            fi
            ;;
    esac
    [ "$GNUTLS_AVAILABLE" != "NO" ] || SKIP_NEXT="YES"
}

# requires_ipv6
#
# Skip the next test if IPv6 isn't available on this host.
# Detection: start $P_SRV bound to ::1 for one second and look for the
# socket-binding error in its output. The result is cached in HAS_IPV6.
# Uses SRV_OUT as a scratch log and overwrites SRV_PID.
requires_ipv6() {
    if [ -z "${HAS_IPV6:-}" ]; then
        # $P_SRV holds a command line (program plus arguments), hence unquoted.
        $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
        SRV_PID=$!
        sleep 1
        kill $SRV_PID >/dev/null 2>&1

        HAS_IPV6="YES"
        if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
            HAS_IPV6="NO"
        fi
        rm -r $SRV_OUT
    fi

    [ "$HAS_IPV6" != "NO" ] || SKIP_NEXT="YES"
}

# not_with_valgrind
#
# Skip the next test if valgrind is in use (MEMCHECK greater than 0).
not_with_valgrind() {
    [ "$MEMCHECK" -gt 0 ] && SKIP_NEXT="YES"
    return 0
}

# only_with_valgrind
#
# Skip the next test if valgrind is NOT in use (MEMCHECK equal to 0).
only_with_valgrind() {
    [ "$MEMCHECK" -eq 0 ] && SKIP_NEXT="YES"
    return 0
}

# client_needs_more_time <factor>
#
# Multiply the client timeout delay by the given factor for the next test.
# The factor is stored in CLI_DELAY_FACTOR, which wait_client_done() resets
# to 1 after using it.
client_needs_more_time() {
    CLI_DELAY_FACTOR="$1"
}

# server_needs_more_time <seconds>
#
# Wait for the given number of seconds after the client finished in the
# next test. The value is stored in SRV_DELAY_SECONDS, which
# wait_client_done() resets to 0 after using it.
server_needs_more_time() {
    SRV_DELAY_SECONDS="$1"
}

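# print_name <name>
#
# Increment the test counter TESTS and print the test name (prefixed with
# its number when SHOW_TEST_NUMBER is set), followed by a dotted leader.
# No newline is printed: the result word is appended by the caller.
# Overwrites the globals LINE, LEN and i.
print_name() {
    TESTS=$(( $TESTS + 1 ))
    LINE=""

    if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
        LINE="$TESTS "
    fi

    LINE="$LINE$1"
    # The name is data, not a format string: a '%' or '\' in a test name
    # must be printed literally.
    printf '%s ' "$LINE"
    LEN=$(( 72 - $(echo "$LINE" | wc -c) ))
    # Counted loop instead of seq: prints nothing when LEN is zero or
    # negative, whatever seq implementation is installed.
    i=1
    while [ "$i" -le "$LEN" ]; do
        printf '.'
        i=$(( i + 1 ))
    done
    printf ' '

}
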
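# fail <message>
#
# Report the current test as failed: print FAIL and the message, keep the
# server/client (and proxy, when PXY_CMD is set) logs as o-XXX-<TESTS>.log,
# and increment FAILS. The logs are also dumped to stdout when running as
# user "buildbot" or when LOG_FAILURE_ON_STDOUT is set to a non-zero value.
fail() {
    echo "FAIL"
    echo " ! $1"

    # File names are quoted so that a log path containing whitespace is
    # moved as one file instead of being split into several arguments.
    mv "$SRV_OUT" "o-srv-${TESTS}.log"
    mv "$CLI_OUT" "o-cli-${TESTS}.log"
    if [ -n "$PXY_CMD" ]; then
        mv "$PXY_OUT" "o-pxy-${TESTS}.log"
    fi
    echo " ! outputs saved to o-XXX-${TESTS}.log"

    # Separate tests joined with || replace the obsolescent '-o' operator.
    if [ "X${USER:-}" = Xbuildbot ] || [ "X${LOGNAME:-}" = Xbuildbot ] ||
       [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
        echo " ! server output:"
        cat "o-srv-${TESTS}.log"
        echo " ! ========================================================"
        echo " ! client output:"
        cat "o-cli-${TESTS}.log"
        if [ -n "$PXY_CMD" ]; then
            echo " ! ========================================================"
            echo " ! proxy output:"
            cat "o-pxy-${TESTS}.log"
        fi
        echo ""
    fi

    FAILS=$(( $FAILS + 1 ))
}
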
# is_polar <cmd_line>
#
# Succeed if the command line runs one of this project's own test programs
# (ssl_server2 or ssl_client2), fail otherwise.
is_polar() {
    case "$1" in
        *ssl_server2*|*ssl_client2*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_osrv_dtls
#
# openssl s_server doesn't have -www with DTLS: when SRV_CMD is an
# s_server command line using -dtls, drop the first -www from it and set
# NEEDS_INPUT=1 so that provide_input() feeds the server; otherwise set
# NEEDS_INPUT=0 and leave SRV_CMD alone.
check_osrv_dtls() {
    case "$SRV_CMD" in
        *s_server*-dtls*)
            NEEDS_INPUT=1
            # unquoted echo: runs of whitespace are collapsed before sed
            SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
            ;;
        *)
            NEEDS_INPUT=0
            ;;
    esac
}

# provide_input
#
# Provide input to commands that need it: when NEEDS_INPUT is non-zero,
# write an HTTP status line to stdout once per second, forever (the caller
# is expected to kill the pipeline). Returns immediately otherwise.
provide_input() {
    [ $NEEDS_INPUT -eq 0 ] && return

    while :; do
        echo "HTTP/1.0 200 OK"
        sleep 1
    done
}

# has_mem_err <log_file_name>
#
# Succeed (return 0) if the log does NOT contain both of valgrind's
# "all clear" lines, i.e. if memory errors or leaks have to be assumed.
# Return 1 only when both lines are present.
has_mem_err() {
    grep -F 'All heap blocks were freed -- no leaks are possible' "$1" >/dev/null ||
        return 0 # true: has errors
    grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" >/dev/null ||
        return 0 # true: has errors
    return 1 # false: does not have errors
}

# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
#
# Two implementations, selected once when the script is loaded:
# - with lsof: poll until the process has the port open (UDP when DTLS is 1,
#   TCP otherwise), giving up after DOG_DELAY seconds;
# - without lsof: simply sleep for START_DELAY seconds.
if type lsof >/dev/null 2>/dev/null; then
    wait_app_start() {
        START_TIME=$(date +%s)
        proto=TCP
        if [ "$DTLS" -eq 1 ]; then
            proto=UDP
        fi
        # Make a tight loop, server normally takes less than 1s to start.
        until lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
            if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
                # Report on stdout and in the application's log ($4).
                echo "$3 START TIMEOUT"
                echo "$3 START TIMEOUT" >> $4
                break
            fi
            # Linux and *BSD support decimal arguments to sleep. On other
            # OSes this may be a tight loop.
            sleep 0.1 2>/dev/null || true
        done
    }
else
    echo "Warning: lsof not available, wait_app_start = sleep"
    wait_app_start() {
        sleep "$START_DELAY"
    }
fi

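# wait_server_start <port> <pid>
#
# Wait for server process $2 to be listening on port $1.
# Timeouts are reported in the server log, SRV_OUT.
# Arguments are quoted so each one reaches wait_app_start as a single word.
wait_server_start() {
    wait_app_start "$1" "$2" "SERVER" "$SRV_OUT"
}
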
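# wait_proxy_start <port> <pid>
#
# Wait for proxy process $2 to be listening on port $1.
# Timeouts are reported in the proxy log, PXY_OUT.
# Arguments are quoted so each one reaches wait_app_start as a single word.
wait_proxy_start() {
    wait_app_start "$1" "$2" "PROXY" "$PXY_OUT"
}
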
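# check_server_hello_time <log_file_name>
#
# Given the client or server debug output, parse the unix timestamp that is
# included in the first 4 bytes of the random bytes and check that it's within
# acceptable bounds (300 seconds either side of the current time).
#
# Returns 0 only if at least one timestamp was printed and every printed
# timestamp is a plain decimal number within bounds. Anything else returns 1:
# a non-numeric, multi-valued or out-of-range value must not make '[' error
# out and fall through to success.
# Overwrites SERVER_HELLO_TIME, CUR_TIME, THRESHOLD_IN_SECS and
# HELLO_TIME_VALUE.
check_server_hello_time() {
    # Extract the time from the debug (lvl 3) output of the client
    SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
    # Get the Unix timestamp for now
    CUR_TIME=$(date +'%s')
    THRESHOLD_IN_SECS=300

    # Check if the ServerHello time was printed
    if [ -z "$SERVER_HELLO_TIME" ]; then
        return 1
    fi

    # One extracted value per line; check each of them.
    while read -r HELLO_TIME_VALUE; do
        # Reject anything that is not a non-empty string of digits.
        case "$HELLO_TIME_VALUE" in
            ''|*[!0-9]*) return 1 ;;
        esac
        # Accept only when both comparisons explicitly succeed, so that a
        # value '[' cannot evaluate (e.g. out of integer range) is rejected.
        if [ "$HELLO_TIME_VALUE" -ge $(( CUR_TIME - THRESHOLD_IN_SECS )) ] &&
           [ "$HELLO_TIME_VALUE" -le $(( CUR_TIME + THRESHOLD_IN_SECS )) ]
        then :; else
            return 1
        fi
    done <<EOF
$SERVER_HELLO_TIME
EOF

    return 0
}
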
# wait for client to terminate and set CLI_EXIT
# must be called right after starting the client
#
# Reads DOG_DELAY, CLI_DELAY_FACTOR, SRV_DELAY_SECONDS and CLI_OUT.
# Sets CLI_PID, CLI_DELAY, DOG_PID and CLI_EXIT, and resets the one-shot
# settings CLI_DELAY_FACTOR (to 1) and SRV_DELAY_SECONDS (to 0).
wait_client_done() {
    # $! is the most recently started background job; this is why the
    # function has to be called immediately after launching the client.
    CLI_PID=$!

    CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
    CLI_DELAY_FACTOR=1

    # Watchdog: after CLI_DELAY seconds, tag the client log with a marker
    # (run_test retries when it finds it) and kill the client.
    ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
    DOG_PID=$!

    wait $CLI_PID
    CLI_EXIT=$?

    # The client is done: stop the watchdog and reap it.
    kill $DOG_PID >/dev/null 2>&1
    wait $DOG_PID

    echo "EXIT: $CLI_EXIT" >> $CLI_OUT

    # Optional grace period requested through server_needs_more_time().
    sleep $SRV_DELAY_SECONDS
    SRV_DELAY_SECONDS=0
}

# detect_dtls <cmd_line>
#
# Check if the given command uses DTLS and set the global variable DTLS to
# 1 or 0 accordingly. A command line counts as DTLS when it contains
# "dtls=1", "-dtls1" or "-u" anywhere.
detect_dtls() {
    case "$1" in
        *dtls=1*|*-dtls1*|*-u*) DTLS=1 ;;
        *) DTLS=0 ;;
    esac
}

# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options:  -s pattern  pattern that must be present in server output
#           -c pattern  pattern that must be present in client output
#           -u pattern  lines after pattern must be unique in client output
#           -f          call shell function on client output
#           -S pattern  pattern that must be absent in server output
#           -C pattern  pattern that must be absent in client output
#           -U pattern  lines after pattern must be unique in server output
#           -F          call shell function on server output
#
# Runs one test: starts the (optional) proxy, the server and the client,
# waits for the client, stops the others, then evaluates the expected client
# exit status and the option assertions against the logs. Prints PASS, SKIP
# or (through fail()) FAIL after the name printed by print_name().
#
# The command lines are trusted input written by the test author: srv_cmd
# and proxy_cmd are word-split and executed, and cli_cmd is executed
# through eval.
run_test() {
    NAME="$1"
    shift 1

    # Tests whose name is rejected by the filters are neither counted nor
    # printed; a pending SKIP_NEXT is consumed all the same.
    if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
    else
        SKIP_NEXT="NO"
        return
    fi

    print_name "$NAME"

    # Do we only run numbered tests?
    if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
    elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
    else
        SKIP_NEXT="YES"
    fi

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPS=$(( $SKIPS + 1 ))
        return
    fi

    # does this test use a proxy?
    if [ "X$1" = "X-p" ]; then
        PXY_CMD="$2"
        shift 2
    else
        PXY_CMD=""
    fi

    # get commands and client output
    SRV_CMD="$1"
    CLI_CMD="$2"
    CLI_EXPECT="$3"
    shift 3

    # fix client port
    # The port value is spliced unquoted into the sed script and the result
    # is later passed to eval; it comes from the PID-derived default or from
    # the --port/--proxy-port options.
    if [ -n "$PXY_CMD" ]; then
        CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
    else
        CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
    fi

    # update DTLS variable
    detect_dtls "$SRV_CMD"

    # prepend valgrind to our commands if active
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD"; then
            SRV_CMD="valgrind --leak-check=full $SRV_CMD"
        fi
        if is_polar "$CLI_CMD"; then
            CLI_CMD="valgrind --leak-check=full $CLI_CMD"
        fi
    fi

    # At most two attempts: the second one only happens after a client
    # timeout (see "retry only on timeouts" below).
    TIMES_LEFT=2
    while [ $TIMES_LEFT -gt 0 ]; do
        TIMES_LEFT=$(( $TIMES_LEFT - 1 ))

        # run the commands
        # Each log starts with the command line that produced it.
        if [ -n "$PXY_CMD" ]; then
            echo "$PXY_CMD" > $PXY_OUT
            $PXY_CMD >> $PXY_OUT 2>&1 &
            PXY_PID=$!
            wait_proxy_start "$PXY_PORT" "$PXY_PID"
        fi

        check_osrv_dtls
        echo "$SRV_CMD" > $SRV_OUT
        provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
        SRV_PID=$!
        wait_server_start "$SRV_PORT" "$SRV_PID"

        echo "$CLI_CMD" > $CLI_OUT
        # eval is needed because some client command lines contain a pipeline
        # (e.g. "echo ... | openssl s_client"). wait_client_done must follow
        # immediately: it reads $! to find the client.
        eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
        wait_client_done

        # terminate the server (and the proxy)
        # NOTE(review): the status returned by 'wait $SRV_PID' is not saved.
        kill $SRV_PID
        wait $SRV_PID
        if [ -n "$PXY_CMD" ]; then
            kill $PXY_PID >/dev/null 2>&1
            wait $PXY_PID
        fi

        # retry only on timeouts
        if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
            printf "RETRY "
        else
            TIMES_LEFT=0
        fi
    done

    # check if the client and server went at least to the handshake stage
    # (useful to avoid tests with only negative assertions and non-zero
    # expected client exit to incorrectly succeed in case of catastrophic
    # failure)
    if is_polar "$SRV_CMD"; then
        if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi
    if is_polar "$CLI_CMD"; then
        if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi

    # check server exit code
    # NOTE(review): $? here is the status of the 'if' statement just above,
    # not the server's exit status from 'wait $SRV_PID', which was never
    # stored. As written this check looks unable to fire, so a crashing
    # server would not be reported by it -- confirm and, if so, capture the
    # status right after the wait.
    if [ $? != 0 ]; then
        fail "server fail"
        return
    fi

    # check client exit code
    # Only zero versus non-zero is compared, not the exact value.
    if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
         \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
    then
        fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
        return
    fi

    # check other assertions
    # lines beginning with == are added by valgrind, ignore them
    # lines with 'Serious error when reading debug info', are valgrind issues as well
    # Every option is consumed together with one argument ('shift 2' below).
    while [ $# -gt 0 ]
    do
        case $1 in
            "-s")
                if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Server output"
                    return
                fi
                ;;

            "-c")
                if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Client output"
                    return
                fi
                ;;

            "-S")
                if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Server output"
                    return
                fi
                ;;

            "-C")
                if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Client output"
                    return
                fi
                ;;

            # The filtering in the following two options (-u and -U) do the following
            #   - ignore valgrind output
            #   - filter out everything but lines right after the pattern occurrences
            #   - keep one of each non-unique line
            #   - count how many lines remain
            # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
            # if there were no duplicates.
            "-U")
                if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Server output"
                    return
                fi
                ;;

            "-u")
                if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Client output"
                    return
                fi
                ;;
            # -F / -f: $2 is run as a command with the log file name as its
            # only argument; a non-zero status fails the test.
            "-F")
                if ! $2 "$SRV_OUT"; then
                    fail "function call to '$2' failed on Server output"
                    return
                fi
                ;;
            "-f")
                if ! $2 "$CLI_OUT"; then
                    fail "function call to '$2' failed on Client output"
                    return
                fi
                ;;

            *)
                # An unknown option is an error in the test definition:
                # abort the whole script.
                echo "Unknown test: $1" >&2
                exit 1
        esac
        shift 2
    done

    # check valgrind's results
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
            fail "Server has memory errors"
            return
        fi
        if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
            fail "Client has memory errors"
            return
        fi
    fi

    # if we're here, everything is ok
    echo "PASS"
    if [ "$PRESERVE_LOGS" -gt 0 ]; then
        mv $SRV_OUT o-srv-${TESTS}.log
        mv $CLI_OUT o-cli-${TESTS}.log
        if [ -n "$PXY_CMD" ]; then
            mv $PXY_OUT o-pxy-${TESTS}.log
        fi
    fi

    rm -f $SRV_OUT $CLI_OUT $PXY_OUT
}

# cleanup
#
# Signal handler (installed with trap): remove the intermediate files, kill
# whichever of the server, proxy, client and watchdog processes have a
# recorded PID, then exit with status 1.
cleanup() {
    rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
    # The PID variables may still be unset; ${VAR:-} keeps 'set -u' quiet.
    if [ -n "${SRV_PID:-}" ]; then
        kill $SRV_PID >/dev/null 2>&1
    fi
    if [ -n "${PXY_PID:-}" ]; then
        kill $PXY_PID >/dev/null 2>&1
    fi
    if [ -n "${CLI_PID:-}" ]; then
        kill $CLI_PID >/dev/null 2>&1
    fi
    if [ -n "${DOG_PID:-}" ]; then
        kill $DOG_PID >/dev/null 2>&1
    fi
    exit 1
}

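#
# MAIN
#

# Run from the script's own directory: the relative paths used throughout
# (programs, data_files, config.h) are resolved from there.
# Quoted so that a checkout path containing whitespace still works.
if cd "$( dirname "$0" )"; then :; else
    echo "cd $( dirname "$0" ) failed" >&2
    exit 1
fi

get_options "$@"

# sanity checks, avoid an avalanche of errors
if [ ! -x "$P_SRV" ]; then
    echo "Command '$P_SRV' is not an executable file"
    exit 1
fi
if [ ! -x "$P_CLI" ]; then
    echo "Command '$P_CLI' is not an executable file"
    exit 1
fi
if [ ! -x "$P_PXY" ]; then
    echo "Command '$P_PXY' is not an executable file"
    exit 1
fi
if [ "$MEMCHECK" -gt 0 ]; then
    if which valgrind >/dev/null 2>&1; then :; else
        echo "Memcheck not possible. Valgrind not found"
        exit 1
    fi
fi
if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
    echo "Command '$OPENSSL_CMD' not found"
    exit 1
fi

# used by watchdog
MAIN_PID="$$"

# We use somewhat arbitrary delays for tests:
# - how long do we wait for the server to start (when lsof not available)?
# - how long do we allow for the client to finish?
#   (not to check performance, just to avoid waiting indefinitely)
# Things are slower with valgrind, so give extra time here.
#
# Note: without lsof, there is a trade-off between the running time of this
# script and the risk of spurious errors because we didn't wait long enough.
# The watchdog delay on the other hand doesn't affect normal running time of
# the script, only the case where a client or server gets stuck.
if [ "$MEMCHECK" -gt 0 ]; then
    START_DELAY=6
    DOG_DELAY=60
else
    START_DELAY=2
    DOG_DELAY=20
fi

# some particular tests need more time:
# - for the client, we multiply the usual watchdog limit by a factor
# - for the server, we sleep for a number of seconds after the client exits
# see client_needs_more_time() and server_needs_more_time()
CLI_DELAY_FACTOR=1
SRV_DELAY_SECONDS=0

# fix commands to use this port, force IPv4 while at it
# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT localhost"

# Allow SHA-1, because many of our test certificates use it
P_SRV="$P_SRV allow_sha1=1"
P_CLI="$P_CLI allow_sha1=1"

# Also pick a unique name for intermediate files
# NOTE(review): the names are PID-based, hence predictable, and the files
# are created in the script's directory; this presumably relies on that
# directory being writable only by the user running the tests -- confirm.
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"
PXY_OUT="pxy_out.$$"
SESSION="session.$$"

SKIP_NEXT="NO"

# Remove intermediate files and stop child processes when interrupted.
trap cleanup INT TERM HUP
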
# Basic test

# Checks that:
# - things work with all ciphersuites active (used with config-full in all.sh)
# - the expected (highest security) parameters are selected
#   ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
#
# Arguments to run_test as used below: test name, server command, client
# command, expected client exit status, then log checks. As interpreted by
# run_test (defined outside this excerpt): -s / -c require the pattern in
# the server / client output, -S / -C require that it is absent.
run_test "Default" \
    "$P_SRV debug_level=3" \
    "$P_CLI" \
    0 \
    -s "Protocol is TLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    -s "client hello v3, signature_algorithm ext: 6" \
    -s "ECDHE curve: secp521r1" \
    -S "error" \
    -C "error"

# Same defaults over DTLS: the server must report DTLS 1.2 and the same
# ciphersuite.
run_test "Default, DTLS" \
    "$P_SRV dtls=1" \
    "$P_CLI dtls=1" \
    0 \
    -s "Protocol is DTLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"

# Gated on MBEDTLS_ZLIB_SUPPORT. Both sides must log that they allocated the
# compression buffer and that record expansion is unknown. This is a
# functional check only; it says nothing about whether enabling TLS-level
# compression is advisable (compression before encryption is what
# CRIME-style length side channels rely on).
requires_config_enabled MBEDTLS_ZLIB_SUPPORT
run_test "Default (compression enabled)" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -s "Allocating compression buffer" \
    -c "Allocating compression buffer" \
    -s "Record expansion is unknown (compression)" \
    -c "Record expansion is unknown (compression)" \
    -S "error" \
    -C "error"
774
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100775# Test current time in ServerHello
776requires_config_enabled MBEDTLS_HAVE_TIME
777run_test "Default, ServerHello contains gmt_unix_time" \
778 "$P_SRV debug_level=3" \
779 "$P_CLI debug_level=3" \
780 0 \
781 -s "Protocol is TLSv1.2" \
782 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
783 -s "client hello v3, signature_algorithm ext: 6" \
784 -s "ECDHE curve: secp521r1" \
785 -S "error" \
786 -C "error" \
787 -f "check_server_hello_time" \
788 -F "check_server_hello_time"
789
Simon Butcher8e004102016-10-14 00:48:33 +0100790# Test for uniqueness of IVs in AEAD ciphersuites
791run_test "Unique IV in GCM" \
792 "$P_SRV exchanges=20 debug_level=4" \
793 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
794 0 \
795 -u "IV used" \
796 -U "IV used"
797
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100798# Tests for rc4 option
799
Simon Butchera410af52016-05-19 22:12:18 +0100800requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100801run_test "RC4: server disabled, client enabled" \
802 "$P_SRV" \
803 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
804 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100805 -s "SSL - The server has no ciphersuites in common"
806
Simon Butchera410af52016-05-19 22:12:18 +0100807requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100808run_test "RC4: server half, client enabled" \
809 "$P_SRV arc4=1" \
810 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
811 1 \
812 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100813
814run_test "RC4: server enabled, client disabled" \
815 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
816 "$P_CLI" \
817 1 \
818 -s "SSL - The server has no ciphersuites in common"
819
820run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100821 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100822 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
823 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100824 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100825 -S "SSL - The server has no ciphersuites in common"
826
Hanno Becker3a333a52018-08-17 09:54:10 +0100827# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
828
829requires_gnutls
830requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
831run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
832 "$G_SRV"\
833 "$P_CLI force_version=tls1_1" \
834 0
835
836requires_gnutls
837requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
838run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
839 "$G_SRV"\
840 "$P_CLI force_version=tls1" \
841 0
842
Gilles Peskinebc70a182017-05-09 15:59:24 +0200843# Tests for SHA-1 support
844
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200845requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200846run_test "SHA-1 forbidden by default in server certificate" \
847 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
848 "$P_CLI debug_level=2 allow_sha1=0" \
849 1 \
850 -c "The certificate is signed with an unacceptable hash"
851
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200852requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
853run_test "SHA-1 forbidden by default in server certificate" \
854 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
855 "$P_CLI debug_level=2 allow_sha1=0" \
856 0
857
Gilles Peskinebc70a182017-05-09 15:59:24 +0200858run_test "SHA-1 explicitly allowed in server certificate" \
859 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
860 "$P_CLI allow_sha1=1" \
861 0
862
863run_test "SHA-256 allowed by default in server certificate" \
864 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
865 "$P_CLI allow_sha1=0" \
866 0
867
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200868requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200869run_test "SHA-1 forbidden by default in client certificate" \
870 "$P_SRV auth_mode=required allow_sha1=0" \
871 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
872 1 \
873 -s "The certificate is signed with an unacceptable hash"
874
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200875requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
876run_test "SHA-1 forbidden by default in client certificate" \
877 "$P_SRV auth_mode=required allow_sha1=0" \
878 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
879 0
880
Gilles Peskinebc70a182017-05-09 15:59:24 +0200881run_test "SHA-1 explicitly allowed in client certificate" \
882 "$P_SRV auth_mode=required allow_sha1=1" \
883 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
884 0
885
886run_test "SHA-256 allowed by default in client certificate" \
887 "$P_SRV auth_mode=required allow_sha1=0" \
888 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
889 0
890
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100891# Tests for Truncated HMAC extension
892
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100893run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200894 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100895 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100896 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000897 -s "dumping 'expected mac' (20 bytes)" \
898 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100899
Hanno Becker32c55012017-11-10 08:42:54 +0000900requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100901run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200902 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000903 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100904 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000905 -s "dumping 'expected mac' (20 bytes)" \
906 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100907
Hanno Becker32c55012017-11-10 08:42:54 +0000908requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100909run_test "Truncated HMAC: client enabled, server default" \
910 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000911 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100912 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000913 -s "dumping 'expected mac' (20 bytes)" \
914 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100915
Hanno Becker32c55012017-11-10 08:42:54 +0000916requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100917run_test "Truncated HMAC: client enabled, server disabled" \
918 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000919 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100920 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000921 -s "dumping 'expected mac' (20 bytes)" \
922 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100923
Hanno Becker32c55012017-11-10 08:42:54 +0000924requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000925run_test "Truncated HMAC: client disabled, server enabled" \
926 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000927 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000928 0 \
929 -s "dumping 'expected mac' (20 bytes)" \
930 -S "dumping 'expected mac' (10 bytes)"
931
932requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100933run_test "Truncated HMAC: client enabled, server enabled" \
934 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000935 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100936 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000937 -S "dumping 'expected mac' (20 bytes)" \
938 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100939
Hanno Becker4c4f4102017-11-10 09:16:05 +0000940run_test "Truncated HMAC, DTLS: client default, server default" \
941 "$P_SRV dtls=1 debug_level=4" \
942 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
943 0 \
944 -s "dumping 'expected mac' (20 bytes)" \
945 -S "dumping 'expected mac' (10 bytes)"
946
947requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
948run_test "Truncated HMAC, DTLS: client disabled, server default" \
949 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000950 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000951 0 \
952 -s "dumping 'expected mac' (20 bytes)" \
953 -S "dumping 'expected mac' (10 bytes)"
954
955requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
956run_test "Truncated HMAC, DTLS: client enabled, server default" \
957 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000958 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000959 0 \
960 -s "dumping 'expected mac' (20 bytes)" \
961 -S "dumping 'expected mac' (10 bytes)"
962
963requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
964run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
965 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000966 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000967 0 \
968 -s "dumping 'expected mac' (20 bytes)" \
969 -S "dumping 'expected mac' (10 bytes)"
970
971requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
972run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
973 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000974 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000975 0 \
976 -s "dumping 'expected mac' (20 bytes)" \
977 -S "dumping 'expected mac' (10 bytes)"
978
979requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
980run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
981 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000982 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100983 0 \
984 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100985 -s "dumping 'expected mac' (10 bytes)"
986
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100987# Tests for Encrypt-then-MAC extension
988
989run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100990 "$P_SRV debug_level=3 \
991 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100992 "$P_CLI debug_level=3" \
993 0 \
994 -c "client hello, adding encrypt_then_mac extension" \
995 -s "found encrypt then mac extension" \
996 -s "server hello, adding encrypt then mac extension" \
997 -c "found encrypt_then_mac extension" \
998 -c "using encrypt then mac" \
999 -s "using encrypt then mac"
1000
1001run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001002 "$P_SRV debug_level=3 etm=0 \
1003 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001004 "$P_CLI debug_level=3 etm=1" \
1005 0 \
1006 -c "client hello, adding encrypt_then_mac extension" \
1007 -s "found encrypt then mac extension" \
1008 -S "server hello, adding encrypt then mac extension" \
1009 -C "found encrypt_then_mac extension" \
1010 -C "using encrypt then mac" \
1011 -S "using encrypt then mac"
1012
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +01001013run_test "Encrypt then MAC: client enabled, aead cipher" \
1014 "$P_SRV debug_level=3 etm=1 \
1015 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
1016 "$P_CLI debug_level=3 etm=1" \
1017 0 \
1018 -c "client hello, adding encrypt_then_mac extension" \
1019 -s "found encrypt then mac extension" \
1020 -S "server hello, adding encrypt then mac extension" \
1021 -C "found encrypt_then_mac extension" \
1022 -C "using encrypt then mac" \
1023 -S "using encrypt then mac"
1024
1025run_test "Encrypt then MAC: client enabled, stream cipher" \
1026 "$P_SRV debug_level=3 etm=1 \
1027 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01001028 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +01001029 0 \
1030 -c "client hello, adding encrypt_then_mac extension" \
1031 -s "found encrypt then mac extension" \
1032 -S "server hello, adding encrypt then mac extension" \
1033 -C "found encrypt_then_mac extension" \
1034 -C "using encrypt then mac" \
1035 -S "using encrypt then mac"
1036
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001037run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001038 "$P_SRV debug_level=3 etm=1 \
1039 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001040 "$P_CLI debug_level=3 etm=0" \
1041 0 \
1042 -C "client hello, adding encrypt_then_mac extension" \
1043 -S "found encrypt then mac extension" \
1044 -S "server hello, adding encrypt then mac extension" \
1045 -C "found encrypt_then_mac extension" \
1046 -C "using encrypt then mac" \
1047 -S "using encrypt then mac"
1048
Janos Follathe2681a42016-03-07 15:57:05 +00001049requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001050run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001051 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001052 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001053 "$P_CLI debug_level=3 force_version=ssl3" \
1054 0 \
1055 -C "client hello, adding encrypt_then_mac extension" \
1056 -S "found encrypt then mac extension" \
1057 -S "server hello, adding encrypt then mac extension" \
1058 -C "found encrypt_then_mac extension" \
1059 -C "using encrypt then mac" \
1060 -S "using encrypt then mac"
1061
Janos Follathe2681a42016-03-07 15:57:05 +00001062requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001063run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001064 "$P_SRV debug_level=3 force_version=ssl3 \
1065 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001066 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001067 0 \
1068 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +01001069 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001070 -S "server hello, adding encrypt then mac extension" \
1071 -C "found encrypt_then_mac extension" \
1072 -C "using encrypt then mac" \
1073 -S "using encrypt then mac"
1074
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001075# Tests for Extended Master Secret extension
1076
1077run_test "Extended Master Secret: default" \
1078 "$P_SRV debug_level=3" \
1079 "$P_CLI debug_level=3" \
1080 0 \
1081 -c "client hello, adding extended_master_secret extension" \
1082 -s "found extended master secret extension" \
1083 -s "server hello, adding extended master secret extension" \
1084 -c "found extended_master_secret extension" \
1085 -c "using extended master secret" \
1086 -s "using extended master secret"
1087
1088run_test "Extended Master Secret: client enabled, server disabled" \
1089 "$P_SRV debug_level=3 extended_ms=0" \
1090 "$P_CLI debug_level=3 extended_ms=1" \
1091 0 \
1092 -c "client hello, adding extended_master_secret extension" \
1093 -s "found extended master secret extension" \
1094 -S "server hello, adding extended master secret extension" \
1095 -C "found extended_master_secret extension" \
1096 -C "using extended master secret" \
1097 -S "using extended master secret"
1098
1099run_test "Extended Master Secret: client disabled, server enabled" \
1100 "$P_SRV debug_level=3 extended_ms=1" \
1101 "$P_CLI debug_level=3 extended_ms=0" \
1102 0 \
1103 -C "client hello, adding extended_master_secret extension" \
1104 -S "found extended master secret extension" \
1105 -S "server hello, adding extended master secret extension" \
1106 -C "found extended_master_secret extension" \
1107 -C "using extended master secret" \
1108 -S "using extended master secret"
1109
Janos Follathe2681a42016-03-07 15:57:05 +00001110requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001111run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001112 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001113 "$P_CLI debug_level=3 force_version=ssl3" \
1114 0 \
1115 -C "client hello, adding extended_master_secret extension" \
1116 -S "found extended master secret extension" \
1117 -S "server hello, adding extended master secret extension" \
1118 -C "found extended_master_secret extension" \
1119 -C "using extended master secret" \
1120 -S "using extended master secret"
1121
Janos Follathe2681a42016-03-07 15:57:05 +00001122requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001123run_test "Extended Master Secret: client enabled, server SSLv3" \
1124 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001125 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001126 0 \
1127 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +01001128 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001129 -S "server hello, adding extended master secret extension" \
1130 -C "found extended_master_secret extension" \
1131 -C "using extended master secret" \
1132 -S "using extended master secret"
1133
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001134# Tests for FALLBACK_SCSV
1135
1136run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001137 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001138 "$P_CLI debug_level=3 force_version=tls1_1" \
1139 0 \
1140 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001141 -S "received FALLBACK_SCSV" \
1142 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001143 -C "is a fatal alert message (msg 86)"
1144
1145run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001146 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001147 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1148 0 \
1149 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001150 -S "received FALLBACK_SCSV" \
1151 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001152 -C "is a fatal alert message (msg 86)"
1153
1154run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001155 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001156 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001157 1 \
1158 -c "adding FALLBACK_SCSV" \
1159 -s "received FALLBACK_SCSV" \
1160 -s "inapropriate fallback" \
1161 -c "is a fatal alert message (msg 86)"
1162
1163run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001164 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001165 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001166 0 \
1167 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001168 -s "received FALLBACK_SCSV" \
1169 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001170 -C "is a fatal alert message (msg 86)"
1171
1172requires_openssl_with_fallback_scsv
1173run_test "Fallback SCSV: default, openssl server" \
1174 "$O_SRV" \
1175 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1176 0 \
1177 -C "adding FALLBACK_SCSV" \
1178 -C "is a fatal alert message (msg 86)"
1179
1180requires_openssl_with_fallback_scsv
1181run_test "Fallback SCSV: enabled, openssl server" \
1182 "$O_SRV" \
1183 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1184 1 \
1185 -c "adding FALLBACK_SCSV" \
1186 -c "is a fatal alert message (msg 86)"
1187
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001188requires_openssl_with_fallback_scsv
1189run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001190 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001191 "$O_CLI -tls1_1" \
1192 0 \
1193 -S "received FALLBACK_SCSV" \
1194 -S "inapropriate fallback"
1195
1196requires_openssl_with_fallback_scsv
1197run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001198 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001199 "$O_CLI -tls1_1 -fallback_scsv" \
1200 1 \
1201 -s "received FALLBACK_SCSV" \
1202 -s "inapropriate fallback"
1203
1204requires_openssl_with_fallback_scsv
1205run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001206 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001207 "$O_CLI -fallback_scsv" \
1208 0 \
1209 -s "received FALLBACK_SCSV" \
1210 -S "inapropriate fallback"
1211
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001212# Test sending and receiving empty application data records
1213
1214run_test "Encrypt then MAC: empty application data record" \
1215 "$P_SRV auth_mode=none debug_level=4 etm=1" \
1216 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
1217 0 \
1218 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1219 -s "dumping 'input payload after decrypt' (0 bytes)" \
1220 -c "0 bytes written in 1 fragments"
1221
Manuel Pégourié-Gonnardd6e44542020-03-24 10:53:39 +01001222run_test "Encrypt then MAC: disabled, empty application data record" \
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001223 "$P_SRV auth_mode=none debug_level=4 etm=0" \
1224 "$P_CLI auth_mode=none etm=0 request_size=0" \
1225 0 \
1226 -s "dumping 'input payload after decrypt' (0 bytes)" \
1227 -c "0 bytes written in 1 fragments"
1228
1229run_test "Encrypt then MAC, DTLS: empty application data record" \
1230 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
1231 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
1232 0 \
1233 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1234 -s "dumping 'input payload after decrypt' (0 bytes)" \
1235 -c "0 bytes written in 1 fragments"
1236
Manuel Pégourié-Gonnardd6e44542020-03-24 10:53:39 +01001237run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001238 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
1239 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
1240 0 \
1241 -s "dumping 'input payload after decrypt' (0 bytes)" \
1242 -c "0 bytes written in 1 fragments"
1243
Gilles Peskined50177f2017-05-16 17:53:03 +02001244## ClientHello generated with
1245## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1246## then manually twiddling the ciphersuite list.
1247## The ClientHello content is spelled out below as a hex string as
1248## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1249## The expected response is an inappropriate_fallback alert.
1250requires_openssl_with_fallback_scsv
1251run_test "Fallback SCSV: beginning of list" \
1252 "$P_SRV debug_level=2" \
1253 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1254 0 \
1255 -s "received FALLBACK_SCSV" \
1256 -s "inapropriate fallback"
1257
1258requires_openssl_with_fallback_scsv
1259run_test "Fallback SCSV: end of list" \
1260 "$P_SRV debug_level=2" \
1261 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1262 0 \
1263 -s "received FALLBACK_SCSV" \
1264 -s "inapropriate fallback"
1265
1266## Here the expected response is a valid ServerHello prefix, up to the random.
1267requires_openssl_with_fallback_scsv
1268run_test "Fallback SCSV: not in list" \
1269 "$P_SRV debug_level=2" \
1270 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1271 0 \
1272 -S "received FALLBACK_SCSV" \
1273 -S "inapropriate fallback"
1274
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001275# Tests for CBC 1/n-1 record splitting
1276
1277run_test "CBC Record splitting: TLS 1.2, no splitting" \
1278 "$P_SRV" \
1279 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1280 request_size=123 force_version=tls1_2" \
1281 0 \
1282 -s "Read from client: 123 bytes read" \
1283 -S "Read from client: 1 bytes read" \
1284 -S "122 bytes read"
1285
1286run_test "CBC Record splitting: TLS 1.1, no splitting" \
1287 "$P_SRV" \
1288 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1289 request_size=123 force_version=tls1_1" \
1290 0 \
1291 -s "Read from client: 123 bytes read" \
1292 -S "Read from client: 1 bytes read" \
1293 -S "122 bytes read"
1294
1295run_test "CBC Record splitting: TLS 1.0, splitting" \
1296 "$P_SRV" \
1297 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1298 request_size=123 force_version=tls1" \
1299 0 \
1300 -S "Read from client: 123 bytes read" \
1301 -s "Read from client: 1 bytes read" \
1302 -s "122 bytes read"
1303
Janos Follathe2681a42016-03-07 15:57:05 +00001304requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001305run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001306 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001307 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1308 request_size=123 force_version=ssl3" \
1309 0 \
1310 -S "Read from client: 123 bytes read" \
1311 -s "Read from client: 1 bytes read" \
1312 -s "122 bytes read"
1313
1314run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01001315 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001316 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1317 request_size=123 force_version=tls1" \
1318 0 \
1319 -s "Read from client: 123 bytes read" \
1320 -S "Read from client: 1 bytes read" \
1321 -S "122 bytes read"
1322
1323run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1324 "$P_SRV" \
1325 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1326 request_size=123 force_version=tls1 recsplit=0" \
1327 0 \
1328 -s "Read from client: 123 bytes read" \
1329 -S "Read from client: 1 bytes read" \
1330 -S "122 bytes read"
1331
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01001332run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1333 "$P_SRV nbio=2" \
1334 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1335 request_size=123 force_version=tls1" \
1336 0 \
1337 -S "Read from client: 123 bytes read" \
1338 -s "Read from client: 1 bytes read" \
1339 -s "122 bytes read"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001341# Tests for Session Tickets
1342
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001343run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001344 "$P_SRV debug_level=3 tickets=1" \
1345 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001346 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001347 -c "client hello, adding session ticket extension" \
1348 -s "found session ticket extension" \
1349 -s "server hello, adding session ticket extension" \
1350 -c "found session_ticket extension" \
1351 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001352 -S "session successfully restored from cache" \
1353 -s "session successfully restored from ticket" \
1354 -s "a session has been resumed" \
1355 -c "a session has been resumed"
1356
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001357run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001358 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1359 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +01001360 0 \
1361 -c "client hello, adding session ticket extension" \
1362 -s "found session ticket extension" \
1363 -s "server hello, adding session ticket extension" \
1364 -c "found session_ticket extension" \
1365 -c "parse new session ticket" \
1366 -S "session successfully restored from cache" \
1367 -s "session successfully restored from ticket" \
1368 -s "a session has been resumed" \
1369 -c "a session has been resumed"
1370
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001371run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001372 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1373 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +01001374 0 \
1375 -c "client hello, adding session ticket extension" \
1376 -s "found session ticket extension" \
1377 -s "server hello, adding session ticket extension" \
1378 -c "found session_ticket extension" \
1379 -c "parse new session ticket" \
1380 -S "session successfully restored from cache" \
1381 -S "session successfully restored from ticket" \
1382 -S "a session has been resumed" \
1383 -C "a session has been resumed"
1384
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001385run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +01001386 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001387 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +01001388 0 \
1389 -c "client hello, adding session ticket extension" \
1390 -c "found session_ticket extension" \
1391 -c "parse new session ticket" \
1392 -c "a session has been resumed"
1393
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001394run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001395 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +02001396 "( $O_CLI -sess_out $SESSION; \
1397 $O_CLI -sess_in $SESSION; \
1398 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +01001399 0 \
1400 -s "found session ticket extension" \
1401 -s "server hello, adding session ticket extension" \
1402 -S "session successfully restored from cache" \
1403 -s "session successfully restored from ticket" \
1404 -s "a session has been resumed"
Hanno Beckerb5546362018-08-21 13:55:22 +01001406# Tests for Session Tickets with DTLS
1407
1408run_test "Session resume using tickets, DTLS: basic" \
1409 "$P_SRV debug_level=3 dtls=1 tickets=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001410 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001411 0 \
1412 -c "client hello, adding session ticket extension" \
1413 -s "found session ticket extension" \
1414 -s "server hello, adding session ticket extension" \
1415 -c "found session_ticket extension" \
1416 -c "parse new session ticket" \
1417 -S "session successfully restored from cache" \
1418 -s "session successfully restored from ticket" \
1419 -s "a session has been resumed" \
1420 -c "a session has been resumed"
1421
1422run_test "Session resume using tickets, DTLS: cache disabled" \
1423 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001424 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001425 0 \
1426 -c "client hello, adding session ticket extension" \
1427 -s "found session ticket extension" \
1428 -s "server hello, adding session ticket extension" \
1429 -c "found session_ticket extension" \
1430 -c "parse new session ticket" \
1431 -S "session successfully restored from cache" \
1432 -s "session successfully restored from ticket" \
1433 -s "a session has been resumed" \
1434 -c "a session has been resumed"
1435
1436run_test "Session resume using tickets, DTLS: timeout" \
1437 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001438 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001439 0 \
1440 -c "client hello, adding session ticket extension" \
1441 -s "found session ticket extension" \
1442 -s "server hello, adding session ticket extension" \
1443 -c "found session_ticket extension" \
1444 -c "parse new session ticket" \
1445 -S "session successfully restored from cache" \
1446 -S "session successfully restored from ticket" \
1447 -S "a session has been resumed" \
1448 -C "a session has been resumed"
1449
1450run_test "Session resume using tickets, DTLS: openssl server" \
1451 "$O_SRV -dtls1" \
1452 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1453 0 \
1454 -c "client hello, adding session ticket extension" \
1455 -c "found session_ticket extension" \
1456 -c "parse new session ticket" \
1457 -c "a session has been resumed"
1458
1459run_test "Session resume using tickets, DTLS: openssl client" \
1460 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1461 "( $O_CLI -dtls1 -sess_out $SESSION; \
1462 $O_CLI -dtls1 -sess_in $SESSION; \
1463 rm -f $SESSION )" \
1464 0 \
1465 -s "found session ticket extension" \
1466 -s "server hello, adding session ticket extension" \
1467 -S "session successfully restored from cache" \
1468 -s "session successfully restored from ticket" \
1469 -s "a session has been resumed"
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001471# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001472
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001473run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001474 "$P_SRV debug_level=3 tickets=0" \
1475 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001476 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001477 -c "client hello, adding session ticket extension" \
1478 -s "found session ticket extension" \
1479 -S "server hello, adding session ticket extension" \
1480 -C "found session_ticket extension" \
1481 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001482 -s "session successfully restored from cache" \
1483 -S "session successfully restored from ticket" \
1484 -s "a session has been resumed" \
1485 -c "a session has been resumed"
1486
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001487run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001488 "$P_SRV debug_level=3 tickets=1" \
1489 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001490 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001491 -C "client hello, adding session ticket extension" \
1492 -S "found session ticket extension" \
1493 -S "server hello, adding session ticket extension" \
1494 -C "found session_ticket extension" \
1495 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001496 -s "session successfully restored from cache" \
1497 -S "session successfully restored from ticket" \
1498 -s "a session has been resumed" \
1499 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001500
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001501run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001502 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1503 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001504 0 \
1505 -S "session successfully restored from cache" \
1506 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001507 -S "a session has been resumed" \
1508 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001509
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001510run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001511 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1512 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001513 0 \
1514 -s "session successfully restored from cache" \
1515 -S "session successfully restored from ticket" \
1516 -s "a session has been resumed" \
1517 -c "a session has been resumed"
1518
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +02001519run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001520 "$P_SRV debug_level=3 tickets=0" \
1521 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001522 0 \
1523 -s "session successfully restored from cache" \
1524 -S "session successfully restored from ticket" \
1525 -s "a session has been resumed" \
1526 -c "a session has been resumed"
1527
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001528run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001529 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1530 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001531 0 \
1532 -S "session successfully restored from cache" \
1533 -S "session successfully restored from ticket" \
1534 -S "a session has been resumed" \
1535 -C "a session has been resumed"
1536
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001537run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001538 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1539 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001540 0 \
1541 -s "session successfully restored from cache" \
1542 -S "session successfully restored from ticket" \
1543 -s "a session has been resumed" \
1544 -c "a session has been resumed"
1545
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001546run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001547 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +02001548 "( $O_CLI -sess_out $SESSION; \
1549 $O_CLI -sess_in $SESSION; \
1550 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +01001551 0 \
1552 -s "found session ticket extension" \
1553 -S "server hello, adding session ticket extension" \
1554 -s "session successfully restored from cache" \
1555 -S "session successfully restored from ticket" \
1556 -s "a session has been resumed"
1557
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001558run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +01001559 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001560 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +01001561 0 \
1562 -C "found session_ticket extension" \
1563 -C "parse new session ticket" \
1564 -c "a session has been resumed"
Hanno Beckerb5546362018-08-21 13:55:22 +01001566# Tests for Session Resume based on session-ID and cache, DTLS
1567
1568run_test "Session resume using cache, DTLS: tickets enabled on client" \
1569 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001570 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001571 0 \
1572 -c "client hello, adding session ticket extension" \
1573 -s "found session ticket extension" \
1574 -S "server hello, adding session ticket extension" \
1575 -C "found session_ticket extension" \
1576 -C "parse new session ticket" \
1577 -s "session successfully restored from cache" \
1578 -S "session successfully restored from ticket" \
1579 -s "a session has been resumed" \
1580 -c "a session has been resumed"
1581
1582run_test "Session resume using cache, DTLS: tickets enabled on server" \
1583 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001584 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001585 0 \
1586 -C "client hello, adding session ticket extension" \
1587 -S "found session ticket extension" \
1588 -S "server hello, adding session ticket extension" \
1589 -C "found session_ticket extension" \
1590 -C "parse new session ticket" \
1591 -s "session successfully restored from cache" \
1592 -S "session successfully restored from ticket" \
1593 -s "a session has been resumed" \
1594 -c "a session has been resumed"
1595
1596run_test "Session resume using cache, DTLS: cache_max=0" \
1597 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001598 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001599 0 \
1600 -S "session successfully restored from cache" \
1601 -S "session successfully restored from ticket" \
1602 -S "a session has been resumed" \
1603 -C "a session has been resumed"
1604
1605run_test "Session resume using cache, DTLS: cache_max=1" \
1606 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001607 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001608 0 \
1609 -s "session successfully restored from cache" \
1610 -S "session successfully restored from ticket" \
1611 -s "a session has been resumed" \
1612 -c "a session has been resumed"
1613
1614run_test "Session resume using cache, DTLS: timeout > delay" \
1615 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001616 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001617 0 \
1618 -s "session successfully restored from cache" \
1619 -S "session successfully restored from ticket" \
1620 -s "a session has been resumed" \
1621 -c "a session has been resumed"
1622
1623run_test "Session resume using cache, DTLS: timeout < delay" \
1624 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001625 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001626 0 \
1627 -S "session successfully restored from cache" \
1628 -S "session successfully restored from ticket" \
1629 -S "a session has been resumed" \
1630 -C "a session has been resumed"
1631
1632run_test "Session resume using cache, DTLS: no timeout" \
1633 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001634 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001635 0 \
1636 -s "session successfully restored from cache" \
1637 -S "session successfully restored from ticket" \
1638 -s "a session has been resumed" \
1639 -c "a session has been resumed"
1640
1641run_test "Session resume using cache, DTLS: openssl client" \
1642 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1643 "( $O_CLI -dtls1 -sess_out $SESSION; \
1644 $O_CLI -dtls1 -sess_in $SESSION; \
1645 rm -f $SESSION )" \
1646 0 \
1647 -s "found session ticket extension" \
1648 -S "server hello, adding session ticket extension" \
1649 -s "session successfully restored from cache" \
1650 -S "session successfully restored from ticket" \
1651 -s "a session has been resumed"
1652
1653run_test "Session resume using cache, DTLS: openssl server" \
1654 "$O_SRV -dtls1" \
1655 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1656 0 \
1657 -C "found session_ticket extension" \
1658 -C "parse new session ticket" \
1659 -c "a session has been resumed"
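# Tests for Max Fragment Length extension

# The log patterns of the tests that follow hard-code 16384 as the default
# maximum content length. If the build configures a different
# MBEDTLS_SSL_MAX_CONTENT_LEN, stop here instead of reporting misleading
# failures. An empty answer from config.pl (option not set) skips the check.
MAX_CONTENT_LEN_EXPECT='16384'
MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)

if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
    # Variables are passed as printf arguments, never inside the format string,
    # so a '%' or backslash in the CONFIG_H path cannot corrupt the message.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_CONTENT_LEN_EXPECT}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi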
Hanno Becker4aed27e2017-09-18 15:00:34 +01001678requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +01001679run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001680 "$P_SRV debug_level=3" \
1681 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001682 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001683 -c "Maximum fragment length is 16384" \
1684 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001685 -C "client hello, adding max_fragment_length extension" \
1686 -S "found max fragment length extension" \
1687 -S "server hello, max_fragment_length extension" \
1688 -C "found max_fragment_length extension"
1689
Hanno Becker4aed27e2017-09-18 15:00:34 +01001690requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +01001691run_test "Max fragment length: enabled, default, larger message" \
1692 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001693 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001694 0 \
1695 -c "Maximum fragment length is 16384" \
1696 -s "Maximum fragment length is 16384" \
1697 -C "client hello, adding max_fragment_length extension" \
1698 -S "found max fragment length extension" \
1699 -S "server hello, max_fragment_length extension" \
1700 -C "found max_fragment_length extension" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001701 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001702 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001703 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +01001704
1705requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1706run_test "Max fragment length, DTLS: enabled, default, larger message" \
1707 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001708 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001709 1 \
1710 -c "Maximum fragment length is 16384" \
1711 -s "Maximum fragment length is 16384" \
1712 -C "client hello, adding max_fragment_length extension" \
1713 -S "found max fragment length extension" \
1714 -S "server hello, max_fragment_length extension" \
1715 -C "found max_fragment_length extension" \
1716 -c "fragment larger than.*maximum "
1717
1718requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1719run_test "Max fragment length: disabled, larger message" \
1720 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001721 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001722 0 \
1723 -C "Maximum fragment length is 16384" \
1724 -S "Maximum fragment length is 16384" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001725 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001726 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001727 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +01001728
1729requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1730run_test "Max fragment length DTLS: disabled, larger message" \
1731 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001732 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001733 1 \
1734 -C "Maximum fragment length is 16384" \
1735 -S "Maximum fragment length is 16384" \
1736 -c "fragment larger than.*maximum "
1737
1738requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001739run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001740 "$P_SRV debug_level=3" \
1741 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001742 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001743 -c "Maximum fragment length is 4096" \
1744 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001745 -c "client hello, adding max_fragment_length extension" \
1746 -s "found max fragment length extension" \
1747 -s "server hello, max_fragment_length extension" \
1748 -c "found max_fragment_length extension"
1749
Hanno Becker4aed27e2017-09-18 15:00:34 +01001750requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001751run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001752 "$P_SRV debug_level=3 max_frag_len=4096" \
1753 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001754 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001755 -c "Maximum fragment length is 16384" \
1756 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001757 -C "client hello, adding max_fragment_length extension" \
1758 -S "found max fragment length extension" \
1759 -S "server hello, max_fragment_length extension" \
1760 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001761
Hanno Becker4aed27e2017-09-18 15:00:34 +01001762requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001763requires_gnutls
1764run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001765 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001766 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001767 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001768 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001769 -c "client hello, adding max_fragment_length extension" \
1770 -c "found max_fragment_length extension"
1771
Hanno Becker4aed27e2017-09-18 15:00:34 +01001772requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001773run_test "Max fragment length: client, message just fits" \
1774 "$P_SRV debug_level=3" \
1775 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1776 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001777 -c "Maximum fragment length is 2048" \
1778 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001779 -c "client hello, adding max_fragment_length extension" \
1780 -s "found max fragment length extension" \
1781 -s "server hello, max_fragment_length extension" \
1782 -c "found max_fragment_length extension" \
1783 -c "2048 bytes written in 1 fragments" \
1784 -s "2048 bytes read"
1785
Hanno Becker4aed27e2017-09-18 15:00:34 +01001786requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001787run_test "Max fragment length: client, larger message" \
1788 "$P_SRV debug_level=3" \
1789 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1790 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001791 -c "Maximum fragment length is 2048" \
1792 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001793 -c "client hello, adding max_fragment_length extension" \
1794 -s "found max fragment length extension" \
1795 -s "server hello, max_fragment_length extension" \
1796 -c "found max_fragment_length extension" \
1797 -c "2345 bytes written in 2 fragments" \
1798 -s "2048 bytes read" \
1799 -s "297 bytes read"
1800
Hanno Becker4aed27e2017-09-18 15:00:34 +01001801requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +00001802run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001803 "$P_SRV debug_level=3 dtls=1" \
1804 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1805 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001806 -c "Maximum fragment length is 2048" \
1807 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001808 -c "client hello, adding max_fragment_length extension" \
1809 -s "found max fragment length extension" \
1810 -s "server hello, max_fragment_length extension" \
1811 -c "found max_fragment_length extension" \
1812 -c "fragment larger than.*maximum"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001814# Tests for renegotiation
1815
Hanno Becker6a243642017-10-12 15:18:45 +01001816# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001817run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001818 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001819 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001820 0 \
1821 -C "client hello, adding renegotiation extension" \
1822 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1823 -S "found renegotiation extension" \
1824 -s "server hello, secure renegotiation extension" \
1825 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001826 -C "=> renegotiate" \
1827 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001828 -S "write hello request"
1829
Hanno Becker6a243642017-10-12 15:18:45 +01001830requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001831run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001832 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001833 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001834 0 \
1835 -c "client hello, adding renegotiation extension" \
1836 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1837 -s "found renegotiation extension" \
1838 -s "server hello, secure renegotiation extension" \
1839 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001840 -c "=> renegotiate" \
1841 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001842 -S "write hello request"
1843
# Server-initiated renegotiation between two Mbed TLS endpoints: the server is
# started with renegotiate=1 and must log "write hello request".
# As used throughout these tests, -c/-s name a pattern expected in the
# client/server log and -C/-S a pattern that must be absent (run_test itself
# is defined outside this excerpt).
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating
# SHA-1 would mean that the server did not parse the Signature Algorithm
# extension. This test is valid only if an MD algorithm stronger than SHA-1 is
# enabled in config.h.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request" \
    -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?

# Same SHA-1 check as above, with the renegotiation started by the server
# (renegotiate=1 on the server side, so "write hello request" is expected).
# Like the client-initiated variant, it is valid only if an MD algorithm
# stronger than SHA-1 is enabled in config.h.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?

# Both peers are started with renegotiate=1.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: double" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"
1907
# One side refuses renegotiation (renegotiation=0). The tests below pin down
# which peer is expected to log a failure for each setting of the server's
# renego_delay option.

# Server has renegotiation=0: the client's attempt must fail (exit code 1) and
# the server must never enter "=> renegotiate".
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: client-initiated, server-rejected" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -c "SSL - Unexpected message at ServerHello in renegotiation" \
    -c "failed"

# Client has renegotiation=0 and the server uses its default renego_delay:
# the hello request is written, nobody renegotiates, and neither side fails.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, default" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# renego_delay=-1: the server does not enforce its renegotiation request.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
        renego_delay=-1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# delay 2 for 1 alert record + 1 application data record
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
        renego_delay=2 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# renego_delay=0: the server is expected to report the unexpected message as
# soon as the client keeps sending data instead of renegotiating.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
        renego_delay=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -s "SSL - An unexpected message was received from our peer"

# Same server settings, but the client accepts: no failure on either side.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
        renego_delay=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"
2007
# Periodic renegotiation: the server runs with renego_period=3 and the number
# of client exchanges decides whether "record counter limit reached" shows up
# in the server log.

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, just below period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -S "record counter limit reached: renegotiate" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# one extra exchange to be able to complete renego
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, just above period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, two times period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# With renegotiation=0 on the server, renego_period must have no effect.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, above period, disabled" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -S "record counter limit reached: renegotiate" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"
2076
# Renegotiation with nbio=2 set on both peers, once started by the client and
# once by the server.

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: nbio, client-initiated" \
    "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
    "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request"

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: nbio, server-initiated" \
    "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
    "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"
2104
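# Interoperability: the Mbed TLS client renegotiates against an OpenSSL server
# and against a GnuTLS server that insists on secure renegotiation.
#
# The negative handshake check used to read "ssl_hanshake() returned", a
# misspelt pattern that no log line can contain, so it could never fail. It now
# uses the spelling that the "gnutls server unsafe" tests in this file expect
# in the failure case, which makes the absence check meaningful.

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: openssl server, client-initiated" \
    "$O_SRV -www" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server strict, client-initiated" \
    "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"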
2129
# GnuTLS server with %DISABLE_SAFE_RENEGOTIATION: the client must not see the
# renegotiation extension, and both with its default settings and with
# allow_legacy=0 its renegotiation attempt has to fail (exit code 1) rather
# than fall back to legacy, unprotected renegotiation.

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -c "mbedtls_ssl_handshake() returned" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
        allow_legacy=0" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -c "mbedtls_ssl_handshake() returned" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"
2156
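# Opt-in counterpart of the two "unsafe" tests above: with allow_legacy=1 the
# client renegotiates even though the server sent no renegotiation extension.
# This is the legacy behaviour that secure renegotiation (RFC 5746) was
# introduced to replace, so it is only reachable through the explicit option.
#
# The negative handshake check used to read "ssl_hanshake() returned", a
# misspelt pattern that can never match; it now uses the spelling asserted by
# the failure-case tests above.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
        allow_legacy=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"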
2170
# Renegotiation over DTLS (dtls=1 on the Mbed TLS side).

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, client-initiated" \
    "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
    "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request"

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, server-initiated" \
    "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
    "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
        read_timeout=1000 max_resend=2" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# renego_period=18446462598732840962 is 0xFFFF000000000002. The server is
# still expected to hit "record counter limit reached" within 4 exchanges.
# NOTE(review): presumably this guards the comparison against the 16-bit epoch
# that prefixes the DTLS record counter -- confirm against the library code.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, renego_period overflow" \
    "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
    "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
    "$G_SRV -u --mtu 4096" \
    "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake returned" \
    -C "error" \
    -s "Extra-header:"
2226
# Tests for the "secure renegotiation" extension only (no actual renegotiation).
#
# allow_legacy=-1 ("break legacy") is the strict setting: the initial handshake
# itself must fail (exit code 1) when the peer does not offer the extension.
# With default settings the handshake completes either way.

requires_gnutls
run_test "Renego ext: gnutls server strict, client default" \
    "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3" \
    0 \
    -c "found renegotiation extension" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
run_test "Renego ext: gnutls server unsafe, client default" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3" \
    0 \
    -C "found renegotiation extension" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
run_test "Renego ext: gnutls server unsafe, client break legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 allow_legacy=-1" \
    1 \
    -C "found renegotiation extension" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"

# Server side: a client may signal support through either the SCSV or the
# extension itself, hence the alternation in the first pattern.
requires_gnutls
run_test "Renego ext: gnutls client strict, server default" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
    0 \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -s "server hello, secure renegotiation extension"

requires_gnutls
run_test "Renego ext: gnutls client unsafe, server default" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    0 \
    -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -S "server hello, secure renegotiation extension"

requires_gnutls
run_test "Renego ext: gnutls client unsafe, server break legacy" \
    "$P_SRV debug_level=3 allow_legacy=-1" \
    "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    1 \
    -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -S "server hello, secure renegotiation extension"
2279
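# Tests for silently dropping trailing extra bytes in .der certificates.
#
# Each test loads a server certificate file with a different amount of
# trailing data and only asserts that a GnuTLS client completes the handshake.
# NOTE(review): nothing here checks that the bytes sent on the wire exclude the
# trailing data; the peer accepting the certificate is the only evidence.
#
# The last argument of every run_test call used to end in a dangling "\",
# which only worked because a blank line followed; the continuation is removed
# so that the next requires_gnutls can never be swallowed as an argument.

requires_gnutls
run_test "DER format: no trailing bytes" \
    "$P_SRV crt_file=data_files/server5-der0.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with a trailing zero byte" \
    "$P_SRV crt_file=data_files/server5-der1a.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with a trailing random byte" \
    "$P_SRV crt_file=data_files/server5-der1b.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 2 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der2.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 4 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der4.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 8 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der8.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 9 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der9.crt \
        key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"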
2337
# Tests for auth_mode
#
# Client-side verification of the server certificate. Note what the expected
# results encode: with auth_mode=optional the handshake succeeds (exit code 0)
# even though the verification failure is logged, and with auth_mode=none
# x509_verify_cert() is not reported at all. Only auth_mode=required turns a
# bad certificate into a failed handshake.

run_test "Authentication: server badcert, client required" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
        key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=required" \
    1 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! mbedtls_ssl_handshake returned" \
    -c "X509 - Certificate verification failed"

run_test "Authentication: server badcert, client optional" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
        key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=optional" \
    0 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed"

# No trusted CA configured on the client (ca_file=none ca_path=none).
run_test "Authentication: server goodcert, client optional, no trusted CA" \
    "$P_SRV" \
    "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
    0 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! Certificate verification flags" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed" \
    -C "SSL - No CA Chain is set, but required to operate"

run_test "Authentication: server goodcert, client required, no trusted CA" \
    "$P_SRV" \
    "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
    1 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! Certificate verification flags" \
    -c "! mbedtls_ssl_handshake returned" \
    -c "SSL - No CA Chain is set, but required to operate"

# The purpose of the next two tests is to test the client's behaviour when
# receiving a server certificate with an unsupported elliptic curve. This
# should usually not happen because the client informs the server about the
# supported curves - it does, though, in the corner case of a static ECDH
# suite, because the server doesn't check the curve on that occasion (to be
# fixed). If that bug is fixed, the tests need to be altered to use a different
# means of making the server ignore the client's supported curve list.

requires_config_enabled MBEDTLS_ECP_C
run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
    "$P_SRV debug_level=1 key_file=data_files/server5.key \
        crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
    1 \
    -c "bad certificate (EC key curve)" \
    -c "! Certificate verification flags" \
    -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage

requires_config_enabled MBEDTLS_ECP_C
run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
    "$P_SRV debug_level=1 key_file=data_files/server5.key \
        crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
    1 \
    -c "bad certificate (EC key curve)" \
    -c "! Certificate verification flags" \
    -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check

run_test "Authentication: server badcert, client none" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
        key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=none" \
    0 \
    -C "x509_verify_cert() returned" \
    -C "! The certificate is not correctly signed by the trusted CA" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed"
2417
# Client authentication with the server in auth_mode=required.
#
# NOTE(review): the two "client SHA..." tests assert the same two log lines
# (signature algorithms 4 and 5 found), and each name mentions the hash that
# the forced ciphersuite does NOT end in. Neither test asserts which hash the
# client actually signed with -- confirm that this is the intended coverage.

run_test "Authentication: client SHA256, server required" \
    "$P_SRV auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
        key_file=data_files/server6.key \
        force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    0 \
    -c "Supported Signature Algorithm found: 4," \
    -c "Supported Signature Algorithm found: 5,"

run_test "Authentication: client SHA384, server required" \
    "$P_SRV auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
        key_file=data_files/server6.key \
        force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
    0 \
    -c "Supported Signature Algorithm found: 4," \
    -c "Supported Signature Algorithm found: 5,"

# A client without a certificate must be rejected when the server requires
# one: both peers report a failed handshake. The SSLv3 and TLS variants differ
# in the client-side log lines they expect.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Authentication: client has no cert, server required (SSLv3)" \
    "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
    "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
        key_file=data_files/server5.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -c "got no certificate to send" \
    -S "x509_verify_cert() returned" \
    -s "client has no certificate" \
    -s "! mbedtls_ssl_handshake returned" \
    -c "! mbedtls_ssl_handshake returned" \
    -s "No client certification received from the client, but required by the authentication mode"

run_test "Authentication: client has no cert, server required (TLS)" \
    "$P_SRV debug_level=3 auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=none \
        key_file=data_files/server5.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -c "= write certificate$" \
    -C "skip write certificate$" \
    -S "x509_verify_cert() returned" \
    -s "client has no certificate" \
    -s "! mbedtls_ssl_handshake returned" \
    -c "! mbedtls_ssl_handshake returned" \
    -s "No client certification received from the client, but required by the authentication mode"
2467
# Client presents server5-badsign.crt to a server with auth_mode=required.
# The full client-auth exchange must take place (nothing skipped), chain
# verification must fail on the server, and the server must send a fatal alert
# (level=2) with description 48, which is unknown_ca in the TLS alert registry.
# Both sides are expected to report a failed handshake (result 1).
run_test    "Authentication: client badcert, server required" \
            "$P_SRV debug_level=3 auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -s "! mbedtls_ssl_handshake returned" \
            -s "send alert level=2 message=48" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002488
Janos Follath89baba22017-04-10 14:34:35 +01002489run_test "Authentication: client cert not trusted, server required" \
2490 "$P_SRV debug_level=3 auth_mode=required" \
2491 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2492 key_file=data_files/server5.key" \
2493 1 \
2494 -S "skip write certificate request" \
2495 -C "skip parse certificate request" \
2496 -c "got a certificate request" \
2497 -C "skip write certificate" \
2498 -C "skip write certificate verify" \
2499 -S "skip parse certificate verify" \
2500 -s "x509_verify_cert() returned" \
2501 -s "! The certificate is not correctly signed by the trusted CA" \
2502 -s "! mbedtls_ssl_handshake returned" \
2503 -c "! mbedtls_ssl_handshake returned" \
2504 -s "X509 - Certificate verification failed"
2505
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002506run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002507 "$P_SRV debug_level=3 auth_mode=optional" \
2508 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002509 key_file=data_files/server5.key" \
2510 0 \
2511 -S "skip write certificate request" \
2512 -C "skip parse certificate request" \
2513 -c "got a certificate request" \
2514 -C "skip write certificate" \
2515 -C "skip write certificate verify" \
2516 -S "skip parse certificate verify" \
2517 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002518 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002519 -S "! mbedtls_ssl_handshake returned" \
2520 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002521 -S "X509 - Certificate verification failed"
2522
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002523run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002524 "$P_SRV debug_level=3 auth_mode=none" \
2525 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002526 key_file=data_files/server5.key" \
2527 0 \
2528 -s "skip write certificate request" \
2529 -C "skip parse certificate request" \
2530 -c "got no certificate request" \
2531 -c "skip write certificate" \
2532 -c "skip write certificate verify" \
2533 -s "skip parse certificate verify" \
2534 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002535 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002536 -S "! mbedtls_ssl_handshake returned" \
2537 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002538 -S "X509 - Certificate verification failed"
2539
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002540run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002541 "$P_SRV debug_level=3 auth_mode=optional" \
2542 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002543 0 \
2544 -S "skip write certificate request" \
2545 -C "skip parse certificate request" \
2546 -c "got a certificate request" \
2547 -C "skip write certificate$" \
2548 -C "got no certificate to send" \
2549 -S "SSLv3 client has no certificate" \
2550 -c "skip write certificate verify" \
2551 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002552 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002553 -S "! mbedtls_ssl_handshake returned" \
2554 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002555 -S "X509 - Certificate verification failed"
2556
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002557run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002558 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002559 "$O_CLI" \
2560 0 \
2561 -S "skip write certificate request" \
2562 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002563 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002564 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002565 -S "X509 - Certificate verification failed"
2566
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002567run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002568 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002569 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002570 0 \
2571 -C "skip parse certificate request" \
2572 -c "got a certificate request" \
2573 -C "skip write certificate$" \
2574 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002575 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002576
Gilles Peskinefd8332e2017-05-03 16:25:07 +02002577run_test "Authentication: client no cert, openssl server required" \
2578 "$O_SRV -Verify 10" \
2579 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2580 1 \
2581 -C "skip parse certificate request" \
2582 -c "got a certificate request" \
2583 -C "skip write certificate$" \
2584 -c "skip write certificate verify" \
2585 -c "! mbedtls_ssl_handshake returned"
2586
Janos Follathe2681a42016-03-07 15:57:05 +00002587requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002588run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002589 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01002590 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002591 0 \
2592 -S "skip write certificate request" \
2593 -C "skip parse certificate request" \
2594 -c "got a certificate request" \
2595 -C "skip write certificate$" \
2596 -c "skip write certificate verify" \
2597 -c "got no certificate to send" \
2598 -s "SSLv3 client has no certificate" \
2599 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002600 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002601 -S "! mbedtls_ssl_handshake returned" \
2602 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002603 -S "X509 - Certificate verification failed"
2604
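# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
# default value (8)

# Intermediate-CA limit that the dir-maxpath test chains are built around.
MAX_IM_CA='8'
# Value set explicitly in the build configuration; presumably empty when the
# option is not defined there, in which case the check below is skipped.
MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)

# Abort early on a non-default limit: the chain-length tests would otherwise
# report misleading passes or failures for the path-length enforcement.
if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
    # Variables are passed as printf arguments rather than spliced into the
    # format string, so a '%' or '\' in their value is printed literally.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_IM_CA}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi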
2622
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002623run_test "Authentication: server max_int chain, client default" \
2624 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2625 key_file=data_files/dir-maxpath/09.key" \
2626 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2627 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002628 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002629
2630run_test "Authentication: server max_int+1 chain, client default" \
2631 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2632 key_file=data_files/dir-maxpath/10.key" \
2633 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2634 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002635 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002636
2637run_test "Authentication: server max_int+1 chain, client optional" \
2638 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2639 key_file=data_files/dir-maxpath/10.key" \
2640 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2641 auth_mode=optional" \
2642 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002643 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002644
2645run_test "Authentication: server max_int+1 chain, client none" \
2646 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2647 key_file=data_files/dir-maxpath/10.key" \
2648 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2649 auth_mode=none" \
2650 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002651 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002652
2653run_test "Authentication: client max_int+1 chain, server default" \
2654 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2655 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2656 key_file=data_files/dir-maxpath/10.key" \
2657 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002658 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002659
2660run_test "Authentication: client max_int+1 chain, server optional" \
2661 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2662 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2663 key_file=data_files/dir-maxpath/10.key" \
2664 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002665 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002666
2667run_test "Authentication: client max_int+1 chain, server required" \
2668 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2669 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2670 key_file=data_files/dir-maxpath/10.key" \
2671 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002672 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002673
2674run_test "Authentication: client max_int chain, server required" \
2675 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2676 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2677 key_file=data_files/dir-maxpath/09.key" \
2678 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002679 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002680
Janos Follath89baba22017-04-10 14:34:35 +01002681# Tests for CA list in CertificateRequest messages
2682
2683run_test "Authentication: send CA list in CertificateRequest (default)" \
2684 "$P_SRV debug_level=3 auth_mode=required" \
2685 "$P_CLI crt_file=data_files/server6.crt \
2686 key_file=data_files/server6.key" \
2687 0 \
2688 -s "requested DN"
2689
2690run_test "Authentication: do not send CA list in CertificateRequest" \
2691 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2692 "$P_CLI crt_file=data_files/server6.crt \
2693 key_file=data_files/server6.key" \
2694 0 \
2695 -S "requested DN"
2696
2697run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2698 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2699 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2700 key_file=data_files/server5.key" \
2701 1 \
2702 -S "requested DN" \
2703 -s "x509_verify_cert() returned" \
2704 -s "! The certificate is not correctly signed by the trusted CA" \
2705 -s "! mbedtls_ssl_handshake returned" \
2706 -c "! mbedtls_ssl_handshake returned" \
2707 -s "X509 - Certificate verification failed"
2708
# Tests for certificate selection based on SHA version
2710
2711run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2712 "$P_SRV crt_file=data_files/server5.crt \
2713 key_file=data_files/server5.key \
2714 crt_file2=data_files/server5-sha1.crt \
2715 key_file2=data_files/server5.key" \
2716 "$P_CLI force_version=tls1_2" \
2717 0 \
2718 -c "signed using.*ECDSA with SHA256" \
2719 -C "signed using.*ECDSA with SHA1"
2720
2721run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2722 "$P_SRV crt_file=data_files/server5.crt \
2723 key_file=data_files/server5.key \
2724 crt_file2=data_files/server5-sha1.crt \
2725 key_file2=data_files/server5.key" \
2726 "$P_CLI force_version=tls1_1" \
2727 0 \
2728 -C "signed using.*ECDSA with SHA256" \
2729 -c "signed using.*ECDSA with SHA1"
2730
2731run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2732 "$P_SRV crt_file=data_files/server5.crt \
2733 key_file=data_files/server5.key \
2734 crt_file2=data_files/server5-sha1.crt \
2735 key_file2=data_files/server5.key" \
2736 "$P_CLI force_version=tls1" \
2737 0 \
2738 -C "signed using.*ECDSA with SHA256" \
2739 -c "signed using.*ECDSA with SHA1"
2740
2741run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2742 "$P_SRV crt_file=data_files/server5.crt \
2743 key_file=data_files/server5.key \
2744 crt_file2=data_files/server6.crt \
2745 key_file2=data_files/server6.key" \
2746 "$P_CLI force_version=tls1_1" \
2747 0 \
2748 -c "serial number.*09" \
2749 -c "signed using.*ECDSA with SHA256" \
2750 -C "signed using.*ECDSA with SHA1"
2751
2752run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2753 "$P_SRV crt_file=data_files/server6.crt \
2754 key_file=data_files/server6.key \
2755 crt_file2=data_files/server5.crt \
2756 key_file2=data_files/server5.key" \
2757 "$P_CLI force_version=tls1_1" \
2758 0 \
2759 -c "serial number.*0A" \
2760 -c "signed using.*ECDSA with SHA256" \
2761 -C "signed using.*ECDSA with SHA1"
2762
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002763# tests for SNI
2764
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002765run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002766 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002767 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002768 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002769 0 \
2770 -S "parse ServerName extension" \
2771 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2772 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002773
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002774run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002775 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002776 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002777 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002778 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002779 0 \
2780 -s "parse ServerName extension" \
2781 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2782 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002783
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002784run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002785 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002786 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002787 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002788 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002789 0 \
2790 -s "parse ServerName extension" \
2791 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2792 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002793
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002794run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002795 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002796 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002797 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002798 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002799 1 \
2800 -s "parse ServerName extension" \
2801 -s "ssl_sni_wrapper() returned" \
2802 -s "mbedtls_ssl_handshake returned" \
2803 -c "mbedtls_ssl_handshake returned" \
2804 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002805
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002806run_test "SNI: client auth no override: optional" \
2807 "$P_SRV debug_level=3 auth_mode=optional \
2808 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2809 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2810 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002811 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002812 -S "skip write certificate request" \
2813 -C "skip parse certificate request" \
2814 -c "got a certificate request" \
2815 -C "skip write certificate" \
2816 -C "skip write certificate verify" \
2817 -S "skip parse certificate verify"
2818
2819run_test "SNI: client auth override: none -> optional" \
2820 "$P_SRV debug_level=3 auth_mode=none \
2821 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2822 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2823 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002824 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002825 -S "skip write certificate request" \
2826 -C "skip parse certificate request" \
2827 -c "got a certificate request" \
2828 -C "skip write certificate" \
2829 -C "skip write certificate verify" \
2830 -S "skip parse certificate verify"
2831
2832run_test "SNI: client auth override: optional -> none" \
2833 "$P_SRV debug_level=3 auth_mode=optional \
2834 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2835 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2836 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002837 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002838 -s "skip write certificate request" \
2839 -C "skip parse certificate request" \
2840 -c "got no certificate request" \
2841 -c "skip write certificate" \
2842 -c "skip write certificate verify" \
2843 -s "skip parse certificate verify"
2844
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002845run_test "SNI: CA no override" \
2846 "$P_SRV debug_level=3 auth_mode=optional \
2847 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2848 ca_file=data_files/test-ca.crt \
2849 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2850 "$P_CLI debug_level=3 server_name=localhost \
2851 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2852 1 \
2853 -S "skip write certificate request" \
2854 -C "skip parse certificate request" \
2855 -c "got a certificate request" \
2856 -C "skip write certificate" \
2857 -C "skip write certificate verify" \
2858 -S "skip parse certificate verify" \
2859 -s "x509_verify_cert() returned" \
2860 -s "! The certificate is not correctly signed by the trusted CA" \
2861 -S "The certificate has been revoked (is on a CRL)"
2862
2863run_test "SNI: CA override" \
2864 "$P_SRV debug_level=3 auth_mode=optional \
2865 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2866 ca_file=data_files/test-ca.crt \
2867 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2868 "$P_CLI debug_level=3 server_name=localhost \
2869 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2870 0 \
2871 -S "skip write certificate request" \
2872 -C "skip parse certificate request" \
2873 -c "got a certificate request" \
2874 -C "skip write certificate" \
2875 -C "skip write certificate verify" \
2876 -S "skip parse certificate verify" \
2877 -S "x509_verify_cert() returned" \
2878 -S "! The certificate is not correctly signed by the trusted CA" \
2879 -S "The certificate has been revoked (is on a CRL)"
2880
2881run_test "SNI: CA override with CRL" \
2882 "$P_SRV debug_level=3 auth_mode=optional \
2883 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2884 ca_file=data_files/test-ca.crt \
2885 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2886 "$P_CLI debug_level=3 server_name=localhost \
2887 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2888 1 \
2889 -S "skip write certificate request" \
2890 -C "skip parse certificate request" \
2891 -c "got a certificate request" \
2892 -C "skip write certificate" \
2893 -C "skip write certificate verify" \
2894 -S "skip parse certificate verify" \
2895 -s "x509_verify_cert() returned" \
2896 -S "! The certificate is not correctly signed by the trusted CA" \
2897 -s "The certificate has been revoked (is on a CRL)"
2898
Andres AGe8b07742016-12-07 10:01:30 +00002899# Tests for SNI and DTLS
2900
Andres Amaya Garciaf9519bf2018-05-01 20:27:37 +01002901run_test "SNI: DTLS, no SNI callback" \
2902 "$P_SRV debug_level=3 dtls=1 \
2903 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
2904 "$P_CLI server_name=localhost dtls=1" \
2905 0 \
2906 -S "parse ServerName extension" \
2907 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2908 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2909
Andres Amaya Garcia914eea42018-05-01 20:26:47 +01002910run_test "SNI: DTLS, matching cert 1" \
Andres AGe8b07742016-12-07 10:01:30 +00002911 "$P_SRV debug_level=3 dtls=1 \
2912 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2913 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2914 "$P_CLI server_name=localhost dtls=1" \
2915 0 \
2916 -s "parse ServerName extension" \
2917 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2918 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2919
Andres Amaya Garciaf9519bf2018-05-01 20:27:37 +01002920run_test "SNI: DTLS, matching cert 2" \
2921 "$P_SRV debug_level=3 dtls=1 \
2922 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2923 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2924 "$P_CLI server_name=polarssl.example dtls=1" \
2925 0 \
2926 -s "parse ServerName extension" \
2927 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2928 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
2929
2930run_test "SNI: DTLS, no matching cert" \
2931 "$P_SRV debug_level=3 dtls=1 \
2932 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2933 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2934 "$P_CLI server_name=nonesuch.example dtls=1" \
2935 1 \
2936 -s "parse ServerName extension" \
2937 -s "ssl_sni_wrapper() returned" \
2938 -s "mbedtls_ssl_handshake returned" \
2939 -c "mbedtls_ssl_handshake returned" \
2940 -c "SSL - A fatal alert message was received from our peer"
2941
2942run_test "SNI: DTLS, client auth no override: optional" \
2943 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2944 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2945 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2946 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2947 0 \
2948 -S "skip write certificate request" \
2949 -C "skip parse certificate request" \
2950 -c "got a certificate request" \
2951 -C "skip write certificate" \
2952 -C "skip write certificate verify" \
2953 -S "skip parse certificate verify"
2954
2955run_test "SNI: DTLS, client auth override: none -> optional" \
2956 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
2957 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2958 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2959 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2960 0 \
2961 -S "skip write certificate request" \
2962 -C "skip parse certificate request" \
2963 -c "got a certificate request" \
2964 -C "skip write certificate" \
2965 -C "skip write certificate verify" \
2966 -S "skip parse certificate verify"
2967
2968run_test "SNI: DTLS, client auth override: optional -> none" \
2969 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2970 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2971 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2972 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2973 0 \
2974 -s "skip write certificate request" \
2975 -C "skip parse certificate request" \
2976 -c "got no certificate request" \
2977 -c "skip write certificate" \
2978 -c "skip write certificate verify" \
2979 -s "skip parse certificate verify"
2980
# Conventions assumed below (run_test is defined earlier in the file, outside
# this excerpt -- confirm there): the bare number is the expected client exit
# status; -s/-c give a pattern that must appear in the server/client log,
# -S/-C a pattern that must not appear.
#
# Each sni= entry reads as name,crt,key,ca,crl,auth_mode. Going by the test
# names, "-" in the ca/crl slots keeps the server-wide setting for that name.

# The client presents server6.crt. With no per-name CA it is checked against
# the server-wide ca_file (test-ca.crt): the server must log the "not correctly
# signed" verify error and the client must exit 1.
run_test "SNI: DTLS, CA no override" \
    "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
        crt_file=data_files/server5.crt key_file=data_files/server5.key \
        ca_file=data_files/test-ca.crt \
        sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
    "$P_CLI debug_level=3 server_name=localhost dtls=1 \
        crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -S "The certificate has been revoked (is on a CRL)"

# Same client certificate, but the SNI entry names test-ca2.crt as CA: the
# handshake must succeed and none of the verify-error lines may be logged.
run_test "SNI: DTLS, CA override" \
    "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
        crt_file=data_files/server5.crt key_file=data_files/server5.key \
        ca_file=data_files/test-ca.crt \
        sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
    "$P_CLI debug_level=3 server_name=localhost dtls=1 \
        crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -S "x509_verify_cert() returned" \
    -S "! The certificate is not correctly signed by the trusted CA" \
    -S "The certificate has been revoked (is on a CRL)"

# CA override plus a per-name CRL (crl-ec-sha256.pem): the signature error must
# stay absent, but the server must report the certificate as revoked and the
# client must exit 1. This pins that the per-name CRL is actually consulted.
run_test "SNI: DTLS, CA override with CRL" \
    "$P_SRV debug_level=3 auth_mode=optional \
        crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
        ca_file=data_files/test-ca.crt \
        sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
    "$P_CLI debug_level=3 server_name=localhost dtls=1 \
        crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -S "! The certificate is not correctly signed by the trusted CA" \
    -s "The certificate has been revoked (is on a CRL)"
# Tests for non-blocking I/O: exercise a variety of handshake flows
#
# Every case runs both peers with nbio=2 and expects a clean run: exit status
# 0, no "mbedtls_ssl_handshake returned" line in either log, and the client
# reporting bytes read from the server. The cases differ only in session
# tickets (tickets=0/1), client authentication (auth_mode) and whether the
# client reconnects to resume (reconnect=1).

run_test "Non-blocking I/O: basic handshake" \
    "$P_SRV nbio=2 tickets=0 auth_mode=none" \
    "$P_CLI nbio=2 tickets=0" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: client auth" \
    "$P_SRV nbio=2 tickets=0 auth_mode=required" \
    "$P_CLI nbio=2 tickets=0" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket" \
    "$P_SRV nbio=2 tickets=1 auth_mode=none" \
    "$P_CLI nbio=2 tickets=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + client auth" \
    "$P_SRV nbio=2 tickets=1 auth_mode=required" \
    "$P_CLI nbio=2 tickets=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + client auth + resume" \
    "$P_SRV nbio=2 tickets=1 auth_mode=required" \
    "$P_CLI nbio=2 tickets=1 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + resume" \
    "$P_SRV nbio=2 tickets=1 auth_mode=none" \
    "$P_CLI nbio=2 tickets=1 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

# tickets=0 on both sides, so the reconnect goes through the session-ID path.
run_test "Non-blocking I/O: session-id resume" \
    "$P_SRV nbio=2 tickets=0 auth_mode=none" \
    "$P_CLI nbio=2 tickets=0 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"
# Tests for version negotiation
#
# The first six cases check that the peers settle on the highest version both
# allow and that both logs name it. The last two check the floor: when one
# side's min_version is above the other's max_version the handshake must fail
# (exit 1) rather than fall back, and the side whose minimum was violated must
# log the min/max boundaries error.

run_test "Version check: all -> 1.2" \
    "$P_SRV" \
    "$P_CLI" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.2" \
    -c "Protocol is TLSv1.2"

run_test "Version check: cli max 1.1 -> 1.1" \
    "$P_SRV" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli+srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
    "$P_SRV min_version=tls1_1" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI min_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

# Client floor (1.2) above server ceiling (1.1): the boundaries error is
# expected in the client log.
run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI min_version=tls1_2" \
    1 \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -c "SSL - Handshake protocol not within min/max boundaries"

# Server floor (1.2) above client ceiling (1.1): the boundaries error is
# expected in the server log.
run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
    "$P_SRV min_version=tls1_2" \
    "$P_CLI max_version=tls1_1" \
    1 \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -s "SSL - Handshake protocol not within min/max boundaries"
# Tests for ALPN extension
#
# The alert pattern "[2:120]" is level 2 (fatal), description 120
# (no_application_protocol, RFC 7301). It must be absent whenever negotiation
# is skipped or succeeds and present only when both sides offer protocols with
# nothing in common.
# NOTE(review): some negative client patterns read "found alpn extension "
# with a trailing space while the positive ones have none; the difference is
# kept as-is here -- confirm it is intentional.

# Neither side configures ALPN: no extension is sent, found or reported.
run_test "ALPN: none" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -C "client hello, adding alpn extension" \
    -S "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension " \
    -C "Application Layer Protocol is" \
    -S "Application Layer Protocol is"

# Only the client offers protocols: the server sees the extension but does not
# answer it, and the client ends up with "(none)".
run_test "ALPN: client only" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 alpn=abc,1234" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension " \
    -c "Application Layer Protocol is (none)" \
    -S "Application Layer Protocol is"

# Only the server is configured: nothing goes on the wire and the server
# reports "(none)".
run_test "ALPN: server only" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3" \
    0 \
    -C "client hello, adding alpn extension" \
    -S "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension " \
    -C "Application Layer Protocol is" \
    -s "Application Layer Protocol is (none)"

# Both sides list abc first: abc is selected.
run_test "ALPN: both, common cli1-srv1" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=abc,1234" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is abc" \
    -s "Application Layer Protocol is abc"

# The client prefers 1234 but abc is still chosen: the server's order decides.
run_test "ALPN: both, common cli2-srv1" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=1234,abc" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is abc" \
    -s "Application Layer Protocol is abc"

# The only overlap is the server's second choice, 1234. "abcde" on the client
# must not match the server's "abc", so this also covers exact-name matching.
run_test "ALPN: both, common cli1-srv2" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=1234,abcde" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is 1234" \
    -s "Application Layer Protocol is 1234"

# No overlap (abc/123 against 1234/abcde): the client must receive the fatal
# alert and exit 1; neither side may report 1234 as selected.
run_test "ALPN: both, no common" \
    "$P_SRV debug_level=3 alpn=abc,123" \
    "$P_CLI debug_level=3 alpn=1234,abcde" \
    1 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -c "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension" \
    -C "Application Layer Protocol is 1234" \
    -S "Application Layer Protocol is 1234"
# Tests for keyUsage in leaf certificates, part 1:
# server-side certificate/suite selection
#
# The server is given a certificate whose keyUsage carries a single bit (the
# file suffix names it: ds, ke, ka) and the client uses its defaults. The
# negotiated suite must be one the key is allowed to serve; where no suite
# fits, the client must exit 1 without ever logging a ciphersuite.

# RSA key limited to signing: only (EC)DHE-RSA suites qualify.
run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
    "$P_SRV key_file=data_files/server2.key \
        crt_file=data_files/server2.ku-ds.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"

# RSA key limited to key encipherment: only RSA key-transport suites qualify.
run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
    "$P_SRV key_file=data_files/server2.key \
        crt_file=data_files/server2.ku-ke.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-"

# keyAgreement alone leaves an RSA key with no usable suite.
run_test "keyUsage srv: RSA, keyAgreement -> fail" \
    "$P_SRV key_file=data_files/server2.key \
        crt_file=data_files/server2.ku-ka.crt" \
    "$P_CLI" \
    1 \
    -C "Ciphersuite is "

# EC key limited to signing: ECDHE-ECDSA.
run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
    "$P_SRV key_file=data_files/server5.key \
        crt_file=data_files/server5.ku-ds.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"

# EC key limited to key agreement: a static ECDH suite.
run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
    "$P_SRV key_file=data_files/server5.key \
        crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-ECDH-"

# keyEncipherment alone leaves an EC key with no usable suite.
run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
    "$P_SRV key_file=data_files/server5.key \
        crt_file=data_files/server5.ku-ke.crt" \
    "$P_CLI" \
    1 \
    -C "Ciphersuite is "
# Tests for keyUsage in leaf certificates, part 2:
# client-side checking of server cert
#
# $O_SRV (defined outside this excerpt; the -key/-cert flags suggest the
# OpenSSL server) serves a certificate whatever its keyUsage says, so it is
# the client that must notice a mismatch with the forced ciphersuite.
# "fail" cases: the client logs the usage error, aborts on the Certificate
# message and exits 1 without a ciphersuite line.
# "fail, soft" cases: with auth_mode=optional the usage error is still logged
# but the handshake completes (exit 0). A caller using optional mode therefore
# has to inspect the verification result itself; the "!" line is where the
# sample client prints it.

run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
    "$O_SRV -key data_files/server2.key \
        -cert data_files/server2.ku-ds_ke.crt" \
    "$P_CLI debug_level=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
    "$O_SRV -key data_files/server2.key \
        -cert data_files/server2.ku-ds_ke.crt" \
    "$P_CLI debug_level=1 \
        force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
    "$O_SRV -key data_files/server2.key \
        -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

# keyEncipherment-only certificate used with a DHE-RSA suite: rejected.
run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
    "$O_SRV -key data_files/server2.key \
        -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 \
        force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"

run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
    "$O_SRV -key data_files/server2.key \
        -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 auth_mode=optional \
        force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -c "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-" \
    -c "! Usage does not match the keyUsage extension"

run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
    "$O_SRV -key data_files/server2.key \
        -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 \
        force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

# digitalSignature-only certificate used with an RSA key-transport suite:
# rejected.
run_test "keyUsage cli: DigitalSignature, RSA: fail" \
    "$O_SRV -key data_files/server2.key \
        -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"

run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
    "$O_SRV -key data_files/server2.key \
        -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 auth_mode=optional \
        force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -c "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-" \
    -c "! Usage does not match the keyUsage extension"
# Tests for keyUsage in leaf certificates, part 3:
# server-side checking of client cert
#
# Here $O_CLI (defined outside this excerpt) presents the client certificate
# and the server under test judges its keyUsage. With auth_mode=optional a bad
# usage is logged but the handshake goes on ("soft"); with auth_mode=required
# the same certificate aborts the handshake ("hard", exit 1).

run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server2.key \
        -cert data_files/server2.ku-ds.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server2.key \
        -cert data_files/server2.ku-ke.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
    "$P_SRV debug_level=1 auth_mode=required" \
    "$O_CLI -key data_files/server2.key \
        -cert data_files/server2.ku-ke.crt" \
    1 \
    -s "bad certificate (usage extensions)" \
    -s "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.ku-ds.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

# NOTE(review): the ECDSA keyAgreement case has a "soft" variant only; the RSA
# case above also has a "hard" one under auth_mode=required.
run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.ku-ka.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"
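# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
#
# The server is given a certificate with a particular extendedKeyUsage set and
# the client uses its defaults. These cases assert only the client's exit
# status, so a failing case passes on any handshake failure, not specifically
# on an EKU rejection.

run_test "extKeyUsage srv: serverAuth -> OK" \
    "$P_SRV key_file=data_files/server5.key \
        crt_file=data_files/server5.eku-srv.crt" \
    "$P_CLI" \
    0

# Fixed: this case previously loaded server5.eku-srv.crt, which made it an
# exact repeat of the serverAuth-only case above. It now uses the
# serverAuth+clientAuth certificate, the same file the identically named
# "extKeyUsage cli" and "extKeyUsage cli-auth" cases use.
run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
    "$P_SRV key_file=data_files/server5.key \
        crt_file=data_files/server5.eku-srv_cli.crt" \
    "$P_CLI" \
    0

run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
    "$P_SRV key_file=data_files/server5.key \
        crt_file=data_files/server5.eku-cs_any.crt" \
    "$P_CLI" \
    0

# NOTE(review): the name says codeSign but the certificate loaded is
# server5.eku-cli.crt; the other codeSign cases in this file use
# server5.eku-cs.crt. Left unchanged because the expected result is the same
# either way as long as the certificate lacks serverAuth -- confirm which was
# intended and align the name or the file.
run_test "extKeyUsage srv: codeSign -> fail" \
    "$P_SRV key_file=data_files/server5.key \
        crt_file=data_files/server5.eku-cli.crt" \
    "$P_CLI" \
    1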
# Tests for extendedKeyUsage, part 2: client-side checking of server cert
#
# $O_SRV (defined outside this excerpt) serves the certificate and the client
# under test decides whether its extendedKeyUsage permits use as a TLS server
# certificate. Accepted: serverAuth, serverAuth+clientAuth, and codeSign
# combined with anyEKU. Rejected: codeSign alone.

run_test "extKeyUsage cli: serverAuth -> OK" \
    "$O_SRV -key data_files/server5.key \
        -cert data_files/server5.eku-srv.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
    "$O_SRV -key data_files/server5.key \
        -cert data_files/server5.eku-srv_cli.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
    "$O_SRV -key data_files/server5.key \
        -cert data_files/server5.eku-cs_any.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

# A code-signing-only certificate must not be accepted as a server identity:
# the client logs the usage error, aborts and exits 1.
run_test "extKeyUsage cli: codeSign -> fail" \
    "$O_SRV -key data_files/server5.key \
        -cert data_files/server5.eku-cs.crt" \
    "$P_CLI debug_level=1" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"
# Tests for extendedKeyUsage, part 3: server-side checking of client cert
#
# $O_CLI (defined outside this excerpt) presents the client certificate and
# the server under test checks that its extendedKeyUsage permits client
# authentication. A codeSign-only certificate is flagged in both modes; only
# auth_mode=required turns the flag into a failed handshake.

run_test "extKeyUsage cli-auth: clientAuth -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-cli.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-srv_cli.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-cs_any.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

# Optional mode: the usage error is logged, the handshake still completes.
run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-cs.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

# Required mode: the same certificate aborts the handshake (exit 1).
run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
    "$P_SRV debug_level=1 auth_mode=required" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-cs.crt" \
    1 \
    -s "bad certificate (usage extensions)" \
    -s "Processing of the Certificate handshake message failed"
# Tests for DHM parameters loading
#
# The client forces a DHE-RSA suite and, at debug_level=3, logs the bit sizes
# of the prime P and generator G it received. The patterns check that a
# dhm_file given to the server replaces the built-in group.

# No dhm_file: the built-in group is expected to show a 2048-bit P.
run_test "DHM parameters: reference" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=3" \
    0 \
    -c "value of 'DHM: P ' (2048 bits)" \
    -c "value of 'DHM: G ' (2 bits)"

# dhparams.pem is expected to yield a 1024-bit P.
run_test "DHM parameters: other parameters" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=3" \
    0 \
    -c "value of 'DHM: P ' (1024 bits)" \
    -c "value of 'DHM: G ' (2 bits)"
# Tests for DHM client-side size checking
#
# The client refuses a server DH prime shorter than its minimum and logs
# "DHM prime too short:". dhmlen sets that minimum on the sample client.
# Taken together the cases bracket the client's default minimum: a 1024-bit
# prime is accepted and a 1000-bit one is rejected. A client that needs a
# stronger floor than that has to raise it explicitly, as the dhmlen=2048
# case does.

run_test "DHM size: server default, client default, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server default, client 2048, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1 dhmlen=2048" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server 1024, client default, OK" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1" \
    0 \
    -C "DHM prime too short:"

# Just under the default minimum: the client must reject and exit 1.
run_test "DHM size: server 1000, client default, rejected" \
    "$P_SRV dhm_file=data_files/dh.1000.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1" \
    1 \
    -c "DHM prime too short:"

# Minimum set one bit above the server's default group: rejected, which shows
# the comparison is against the exact bit length.
run_test "DHM size: server default, client 2049, rejected" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1 dhmlen=2049" \
    1 \
    -c "DHM prime too short:"
# Tests for PSK callback
#
# psk_list is passed as "abc,dead,def,beef". The passing cases pair identity
# abc with key dead and identity def with key beef, so the list reads as
# identity,key pairs.
# Every case states all three server-side messages, as present (-s) or
# absent (-S), so a failed handshake only counts when it fails for the
# intended reason:
#   no PSK on the server      -> "None of the common ciphersuites is usable"
#   identity not in psk_list  -> "Unknown identity received"
#   known identity, wrong key -> "Verification of the message MAC failed"
# "callback overrides other settings" checks that once psk_list is given, the
# server's static psk/psk_identity pair is no longer accepted.
# The keys are short fixtures and say nothing about acceptable PSK strength.

run_test "PSK callback: psk, no callback" \
    "$P_SRV psk=abc123 psk_identity=foo" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=foo psk=abc123" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: no psk, no callback" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=foo psk=abc123" \
    1 \
    -s "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: callback overrides other settings" \
    "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=foo psk=abc123" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: first id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=abc psk=dead" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: second id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=def psk=beef" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: no match" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=ghi psk=beef" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: wrong key" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=abc psk=beef" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -s "SSL - Verification of the message MAC failed"
# Tests for EC J-PAKE
#
# Every case is gated on MBEDTLS_KEY_EXCHANGE_ECJPAKE. "c0ff" is the id the
# client logs when it offers TLS-ECJPAKE-WITH-AES-128-CCM-8 (presumably
# 0xC0FF -- confirm against the ciphersuite table).
# The two "not configured" cases check both directions of the negotiation:
# a client without a password must not offer the suite or the kkpp
# extension, and a server without a password must skip the extension and
# refuse the suite.
# A wrong password (bla vs bad) is asserted only through the server-side
# "Verification of the message MAC failed" message and exit status 1.
# In DTLS the client is expected to log "re-using cached ecjpake parameters"
# unless the server runs with cookies=0 (presumably because the ClientHello
# is then sent only once -- confirm).
# NOTE(review): server_needs_more_time is defined elsewhere in this file;
# presumably it extends the server wait for the following test.

requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: client not configured" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -C "add ciphersuite: c0ff" \
    -C "adding ecjpake_kkpp extension" \
    -S "found ecjpake kkpp extension" \
    -S "skip ecjpake kkpp extension" \
    -S "ciphersuite mismatch: ecjpake not configured" \
    -S "server hello, ecjpake kkpp extension" \
    -C "found ecjpake_kkpp extension" \
    -S "None of the common ciphersuites is usable"

requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: server not configured" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -c "add ciphersuite: c0ff" \
    -c "adding ecjpake_kkpp extension" \
    -s "found ecjpake kkpp extension" \
    -s "skip ecjpake kkpp extension" \
    -s "ciphersuite mismatch: ecjpake not configured" \
    -S "server hello, ecjpake kkpp extension" \
    -C "found ecjpake_kkpp extension" \
    -s "None of the common ciphersuites is usable"

requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, TLS" \
    "$P_SRV debug_level=3 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -c "add ciphersuite: c0ff" \
    -c "adding ecjpake_kkpp extension" \
    -C "re-using cached ecjpake parameters" \
    -s "found ecjpake kkpp extension" \
    -S "skip ecjpake kkpp extension" \
    -S "ciphersuite mismatch: ecjpake not configured" \
    -s "server hello, ecjpake kkpp extension" \
    -c "found ecjpake_kkpp extension" \
    -S "None of the common ciphersuites is usable" \
    -S "SSL - Verification of the message MAC failed"

server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: password mismatch, TLS" \
    "$P_SRV debug_level=3 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 ecjpake_pw=bad \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -C "re-using cached ecjpake parameters" \
    -s "SSL - Verification of the message MAC failed"

requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -c "re-using cached ecjpake parameters" \
    -S "SSL - Verification of the message MAC failed"

requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS, no cookie" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -C "re-using cached ecjpake parameters" \
    -S "SSL - Verification of the message MAC failed"

server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: password mismatch, DTLS" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -c "re-using cached ecjpake parameters" \
    -s "SSL - Verification of the message MAC failed"

# for tests with configs/config-thread.h
# No debug_level and no log patterns: only the exit status is checked.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS, nolog" \
    "$P_SRV dtls=1 ecjpake_pw=bla" \
    "$P_CLI dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0
# Tests for ciphersuites per version
#
# version_suites carries four comma-separated suites. Going by the expected
# results, they apply in order to SSL3, TLS 1.0, TLS 1.1 and TLS 1.2: each
# case forces one protocol version on the client and expects the suite in
# the matching position.
# Each case depends on the protocol version under test plus CAMELLIA and
# AES, since the list mixes both ciphers.
# NOTE(review): arc4=1 on the TLS 1.0 client looks unnecessary, as none of
# the listed suites uses RC4 -- confirm before removing.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: SSL3" \
    "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=ssl3" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.0" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1 arc4=1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.1" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.2" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_2" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
# Test for ClientHello without extensions
#
# Uses the GnuTLS client ($G_CLI, hence requires_gnutls) with a priority
# string that switches off extensions and safe renegotiation. The server
# must complete the handshake and report an empty extensions block.
# NOTE(review): %DISABLE_SAFE_RENEGOTIATION is presumably needed so that the
# ClientHello carries no renegotiation signalling at all -- confirm.

requires_gnutls
run_test "ClientHello without extensions" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
    0 \
    -s "dumping 'client hello extensions' (0 bytes)"
# Tests for mbedtls_ssl_get_bytes_avail()
#
# The server log line is matched as a pattern. For a 100-byte request the
# line must end right after "bytes read" (trailing "$"). For a 500-byte
# request it must be followed by a parenthesised "x+y" breakdown.
# NOTE(review): the patterns are presumably handed to grep as basic regular
# expressions, where "+" is a literal character -- confirm in run_test.

run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
    "$P_SRV" \
    "$P_CLI request_size=100" \
    0 \
    -s "Read from client: 100 bytes read$"

run_test "mbedtls_ssl_get_bytes_avail: extra data" \
    "$P_SRV" \
    "$P_CLI request_size=500" \
    0 \
    -s "Read from client: 500 bytes read (.*+.*)"
Andrzej Kurekd731a632018-06-19 09:37:30 -04003808# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003809
Janos Follathe2681a42016-03-07 15:57:05 +00003810requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekd731a632018-06-19 09:37:30 -04003811run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01003812 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003813 "$P_CLI request_size=1 force_version=ssl3 \
3814 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3815 0 \
3816 -s "Read from client: 1 bytes read"
3817
Janos Follathe2681a42016-03-07 15:57:05 +00003818requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekd731a632018-06-19 09:37:30 -04003819run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01003820 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +02003821 "$P_CLI request_size=1 force_version=ssl3 \
3822 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3823 0 \
3824 -s "Read from client: 1 bytes read"
# Small client packets, TLS 1.0: block and stream cipher, each with and
# without encrypt-then-MAC (etm=0 on the client) and truncated HMAC
# (trunc_hmac=1 on both sides, gated on MBEDTLS_SSL_TRUNCATED_HMAC).
# NOTE(review): only "Read from client: 1 bytes read" is asserted. Nothing
# checks that EtM or truncated HMAC was actually negotiated, so a silently
# ignored option would still pass.
# NOTE(review): etm=0 is presumably a no-op for the RC4 cases, since
# encrypt-then-MAC applies to CBC suites -- confirm.

run_test "Small client packet TLS 1.0 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 etm=0 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
        trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"
# Small client packets, TLS 1.1: the same block/stream, EtM and truncated
# HMAC combinations as for the other versions, with force_version=tls1_1.
# The RC4 cases need arc4=1 on the server. The truncated-HMAC cases are
# gated on MBEDTLS_SSL_TRUNCATED_HMAC.
# NOTE(review): only the 1-byte read is asserted. Negotiation of EtM or
# truncated HMAC is not checked.

run_test "Small client packet TLS 1.1 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"
# Small client packets, TLS 1.2: block and stream cipher with the EtM and
# truncated-HMAC combinations, plus a SHA-384 CBC suite ("larger MAC") and
# two AEAD suites (CCM and CCM-8, the latter with a shorter tag).
# The RC4 cases need arc4=1 on the server. The truncated-HMAC cases are
# gated on MBEDTLS_SSL_TRUNCATED_HMAC.
# NOTE(review): only the 1-byte read is asserted. Negotiation of EtM or
# truncated HMAC is not checked.

run_test "Small client packet TLS 1.2 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 AEAD" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 AEAD shorter tag" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
    0 \
    -s "Read from client: 1 bytes read"
# Tests for small client packets in DTLS
#
# Same 1-byte request as the TLS cases, over DTLS 1.0 and DTLS 1.2 with an
# AES-256-CBC suite. Two things differ from the TLS cases: the protocol
# version is forced on the server, and encrypt-then-MAC is disabled on the
# server (etm=0) rather than on the client.
# Every case is gated on MBEDTLS_SSL_PROTO_DTLS, and the truncated-HMAC
# cases also on MBEDTLS_SSL_TRUNCATED_HMAC.
# NOTE(review): only the 1-byte read is asserted. Negotiation of EtM or
# truncated HMAC is not checked.

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.0" \
    "$P_SRV dtls=1 force_version=dtls1" \
    "$P_CLI dtls=1 request_size=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.0, without EtM" \
    "$P_SRV dtls=1 force_version=dtls1 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.0, truncated hmac" \
    "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
    "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
    "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.2" \
    "$P_SRV dtls=1 force_version=dtls1_2" \
    "$P_CLI dtls=1 request_size=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.2, without EtM" \
    "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.2, truncated hmac" \
    "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
    "$P_CLI dtls=1 request_size=1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"
4087
4088requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4089requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004090run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004091 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +00004092 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004093 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +00004094 0 \
4095 -s "Read from client: 1 bytes read"
4096
Andrzej Kurekd731a632018-06-19 09:37:30 -04004097# Tests for small server packets
4098
4099requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4100run_test "Small server packet SSLv3 BlockCipher" \
4101 "$P_SRV response_size=1 min_version=ssl3" \
4102 "$P_CLI force_version=ssl3 \
4103 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4104 0 \
4105 -c "Read from server: 1 bytes read"
4106
4107requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4108run_test "Small server packet SSLv3 StreamCipher" \
4109 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4110 "$P_CLI force_version=ssl3 \
4111 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4112 0 \
4113 -c "Read from server: 1 bytes read"
4114
4115run_test "Small server packet TLS 1.0 BlockCipher" \
4116 "$P_SRV response_size=1" \
4117 "$P_CLI force_version=tls1 \
4118 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4119 0 \
4120 -c "Read from server: 1 bytes read"
4121
4122run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
4123 "$P_SRV response_size=1" \
4124 "$P_CLI force_version=tls1 etm=0 \
4125 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4126 0 \
4127 -c "Read from server: 1 bytes read"
4128
4129requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4130run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
4131 "$P_SRV response_size=1 trunc_hmac=1" \
4132 "$P_CLI force_version=tls1 \
4133 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4134 0 \
4135 -c "Read from server: 1 bytes read"
4136
4137requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4138run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
4139 "$P_SRV response_size=1 trunc_hmac=1" \
4140 "$P_CLI force_version=tls1 \
4141 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4142 0 \
4143 -c "Read from server: 1 bytes read"
4144
4145run_test "Small server packet TLS 1.0 StreamCipher" \
4146 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4147 "$P_CLI force_version=tls1 \
4148 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4149 0 \
4150 -c "Read from server: 1 bytes read"
4151
4152run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
4153 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4154 "$P_CLI force_version=tls1 \
4155 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4156 0 \
4157 -c "Read from server: 1 bytes read"
4158
4159requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4160run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
4161 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4162 "$P_CLI force_version=tls1 \
4163 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4164 0 \
4165 -c "Read from server: 1 bytes read"
4166
4167requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4168run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4169 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4170 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4171 trunc_hmac=1 etm=0" \
4172 0 \
4173 -c "Read from server: 1 bytes read"
4174
4175run_test "Small server packet TLS 1.1 BlockCipher" \
4176 "$P_SRV response_size=1" \
4177 "$P_CLI force_version=tls1_1 \
4178 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4179 0 \
4180 -c "Read from server: 1 bytes read"
4181
4182run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
4183 "$P_SRV response_size=1" \
4184 "$P_CLI force_version=tls1_1 \
4185 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
4186 0 \
4187 -c "Read from server: 1 bytes read"
4188
4189requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4190run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
4191 "$P_SRV response_size=1 trunc_hmac=1" \
4192 "$P_CLI force_version=tls1_1 \
4193 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4194 0 \
4195 -c "Read from server: 1 bytes read"
4196
4197requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4198run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4199 "$P_SRV response_size=1 trunc_hmac=1" \
4200 "$P_CLI force_version=tls1_1 \
4201 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4202 0 \
4203 -c "Read from server: 1 bytes read"
4204
4205run_test "Small server packet TLS 1.1 StreamCipher" \
4206 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4207 "$P_CLI force_version=tls1_1 \
4208 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4209 0 \
4210 -c "Read from server: 1 bytes read"
4211
4212run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
4213 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4214 "$P_CLI force_version=tls1_1 \
4215 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4216 0 \
4217 -c "Read from server: 1 bytes read"
4218
4219requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4220run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
4221 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4222 "$P_CLI force_version=tls1_1 \
4223 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4224 0 \
4225 -c "Read from server: 1 bytes read"
4226
4227requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4228run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
4229 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4230 "$P_CLI force_version=tls1_1 \
4231 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4232 0 \
4233 -c "Read from server: 1 bytes read"
4234
4235run_test "Small server packet TLS 1.2 BlockCipher" \
4236 "$P_SRV response_size=1" \
4237 "$P_CLI force_version=tls1_2 \
4238 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4239 0 \
4240 -c "Read from server: 1 bytes read"
4241
4242run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
4243 "$P_SRV response_size=1" \
4244 "$P_CLI force_version=tls1_2 \
4245 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
4246 0 \
4247 -c "Read from server: 1 bytes read"
4248
4249run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
4250 "$P_SRV response_size=1" \
4251 "$P_CLI force_version=tls1_2 \
4252 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4253 0 \
4254 -c "Read from server: 1 bytes read"
4255
4256requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4257run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
4258 "$P_SRV response_size=1 trunc_hmac=1" \
4259 "$P_CLI force_version=tls1_2 \
4260 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4261 0 \
4262 -c "Read from server: 1 bytes read"
4263
4264requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4265run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
4266 "$P_SRV response_size=1 trunc_hmac=1" \
4267 "$P_CLI force_version=tls1_2 \
4268 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4269 0 \
4270 -c "Read from server: 1 bytes read"
4271
4272run_test "Small server packet TLS 1.2 StreamCipher" \
4273 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4274 "$P_CLI force_version=tls1_2 \
4275 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4276 0 \
4277 -c "Read from server: 1 bytes read"
4278
4279run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
4280 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4281 "$P_CLI force_version=tls1_2 \
4282 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4283 0 \
4284 -c "Read from server: 1 bytes read"
4285
4286requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4287run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
4288 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4289 "$P_CLI force_version=tls1_2 \
4290 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4291 0 \
4292 -c "Read from server: 1 bytes read"
4293
4294requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4295run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4296 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4297 "$P_CLI force_version=tls1_2 \
4298 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4299 0 \
4300 -c "Read from server: 1 bytes read"
4301
4302run_test "Small server packet TLS 1.2 AEAD" \
4303 "$P_SRV response_size=1" \
4304 "$P_CLI force_version=tls1_2 \
4305 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4306 0 \
4307 -c "Read from server: 1 bytes read"
4308
4309run_test "Small server packet TLS 1.2 AEAD shorter tag" \
4310 "$P_SRV response_size=1" \
4311 "$P_CLI force_version=tls1_2 \
4312 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4313 0 \
4314 -c "Read from server: 1 bytes read"
4315
4316# Tests for small server packets in DTLS
4317
4318requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4319run_test "Small server packet DTLS 1.0" \
4320 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
4321 "$P_CLI dtls=1 \
4322 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4323 0 \
4324 -c "Read from server: 1 bytes read"
4325
4326requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4327run_test "Small server packet DTLS 1.0, without EtM" \
4328 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
4329 "$P_CLI dtls=1 \
4330 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4331 0 \
4332 -c "Read from server: 1 bytes read"
4333
4334requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4335requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4336run_test "Small server packet DTLS 1.0, truncated hmac" \
4337 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
4338 "$P_CLI dtls=1 trunc_hmac=1 \
4339 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4340 0 \
4341 -c "Read from server: 1 bytes read"
4342
4343requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4344requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4345run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
4346 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
4347 "$P_CLI dtls=1 \
4348 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
4349 0 \
4350 -c "Read from server: 1 bytes read"
4351
4352requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4353run_test "Small server packet DTLS 1.2" \
4354 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
4355 "$P_CLI dtls=1 \
4356 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4357 0 \
4358 -c "Read from server: 1 bytes read"
4359
4360requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4361run_test "Small server packet DTLS 1.2, without EtM" \
4362 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
4363 "$P_CLI dtls=1 \
4364 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4365 0 \
4366 -c "Read from server: 1 bytes read"
4367
4368requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4369requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4370run_test "Small server packet DTLS 1.2, truncated hmac" \
4371 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
4372 "$P_CLI dtls=1 \
4373 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4374 0 \
4375 -c "Read from server: 1 bytes read"
4376
4377requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4378requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4379run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
4380 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
4381 "$P_CLI dtls=1 \
4382 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
4383 0 \
4384 -c "Read from server: 1 bytes read"
4385
Janos Follath00efff72016-05-06 13:48:23 +01004386# A test for extensions in SSLv3
4387
4388requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4389run_test "SSLv3 with extensions, server side" \
4390 "$P_SRV min_version=ssl3 debug_level=3" \
4391 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
4392 0 \
4393 -S "dumping 'client hello extensions'" \
4394 -S "server hello, total extension length:"
4395
Andrzej Kurek557335e2018-06-28 04:03:10 -04004396# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004397
Janos Follathe2681a42016-03-07 15:57:05 +00004398requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek557335e2018-06-28 04:03:10 -04004399run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01004400 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01004401 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004402 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4403 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004404 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004405 -s "Read from client: 16384 bytes read"
4406
Janos Follathe2681a42016-03-07 15:57:05 +00004407requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek557335e2018-06-28 04:03:10 -04004408run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01004409 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004410 "$P_CLI request_size=16384 force_version=ssl3 \
4411 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4412 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004413 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004414 -s "Read from client: 16384 bytes read"
4415
Andrzej Kurek557335e2018-06-28 04:03:10 -04004416run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004417 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01004418 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004419 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4420 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004421 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004422 -s "Read from client: 16384 bytes read"
4423
Andrzej Kurek557335e2018-06-28 04:03:10 -04004424run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004425 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004426 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
4427 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4428 0 \
4429 -s "Read from client: 16384 bytes read"
4430
Hanno Becker32c55012017-11-10 08:42:54 +00004431requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004432run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004433 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01004434 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004435 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004436 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004437 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004438 -s "Read from client: 16384 bytes read"
4439
Hanno Becker32c55012017-11-10 08:42:54 +00004440requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004441run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004442 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004443 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004444 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004445 0 \
4446 -s "Read from client: 16384 bytes read"
4447
Andrzej Kurek557335e2018-06-28 04:03:10 -04004448run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01004449 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004450 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004451 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4452 0 \
4453 -s "Read from client: 16384 bytes read"
4454
Andrzej Kurek557335e2018-06-28 04:03:10 -04004455run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004456 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4457 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004458 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004459 0 \
4460 -s "Read from client: 16384 bytes read"
4461
4462requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004463run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004464 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004465 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004466 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004467 0 \
4468 -s "Read from client: 16384 bytes read"
4469
Hanno Becker278fc7a2017-11-10 09:16:28 +00004470requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004471run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004472 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004473 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004474 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004475 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004476 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004477 -s "Read from client: 16384 bytes read"
4478
Andrzej Kurek557335e2018-06-28 04:03:10 -04004479run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004480 "$P_SRV" \
4481 "$P_CLI request_size=16384 force_version=tls1_1 \
4482 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4483 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004484 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004485 -s "Read from client: 16384 bytes read"
4486
Andrzej Kurek557335e2018-06-28 04:03:10 -04004487run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004488 "$P_SRV" \
4489 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
4490 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004491 0 \
4492 -s "Read from client: 16384 bytes read"
4493
Hanno Becker32c55012017-11-10 08:42:54 +00004494requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004495run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004496 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004497 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004498 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004499 0 \
4500 -s "Read from client: 16384 bytes read"
4501
Hanno Becker32c55012017-11-10 08:42:54 +00004502requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004503run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004504 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004505 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004506 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004507 0 \
4508 -s "Read from client: 16384 bytes read"
4509
Andrzej Kurek557335e2018-06-28 04:03:10 -04004510run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004511 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4512 "$P_CLI request_size=16384 force_version=tls1_1 \
4513 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4514 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004515 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004516 -s "Read from client: 16384 bytes read"
4517
Andrzej Kurek557335e2018-06-28 04:03:10 -04004518run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004519 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004520 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004521 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004522 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004523 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004524 -s "Read from client: 16384 bytes read"
4525
Hanno Becker278fc7a2017-11-10 09:16:28 +00004526requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004527run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004528 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004529 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004530 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004531 0 \
4532 -s "Read from client: 16384 bytes read"
4533
Hanno Becker278fc7a2017-11-10 09:16:28 +00004534requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004535run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004536 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004537 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004538 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004539 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004540 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004541 -s "Read from client: 16384 bytes read"
4542
Andrzej Kurek557335e2018-06-28 04:03:10 -04004543run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004544 "$P_SRV" \
4545 "$P_CLI request_size=16384 force_version=tls1_2 \
4546 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4547 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004548 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004549 -s "Read from client: 16384 bytes read"
4550
Andrzej Kurek557335e2018-06-28 04:03:10 -04004551run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004552 "$P_SRV" \
4553 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
4554 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4555 0 \
4556 -s "Read from client: 16384 bytes read"
4557
Andrzej Kurek557335e2018-06-28 04:03:10 -04004558run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004559 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01004560 "$P_CLI request_size=16384 force_version=tls1_2 \
4561 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004562 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004563 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004564 -s "Read from client: 16384 bytes read"
4565
Hanno Becker32c55012017-11-10 08:42:54 +00004566requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004567run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004568 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004569 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004570 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004571 0 \
4572 -s "Read from client: 16384 bytes read"
4573
Hanno Becker278fc7a2017-11-10 09:16:28 +00004574requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004575run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004576 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004577 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004578 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004579 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004580 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004581 -s "Read from client: 16384 bytes read"
4582
Andrzej Kurek557335e2018-06-28 04:03:10 -04004583run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01004584 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004585 "$P_CLI request_size=16384 force_version=tls1_2 \
4586 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4587 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004588 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004589 -s "Read from client: 16384 bytes read"
4590
Andrzej Kurek557335e2018-06-28 04:03:10 -04004591run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01004592 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004593 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004594 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4595 0 \
4596 -s "Read from client: 16384 bytes read"
4597
Hanno Becker32c55012017-11-10 08:42:54 +00004598requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004599run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004600 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004601 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004602 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004603 0 \
4604 -s "Read from client: 16384 bytes read"
4605
Hanno Becker278fc7a2017-11-10 09:16:28 +00004606requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004607run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004608 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004609 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004610 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004611 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004612 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004613 -s "Read from client: 16384 bytes read"
4614
Andrzej Kurek557335e2018-06-28 04:03:10 -04004615run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004616 "$P_SRV" \
4617 "$P_CLI request_size=16384 force_version=tls1_2 \
4618 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4619 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004620 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004621 -s "Read from client: 16384 bytes read"
4622
Andrzej Kurek557335e2018-06-28 04:03:10 -04004623run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004624 "$P_SRV" \
4625 "$P_CLI request_size=16384 force_version=tls1_2 \
4626 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4627 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004628 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004629 -s "Read from client: 16384 bytes read"
# Tests for ECC extensions (RFC 4492)
#
# These check that the supported_elliptic_curves and supported_point_formats
# extensions are sent and parsed only when an ECC ciphersuite is in play.
# run_test convention in this script: -s/-c give a pattern that must appear
# in the server/client log, -S/-C a pattern that must NOT appear.
# Each requires_config_enabled line applies to the run_test that follows it,
# so the order of these statements matters.

# Client restricted to an RSA/CBC suite: it must not add either ECC extension
# to its ClientHello, and the server must not find them.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test "Force a non ECC ciphersuite in the client side" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
    0 \
    -C "client hello, adding supported_elliptic_curves extension" \
    -C "client hello, adding supported_point_formats extension" \
    -S "found supported elliptic curves extension" \
    -S "found supported point formats extension"

# Server restricted to an RSA/CBC suite: its ServerHello must not carry
# supported_point_formats, and the client must not find it.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test "Force a non ECC ciphersuite in the server side" \
    "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
    "$P_CLI debug_level=3" \
    0 \
    -C "found supported_point_formats extension" \
    -S "server hello, supported_point_formats extension"

# Positive counterpart: client forces an ECDHE-ECDSA suite, so both
# extensions must be added by the client and found by the server.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "Force an ECC ciphersuite in the client side" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
    0 \
    -c "client hello, adding supported_elliptic_curves extension" \
    -c "client hello, adding supported_point_formats extension" \
    -s "found supported elliptic curves extension" \
    -s "found supported point formats extension"

# Positive counterpart on the server side: the ServerHello must carry
# supported_point_formats and the client must find it.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "Force an ECC ciphersuite in the server side" \
    "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
    "$P_CLI debug_level=3" \
    0 \
    -c "found supported_point_formats extension" \
    -s "server hello, supported_point_formats extension"
Andrzej Kurek557335e2018-06-28 04:03:10 -04004681# Test for large server packets
Andrzej Kurek557335e2018-06-28 04:03:10 -04004682requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4683run_test "Large server packet SSLv3 StreamCipher" \
4684 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4685 "$P_CLI force_version=ssl3 \
4686 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4687 0 \
4688 -c "Read from server: 16384 bytes read"
4689
Andrzej Kurekc8958212018-08-27 08:00:13 -04004690# Checking next 4 tests logs for 1n-1 split against BEAST too
4691requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4692run_test "Large server packet SSLv3 BlockCipher" \
4693 "$P_SRV response_size=16384 min_version=ssl3" \
4694 "$P_CLI force_version=ssl3 recsplit=0 \
4695 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4696 0 \
4697 -c "Read from server: 1 bytes read"\
4698 -c "16383 bytes read"\
4699 -C "Read from server: 16384 bytes read"
4700
Andrzej Kurek557335e2018-06-28 04:03:10 -04004701run_test "Large server packet TLS 1.0 BlockCipher" \
4702 "$P_SRV response_size=16384" \
4703 "$P_CLI force_version=tls1 recsplit=0 \
4704 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4705 0 \
4706 -c "Read from server: 1 bytes read"\
4707 -c "16383 bytes read"\
4708 -C "Read from server: 16384 bytes read"
4709
Andrzej Kurekd731a632018-06-19 09:37:30 -04004710run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
4711 "$P_SRV response_size=16384" \
4712 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
4713 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4714 0 \
4715 -c "Read from server: 1 bytes read"\
4716 -c "16383 bytes read"\
4717 -C "Read from server: 16384 bytes read"
4718
Andrzej Kurek557335e2018-06-28 04:03:10 -04004719requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4720run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
4721 "$P_SRV response_size=16384" \
4722 "$P_CLI force_version=tls1 recsplit=0 \
4723 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4724 trunc_hmac=1" \
4725 0 \
4726 -c "Read from server: 1 bytes read"\
4727 -c "16383 bytes read"\
4728 -C "Read from server: 16384 bytes read"
4729
4730requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4731run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
4732 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4733 "$P_CLI force_version=tls1 \
4734 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4735 trunc_hmac=1" \
4736 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004737 -s "16384 bytes written in 1 fragments" \
4738 -c "Read from server: 16384 bytes read"
4739
4740run_test "Large server packet TLS 1.0 StreamCipher" \
4741 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4742 "$P_CLI force_version=tls1 \
4743 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4744 0 \
4745 -s "16384 bytes written in 1 fragments" \
4746 -c "Read from server: 16384 bytes read"
4747
4748run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
4749 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4750 "$P_CLI force_version=tls1 \
4751 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4752 0 \
4753 -s "16384 bytes written in 1 fragments" \
4754 -c "Read from server: 16384 bytes read"
4755
4756requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4757run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
4758 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4759 "$P_CLI force_version=tls1 \
4760 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4761 0 \
4762 -s "16384 bytes written in 1 fragments" \
4763 -c "Read from server: 16384 bytes read"
4764
4765requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4766run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4767 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4768 "$P_CLI force_version=tls1 \
4769 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4770 0 \
4771 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004772 -c "Read from server: 16384 bytes read"
4773
4774run_test "Large server packet TLS 1.1 BlockCipher" \
4775 "$P_SRV response_size=16384" \
4776 "$P_CLI force_version=tls1_1 \
4777 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4778 0 \
4779 -c "Read from server: 16384 bytes read"
4780
Andrzej Kurekd731a632018-06-19 09:37:30 -04004781run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
4782 "$P_SRV response_size=16384" \
4783 "$P_CLI force_version=tls1_1 etm=0 \
4784 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004785 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004786 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004787 -c "Read from server: 16384 bytes read"
4788
4789requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4790run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
4791 "$P_SRV response_size=16384" \
4792 "$P_CLI force_version=tls1_1 \
4793 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4794 trunc_hmac=1" \
4795 0 \
4796 -c "Read from server: 16384 bytes read"
4797
4798requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004799run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4800 "$P_SRV response_size=16384 trunc_hmac=1" \
4801 "$P_CLI force_version=tls1_1 \
4802 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4803 0 \
4804 -s "16384 bytes written in 1 fragments" \
4805 -c "Read from server: 16384 bytes read"
4806
4807run_test "Large server packet TLS 1.1 StreamCipher" \
4808 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4809 "$P_CLI force_version=tls1_1 \
4810 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4811 0 \
4812 -c "Read from server: 16384 bytes read"
4813
4814run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
4815 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4816 "$P_CLI force_version=tls1_1 \
4817 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4818 0 \
4819 -s "16384 bytes written in 1 fragments" \
4820 -c "Read from server: 16384 bytes read"
4821
4822requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004823run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
4824 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4825 "$P_CLI force_version=tls1_1 \
4826 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4827 trunc_hmac=1" \
4828 0 \
4829 -c "Read from server: 16384 bytes read"
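# Large (16384-byte) server response over TLS 1.1 with RC4, Encrypt-then-MAC
# off on the client and truncated HMAC requested on both sides.
# Both programs are started with trunc_hmac=1, so the test is gated on the
# truncated-HMAC feature, as the TLS 1.0 and TLS 1.2 variants of this same
# test are; without the guard a build that omits MBEDTLS_SSL_TRUNCATED_HMAC
# would presumably fail here instead of skipping the test.
# -s / -c: pattern that must appear in the server / client log.
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI force_version=tls1_1 \
    force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "16384 bytes written in 1 fragments" \
    -c "Read from server: 16384 bytes read"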
Andrzej Kurek557335e2018-06-28 04:03:10 -04004839run_test "Large server packet TLS 1.2 BlockCipher" \
4840 "$P_SRV response_size=16384" \
4841 "$P_CLI force_version=tls1_2 \
4842 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4843 0 \
4844 -c "Read from server: 16384 bytes read"
4845
Andrzej Kurekd731a632018-06-19 09:37:30 -04004846run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
4847 "$P_SRV response_size=16384" \
4848 "$P_CLI force_version=tls1_2 etm=0 \
4849 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4850 0 \
4851 -s "16384 bytes written in 1 fragments" \
4852 -c "Read from server: 16384 bytes read"
4853
Andrzej Kurek557335e2018-06-28 04:03:10 -04004854run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
4855 "$P_SRV response_size=16384" \
4856 "$P_CLI force_version=tls1_2 \
4857 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4858 0 \
4859 -c "Read from server: 16384 bytes read"
4860
4861requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4862run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
4863 "$P_SRV response_size=16384" \
4864 "$P_CLI force_version=tls1_2 \
4865 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4866 trunc_hmac=1" \
4867 0 \
4868 -c "Read from server: 16384 bytes read"
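# Large (16384-byte) server response over TLS 1.2 with a CBC suite,
# Encrypt-then-MAC off on the client and truncated HMAC requested on both
# sides.
# Both programs are started with trunc_hmac=1, so the test is gated on the
# truncated-HMAC feature, as the TLS 1.1 BlockCipher variant of this same
# test is; without the guard a build that omits MBEDTLS_SSL_TRUNCATED_HMAC
# would presumably fail here instead of skipping the test.
# -s / -c: pattern that must appear in the server / client log.
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV response_size=16384 trunc_hmac=1" \
    "$P_CLI force_version=tls1_2 \
    force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "16384 bytes written in 1 fragments" \
    -c "Read from server: 16384 bytes read"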
Andrzej Kurek557335e2018-06-28 04:03:10 -04004878run_test "Large server packet TLS 1.2 StreamCipher" \
4879 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4880 "$P_CLI force_version=tls1_2 \
4881 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4882 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004883 -s "16384 bytes written in 1 fragments" \
4884 -c "Read from server: 16384 bytes read"
4885
4886run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
4887 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4888 "$P_CLI force_version=tls1_2 \
4889 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4890 0 \
4891 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004892 -c "Read from server: 16384 bytes read"
4893
4894requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4895run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
4896 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4897 "$P_CLI force_version=tls1_2 \
4898 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4899 trunc_hmac=1" \
4900 0 \
4901 -c "Read from server: 16384 bytes read"
4902
Andrzej Kurekd731a632018-06-19 09:37:30 -04004903requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4904run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4905 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4906 "$P_CLI force_version=tls1_2 \
4907 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4908 0 \
4909 -s "16384 bytes written in 1 fragments" \
4910 -c "Read from server: 16384 bytes read"
4911
Andrzej Kurek557335e2018-06-28 04:03:10 -04004912run_test "Large server packet TLS 1.2 AEAD" \
4913 "$P_SRV response_size=16384" \
4914 "$P_CLI force_version=tls1_2 \
4915 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4916 0 \
4917 -c "Read from server: 16384 bytes read"
4918
4919run_test "Large server packet TLS 1.2 AEAD shorter tag" \
4920 "$P_SRV response_size=16384" \
4921 "$P_CLI force_version=tls1_2 \
4922 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4923 0 \
4924 -c "Read from server: 16384 bytes read"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004926# Tests for DTLS HelloVerifyRequest
4927
4928run_test "DTLS cookie: enabled" \
4929 "$P_SRV dtls=1 debug_level=2" \
4930 "$P_CLI dtls=1 debug_level=2" \
4931 0 \
4932 -s "cookie verification failed" \
4933 -s "cookie verification passed" \
4934 -S "cookie verification skipped" \
4935 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004936 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004937 -S "SSL - The requested feature is not available"
4938
4939run_test "DTLS cookie: disabled" \
4940 "$P_SRV dtls=1 debug_level=2 cookies=0" \
4941 "$P_CLI dtls=1 debug_level=2" \
4942 0 \
4943 -S "cookie verification failed" \
4944 -S "cookie verification passed" \
4945 -s "cookie verification skipped" \
4946 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004947 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004948 -S "SSL - The requested feature is not available"
4949
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004950run_test "DTLS cookie: default (failing)" \
4951 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4952 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4953 1 \
4954 -s "cookie verification failed" \
4955 -S "cookie verification passed" \
4956 -S "cookie verification skipped" \
4957 -C "received hello verify request" \
4958 -S "hello verification requested" \
4959 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004960
4961requires_ipv6
4962run_test "DTLS cookie: enabled, IPv6" \
4963 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4964 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
4965 0 \
4966 -s "cookie verification failed" \
4967 -s "cookie verification passed" \
4968 -S "cookie verification skipped" \
4969 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004970 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004971 -S "SSL - The requested feature is not available"
4972
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02004973run_test "DTLS cookie: enabled, nbio" \
4974 "$P_SRV dtls=1 nbio=2 debug_level=2" \
4975 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4976 0 \
4977 -s "cookie verification failed" \
4978 -s "cookie verification passed" \
4979 -S "cookie verification skipped" \
4980 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004981 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02004982 -S "SSL - The requested feature is not available"
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02004984# Tests for client reconnecting from the same port with DTLS
4985
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02004986not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02004987run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02004988 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
4989 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02004990 0 \
4991 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02004992 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02004993 -S "Client initiated reconnection from same port"
4994
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02004995not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02004996run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02004997 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
4998 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02004999 0 \
5000 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005001 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005002 -s "Client initiated reconnection from same port"
5003
Paul Bakker362689d2016-05-13 10:33:25 +01005004not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
5005run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005006 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
5007 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005008 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005009 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005010 -s "Client initiated reconnection from same port"
5011
Paul Bakker362689d2016-05-13 10:33:25 +01005012only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
5013run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
5014 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
5015 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
5016 0 \
5017 -S "The operation timed out" \
5018 -s "Client initiated reconnection from same port"
5019
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005020run_test "DTLS client reconnect from same port: no cookies" \
5021 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +02005022 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
5023 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005024 -s "The operation timed out" \
5025 -S "Client initiated reconnection from same port"
5026
Manuel Pégourié-Gonnarda58b0462020-03-13 11:11:02 +01005027run_test "DTLS client reconnect from same port: attacker-injected" \
5028 -p "$P_PXY inject_clihlo=1" \
5029 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
5030 "$P_CLI dtls=1 exchanges=2" \
5031 0 \
5032 -s "possible client reconnect from the same port" \
5033 -S "Client initiated reconnection from same port"
# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)
#
# -s / -c: pattern that must appear in the server / client log.

# auth_mode=required: the server must verify the client certificate.
run_test "DTLS client auth: required" \
    "$P_SRV dtls=1 auth_mode=required" \
    "$P_CLI dtls=1" \
    0 \
    -s "Verifying peer X.509 certificate... ok"

# auth_mode=optional with a certificate-less client: the handshake still
# succeeds, and the server must flag that the certificate was missing.
run_test "DTLS client auth: optional, client has no cert" \
    "$P_SRV dtls=1 auth_mode=optional" \
    "$P_CLI dtls=1 crt_file=none key_file=none" \
    0 \
    -s "! Certificate was missing"

# auth_mode=none: the client skips writing its certificate and the server
# must report that verification was skipped.
run_test "DTLS client auth: none, client has no cert" \
    "$P_SRV dtls=1 auth_mode=none" \
    "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
    0 \
    -c "skip write certificate$" \
    -s "! Certificate verification was skipped"

# Mismatched pre-shared keys (abc123 vs abc124): the handshake must fail
# (exit code 1) with a MAC verification failure on the server and a fatal
# alert received by the client.
run_test "DTLS wrong PSK: badmac alert" \
    "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
    "$P_CLI dtls=1 psk=abc124" \
    1 \
    -s "SSL - Verification of the message MAC failed" \
    -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02005064# Tests for receiving fragmented handshake messages with DTLS
5065
5066requires_gnutls
5067run_test "DTLS reassembly: no fragmentation (gnutls server)" \
5068 "$G_SRV -u --mtu 2048 -a" \
5069 "$P_CLI dtls=1 debug_level=2" \
5070 0 \
5071 -C "found fragmented DTLS handshake message" \
5072 -C "error"
5073
5074requires_gnutls
5075run_test "DTLS reassembly: some fragmentation (gnutls server)" \
5076 "$G_SRV -u --mtu 512" \
5077 "$P_CLI dtls=1 debug_level=2" \
5078 0 \
5079 -c "found fragmented DTLS handshake message" \
5080 -C "error"
5081
5082requires_gnutls
5083run_test "DTLS reassembly: more fragmentation (gnutls server)" \
5084 "$G_SRV -u --mtu 128" \
5085 "$P_CLI dtls=1 debug_level=2" \
5086 0 \
5087 -c "found fragmented DTLS handshake message" \
5088 -C "error"
5089
5090requires_gnutls
5091run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
5092 "$G_SRV -u --mtu 128" \
5093 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5094 0 \
5095 -c "found fragmented DTLS handshake message" \
5096 -C "error"
5097
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005098requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01005099requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005100run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
5101 "$G_SRV -u --mtu 256" \
5102 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
5103 0 \
5104 -c "found fragmented DTLS handshake message" \
5105 -c "client hello, adding renegotiation extension" \
5106 -c "found renegotiation extension" \
5107 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005108 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005109 -C "error" \
5110 -s "Extra-header:"
5111
5112requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01005113requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005114run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
5115 "$G_SRV -u --mtu 256" \
5116 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
5117 0 \
5118 -c "found fragmented DTLS handshake message" \
5119 -c "client hello, adding renegotiation extension" \
5120 -c "found renegotiation extension" \
5121 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005122 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005123 -C "error" \
5124 -s "Extra-header:"
5125
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02005126run_test "DTLS reassembly: no fragmentation (openssl server)" \
5127 "$O_SRV -dtls1 -mtu 2048" \
5128 "$P_CLI dtls=1 debug_level=2" \
5129 0 \
5130 -C "found fragmented DTLS handshake message" \
5131 -C "error"
5132
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005133run_test "DTLS reassembly: some fragmentation (openssl server)" \
5134 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02005135 "$P_CLI dtls=1 debug_level=2" \
5136 0 \
5137 -c "found fragmented DTLS handshake message" \
5138 -C "error"
5139
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005140run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02005141 "$O_SRV -dtls1 -mtu 256" \
5142 "$P_CLI dtls=1 debug_level=2" \
5143 0 \
5144 -c "found fragmented DTLS handshake message" \
5145 -C "error"
5146
5147run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
5148 "$O_SRV -dtls1 -mtu 256" \
5149 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5150 0 \
5151 -c "found fragmented DTLS handshake message" \
5152 -C "error"
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02005154# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02005155
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005156not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005157run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02005158 -p "$P_PXY" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005159 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5160 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005161 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005162 -C "replayed record" \
5163 -S "replayed record" \
5164 -C "record from another epoch" \
5165 -S "record from another epoch" \
5166 -C "discarding invalid record" \
5167 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005168 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005169 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005170 -c "HTTP/1.0 200 OK"
5171
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005172not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02005173run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005174 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005175 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5176 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005177 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02005178 -c "replayed record" \
5179 -s "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +01005180 -c "record from another epoch" \
5181 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005182 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005183 -s "Extra-header:" \
5184 -c "HTTP/1.0 200 OK"
5185
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005186run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
5187 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005188 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
5189 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005190 0 \
5191 -c "replayed record" \
5192 -S "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +01005193 -c "record from another epoch" \
5194 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005195 -c "resend" \
5196 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005197 -s "Extra-header:" \
5198 -c "HTTP/1.0 200 OK"
5199
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005200run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005201 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005202 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005203 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005204 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005205 -c "discarding invalid record (mac)" \
5206 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005207 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005208 -c "HTTP/1.0 200 OK" \
5209 -S "too many records with bad MAC" \
5210 -S "Verification of the message MAC failed"
5211
5212run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
5213 -p "$P_PXY bad_ad=1" \
5214 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
5215 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5216 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005217 -C "discarding invalid record (mac)" \
5218 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005219 -S "Extra-header:" \
5220 -C "HTTP/1.0 200 OK" \
5221 -s "too many records with bad MAC" \
5222 -s "Verification of the message MAC failed"
5223
5224run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
5225 -p "$P_PXY bad_ad=1" \
5226 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
5227 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5228 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005229 -c "discarding invalid record (mac)" \
5230 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005231 -s "Extra-header:" \
5232 -c "HTTP/1.0 200 OK" \
5233 -S "too many records with bad MAC" \
5234 -S "Verification of the message MAC failed"
5235
5236run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
5237 -p "$P_PXY bad_ad=1" \
5238 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
5239 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
5240 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005241 -c "discarding invalid record (mac)" \
5242 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005243 -s "Extra-header:" \
5244 -c "HTTP/1.0 200 OK" \
5245 -s "too many records with bad MAC" \
5246 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005247
5248run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005249 -p "$P_PXY delay_ccs=1" \
5250 "$P_SRV dtls=1 debug_level=1" \
5251 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005252 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005253 -c "record from another epoch" \
5254 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005255 -s "Extra-header:" \
5256 -c "HTTP/1.0 200 OK"
5257
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02005258# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005259
Janos Follath74537a62016-09-02 13:45:28 +01005260client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005261run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005262 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005263 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005264 psk=abc123" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005265 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005266 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5267 0 \
5268 -s "Extra-header:" \
5269 -c "HTTP/1.0 200 OK"
5270
Janos Follath74537a62016-09-02 13:45:28 +01005271client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005272run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
5273 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005274 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5275 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005276 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5277 0 \
5278 -s "Extra-header:" \
5279 -c "HTTP/1.0 200 OK"
5280
Janos Follath74537a62016-09-02 13:45:28 +01005281client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005282run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
5283 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005284 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5285 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005286 0 \
5287 -s "Extra-header:" \
5288 -c "HTTP/1.0 200 OK"
5289
Janos Follath74537a62016-09-02 13:45:28 +01005290client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005291run_test "DTLS proxy: 3d, FS, client auth" \
5292 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005293 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=required" \
5294 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005295 0 \
5296 -s "Extra-header:" \
5297 -c "HTTP/1.0 200 OK"
5298
Janos Follath74537a62016-09-02 13:45:28 +01005299client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005300run_test "DTLS proxy: 3d, FS, ticket" \
5301 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005302 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=none" \
5303 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005304 0 \
5305 -s "Extra-header:" \
5306 -c "HTTP/1.0 200 OK"
5307
Janos Follath74537a62016-09-02 13:45:28 +01005308client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005309run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
5310 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005311 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=required" \
5312 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005313 0 \
5314 -s "Extra-header:" \
5315 -c "HTTP/1.0 200 OK"
5316
Janos Follath74537a62016-09-02 13:45:28 +01005317client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005318run_test "DTLS proxy: 3d, max handshake, nbio" \
5319 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005320 "$P_SRV dtls=1 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005321 auth_mode=required" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005322 "$P_CLI dtls=1 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005323 0 \
5324 -s "Extra-header:" \
5325 -c "HTTP/1.0 200 OK"
5326
Janos Follath74537a62016-09-02 13:45:28 +01005327client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005328run_test "DTLS proxy: 3d, min handshake, resumption" \
5329 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005330 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005331 psk=abc123 debug_level=3" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005332 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01005333 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005334 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5335 0 \
5336 -s "a session has been resumed" \
5337 -c "a session has been resumed" \
5338 -s "Extra-header:" \
5339 -c "HTTP/1.0 200 OK"
5340
Janos Follath74537a62016-09-02 13:45:28 +01005341client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005342run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
5343 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005344 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005345 psk=abc123 debug_level=3 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005346 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01005347 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005348 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
5349 0 \
5350 -s "a session has been resumed" \
5351 -c "a session has been resumed" \
5352 -s "Extra-header:" \
5353 -c "HTTP/1.0 200 OK"
5354
Janos Follath74537a62016-09-02 13:45:28 +01005355client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005356requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005357run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02005358 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005359 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005360 psk=abc123 renegotiation=1 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005361 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005362 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02005363 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5364 0 \
5365 -c "=> renegotiate" \
5366 -s "=> renegotiate" \
5367 -s "Extra-header:" \
5368 -c "HTTP/1.0 200 OK"
5369
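# Client-initiated renegotiation over the lossy proxy, non-blocking I/O
# variant. Requires a build with MBEDTLS_SSL_RENEGOTIATION. Expected exit
# status is 0 and both outputs must contain "=> renegotiate".
#
# nbio=2 is passed to both peers, as in the other "nbio" variants of this
# group (resumption and server-initiated renego). Without it this test ran
# with exactly the same command lines as the blocking client-initiated renego
# test, so the non-blocking renegotiation path was never exercised despite
# the test name.
client_needs_more_time 4
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
 -p "$P_PXY drop=5 delay=5 duplicate=5" \
 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
 psk=abc123 renegotiation=1 debug_level=2 nbio=2" \
 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
 renegotiate=1 debug_level=2 nbio=2 \
 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
 0 \
 -c "=> renegotiate" \
 -s "=> renegotiate" \
 -s "Extra-header:" \
 -c "HTTP/1.0 200 OK"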
5384
Janos Follath74537a62016-09-02 13:45:28 +01005385client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005386requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005387run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005388 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005389 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005390 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005391 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005392 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005393 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005394 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5395 0 \
5396 -c "=> renegotiate" \
5397 -s "=> renegotiate" \
5398 -s "Extra-header:" \
5399 -c "HTTP/1.0 200 OK"
5400
Janos Follath74537a62016-09-02 13:45:28 +01005401client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005402requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005403run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005404 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005405 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005406 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005407 debug_level=2 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005408 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005409 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005410 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5411 0 \
5412 -c "=> renegotiate" \
5413 -s "=> renegotiate" \
5414 -s "Extra-header:" \
5415 -c "HTTP/1.0 200 OK"
5416
Janos Follath74537a62016-09-02 13:45:28 +01005417client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005418not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005419run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005420 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5421 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005422 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005423 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005424 -c "HTTP/1.0 200 OK"
5425
Janos Follath74537a62016-09-02 13:45:28 +01005426client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005427not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005428run_test "DTLS proxy: 3d, openssl server, fragmentation" \
5429 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5430 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005431 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005432 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005433 -c "HTTP/1.0 200 OK"
5434
Janos Follath74537a62016-09-02 13:45:28 +01005435client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005436not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005437run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
5438 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5439 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005440 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005441 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005442 -c "HTTP/1.0 200 OK"
5443
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005444requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005445client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005446not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005447run_test "DTLS proxy: 3d, gnutls server" \
5448 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5449 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005450 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005451 0 \
5452 -s "Extra-header:" \
5453 -c "Extra-header:"
5454
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005455requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005456client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005457not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005458run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
5459 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5460 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005461 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005462 0 \
5463 -s "Extra-header:" \
5464 -c "Extra-header:"
5465
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005466requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005467client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005468not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005469run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
5470 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5471 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005472 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005473 0 \
5474 -s "Extra-header:" \
5475 -c "Extra-header:"
5476
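# Final report
#
# Prints a PASSED/FAILED summary line built from the TESTS, FAILS and SKIPS
# counters (maintained earlier in the script) and exits with the number of
# failures as the process status.

echo "------------------------------------------------------------------------"

if [ "$FAILS" = 0 ]; then
    printf "PASSED"
else
    printf "FAILED"
fi
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"

# The caller only sees the low 8 bits of the exit status, so a failure count
# that is a multiple of 256 would be reported as 0, i.e. success, to whatever
# is gating on this script. Clamp the value so any failure stays non-zero.
if [ "$FAILS" -gt 255 ]; then
    FAILS=255
fi
exit "$FAILS"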