TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1bca5ef096f1416ee89f1e487b83000e17fbc867 / . / tests / ssl-opt.sh
blob: bd4b6a8a8c34dd89aa6255c4f4b4158cab92f64a [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
9# Assumes all options are compiled in.
10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]13# default values, can be overriden by the environment
14: ${P_SRV:=../programs/ssl/ssl_server2}
15: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]16: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]17: ${GNUTLS_CLI:=gnutls-cli}
18: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskinea1cf6c82017-05-17 14:50:38 +0200[diff] [blame]19: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]20
Manuel Pégourié-Gonnard6461f362015-06-29 16:20:13 +0200[diff] [blame]21O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]22O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]23G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]24G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskinea1cf6c82017-05-17 14:50:38 +0200[diff] [blame]25TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]26
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]27TESTS=0
28FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]29SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]30
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]31CONFIG_H='../include/polarssl/config.h'
32
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]33MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]34FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]35EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]36
37print_usage() {
38 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]39 printf " -h|--help\tPrint this help.\n"
40 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
41 printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
42 printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]43}
44
45get_options() {
46 while [ $# -gt 0 ]; do
47 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]48 -f|--filter)
49 shift; FILTER=$1
50 ;;
51 -e|--exclude)
52 shift; EXCLUDE=$1
53 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]54 -m|--memcheck)
55 MEMCHECK=1
56 ;;
57 -h|--help)
58 print_usage
59 exit 0
60 ;;
61 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]62 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]63 print_usage
64 exit 1
65 ;;
66 esac
67 shift
68 done
69}
70
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]71# skip next test if the flag is not enabled in config.h
72requires_config_enabled() {
73 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
74 SKIP_NEXT="YES"
75 fi
76}
77
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]78# skip next test if the flag is enabled in config.h
79requires_config_disabled() {
80 if grep "^#define $1" $CONFIG_H > /dev/null; then
81 SKIP_NEXT="YES"
82 fi
83}
84
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]85# skip next test if OpenSSL can't send SSLv2 ClientHello
86requires_openssl_with_sslv2() {
87 if [ -z "${OPENSSL_HAS_SSL2:-}" ]; then
Manuel Pégourié-Gonnarda4afadf2014-08-30 22:09:36 +0200[diff] [blame]88 if $OPENSSL_CMD ciphers -ssl2 >/dev/null 2>&1; then
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]89 OPENSSL_HAS_SSL2="YES"
90 else
91 OPENSSL_HAS_SSL2="NO"
92 fi
93 fi
94 if [ "$OPENSSL_HAS_SSL2" = "NO" ]; then
95 SKIP_NEXT="YES"
96 fi
97}
98
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]99# skip next test if OpenSSL doesn't support FALLBACK_SCSV
100requires_openssl_with_fallback_scsv() {
101 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
102 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
103 then
104 OPENSSL_HAS_FBSCSV="YES"
105 else
106 OPENSSL_HAS_FBSCSV="NO"
107 fi
108 fi
109 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
110 SKIP_NEXT="YES"
111 fi
112}
113
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]114# skip next test if GnuTLS isn't available
115requires_gnutls() {
116 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
117 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null; then
118 GNUTLS_AVAILABLE="YES"
119 else
120 GNUTLS_AVAILABLE="NO"
121 fi
122 fi
123 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
124 SKIP_NEXT="YES"
125 fi
126}
127
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]128# print_name <name>
129print_name() {
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]130 printf "$1 "
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]131 LEN=$(( 72 - `echo "$1" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]132 for i in `seq 1 $LEN`; do printf '.'; done
133 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]134
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]135 TESTS=$(( $TESTS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]136}
137
138# fail <message>
139fail() {
140 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]141 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]142
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]143 mv $SRV_OUT o-srv-${TESTS}.log
144 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]145 echo " ! outputs saved to o-srv-${TESTS}.log and o-cli-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]146
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]147 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
148 echo " ! server output:"
149 cat o-srv-${TESTS}.log
150 echo " ! ============================================================"
151 echo " ! client output:"
152 cat o-cli-${TESTS}.log
153 fi
154
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]155 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]156}
157
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]158# is_polar <cmd_line>
159is_polar() {
160 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
161}
162
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]163# has_mem_err <log_file_name>
164has_mem_err() {
165 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
166 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
167 then
168 return 1 # false: does not have errors
169 else
170 return 0 # true: has errors
171 fi
172}
173
Gilles Peskine80f6be72017-12-19 13:35:10 +0100[diff] [blame]174# Wait for process $2 to be listening on port $1
175if type lsof >/dev/null 2>/dev/null; then
176 wait_server_start() {
177 START_TIME=$(date +%s)
178 while ! lsof -a -n -b -i "TCP:$1" -p "$2" >/dev/null 2>/dev/null; do
179 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
180 echo "SERVERSTART TIMEOUT"
181 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
182 break
183 fi
184 # Linux and *BSD support decimal arguments to sleep. On other
185 # OSes this may be a tight loop.
186 sleep 0.1 2>/dev/null || true
Manuel Pégourié-Gonnard84690c32015-08-04 20:34:39 +0200[diff] [blame]187 done
Gilles Peskine80f6be72017-12-19 13:35:10 +0100[diff] [blame]188 }
189else
190 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]191 sleep "$START_DELAY"
Gilles Peskine80f6be72017-12-19 13:35:10 +0100[diff] [blame]192 }
193fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]194
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]195# wait for client to terminate and set CLI_EXIT
196# must be called right after starting the client
197wait_client_done() {
198 CLI_PID=$!
199
200 ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) &
201 WATCHDOG_PID=$!
202
203 wait $CLI_PID
204 CLI_EXIT=$?
205
206 kill $WATCHDOG_PID
207 wait $WATCHDOG_PID
208
209 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
210}
211
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]212# Usage: run_test name srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]213# Options: -s pattern pattern that must be present in server output
214# -c pattern pattern that must be present in client output
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]215# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]216# -S pattern pattern that must be absent in server output
217# -C pattern pattern that must be absent in client output
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]218# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]219run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]220 NAME="$1"
221 SRV_CMD="$2"
222 CLI_CMD="$3"
223 CLI_EXPECT="$4"
224 shift 4
225
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]226 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
227 else
Manuel Pégourié-Gonnard33e8d342017-07-10 11:55:31 +0200[diff] [blame]228 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]229 return
230 fi
231
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]232 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]233
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]234 # should we skip?
235 if [ "X$SKIP_NEXT" = "XYES" ]; then
236 SKIP_NEXT="NO"
237 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]238 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]239 return
240 fi
241
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]242 # prepend valgrind to our commands if active
243 if [ "$MEMCHECK" -gt 0 ]; then
244 if is_polar "$SRV_CMD"; then
245 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
246 fi
247 if is_polar "$CLI_CMD"; then
248 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
249 fi
250 fi
251
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]252 # run the commands
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]253 echo "$SRV_CMD" > $SRV_OUT
254 $SRV_CMD >> $SRV_OUT 2>&1 &
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]255 SRV_PID=$!
Gilles Peskine80f6be72017-12-19 13:35:10 +0100[diff] [blame]256 wait_server_start "$PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]257
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]258 echo "$CLI_CMD" > $CLI_OUT
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]259 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
260 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]261
Manuel Pégourié-Gonnard74b11702014-08-14 15:47:33 +0200[diff] [blame]262 # kill the server
263 kill $SRV_PID
264 wait $SRV_PID
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]265
266 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]267 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]268 # expected client exit to incorrectly succeed in case of catastrophic
269 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]270 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]271 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]272 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]273 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]274 return
275 fi
276 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]277 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]278 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]279 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]280 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]281 return
282 fi
283 fi
284
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]285 # check server exit code
286 if [ $? != 0 ]; then
287 fail "server fail"
288 return
289 fi
290
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]291 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]292 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
293 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]294 then
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]295 fail "bad client exit code"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]296 return
297 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]298
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]299 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]300 # lines beginning with == are added by valgrind, ignore them
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]301 while [ $# -gt 0 ]
302 do
303 case $1 in
304 "-s")
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]305 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
306 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]307 return
308 fi
309 ;;
310
311 "-c")
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]312 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
313 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]314 return
315 fi
316 ;;
317
318 "-S")
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]319 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
320 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]321 return
322 fi
323 ;;
324
325 "-C")
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]326 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
327 fail "pattern '$2' MUST NOT be present in the Client output"
328 return
329 fi
330 ;;
331
332 # The filtering in the following two options (-u and -U) do the following
333 # - ignore valgrind output
334 # - filter out everything but lines right after the pattern occurances
335 # - keep one of each non-unique line
336 # - count how many lines remain
337 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
338 # if there were no duplicates.
339 "-U")
340 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
341 fail "lines following pattern '$2' must be unique in Server output"
342 return
343 fi
344 ;;
345
346 "-u")
347 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
348 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]349 return
350 fi
351 ;;
352
353 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]354 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]355 exit 1
356 esac
357 shift 2
358 done
359
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]360 # check valgrind's results
361 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]362 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]363 fail "Server has memory errors"
364 return
365 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]366 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]367 fail "Client has memory errors"
368 return
369 fi
370 fi
371
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]372 # if we're here, everything is ok
373 echo "PASS"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]374 rm -f $SRV_OUT $CLI_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]375}
376
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]377cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]378 rm -f $CLI_OUT $SRV_OUT $SESSION
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]379 kill $SRV_PID >/dev/null 2>&1
380 kill $WATCHDOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]381 exit 1
382}
383
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]384#
385# MAIN
386#
387
Manuel Pégourié-Gonnard751286b2015-03-10 13:41:04 +0000[diff] [blame]388if cd $( dirname $0 ); then :; else
389 echo "cd $( dirname $0 ) failed" >&2
390 exit 1
391fi
392
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]393get_options "$@"
394
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]395# sanity checks, avoid an avalanche of errors
396if [ ! -x "$P_SRV" ]; then
397 echo "Command '$P_SRV' is not an executable file"
398 exit 1
399fi
400if [ ! -x "$P_CLI" ]; then
401 echo "Command '$P_CLI' is not an executable file"
402 exit 1
403fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]404if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
405 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]406 exit 1
407fi
408
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]409# used by watchdog
410MAIN_PID="$$"
411
Manuel Pégourié-Gonnard1bca5ef2018-01-22 10:22:09 +0100[diff] [blame^]412# We use somewhat arbitrary delays for tests:
413# - how long do we wait for the server to start (when lsof not available)?
414# - how long do we allow for the client to finish?
415# (not to check performance, just to avoid waiting indefinitely)
416# Things are slower with valgrind, so give extra time here.
417#
418# Note: without lsof, there is a trade-off between the running time of this
419# script and the risk of spurious errors because we didn't wait long enough.
420# The watchdog delay on the other hand doesn't affect normal running time of
421# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]422if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard1bca5ef2018-01-22 10:22:09 +0100[diff] [blame^]423 START_DELAY=6
424 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]425else
Manuel Pégourié-Gonnard1bca5ef2018-01-22 10:22:09 +0100[diff] [blame^]426 START_DELAY=2
427 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]428fi
429
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]430# Pick a "unique" port in the range 10000-19999.
431PORT="0000$$"
Manuel Pégourié-Gonnarddc370e42015-01-22 10:24:59 +0000[diff] [blame]432PORT="1$( printf $PORT | tail -c 4 )"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]433
434# fix commands to use this port
435P_SRV="$P_SRV server_port=$PORT"
436P_CLI="$P_CLI server_port=$PORT"
437O_SRV="$O_SRV -accept $PORT"
438O_CLI="$O_CLI -connect localhost:$PORT"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]439G_SRV="$G_SRV -p $PORT"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]440G_CLI="$G_CLI -p $PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]441
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]442# Also pick a unique name for intermediate files
443SRV_OUT="srv_out.$$"
444CLI_OUT="cli_out.$$"
445SESSION="session.$$"
446
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]447SKIP_NEXT="NO"
448
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]449trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]450
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]451# Basic test
452
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]453# Checks that:
454# - things work with all ciphersuites active (used with config-full in all.sh)
455# - the expected (highest security) parameters are selected
456# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]457run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]458 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]459 "$P_CLI" \
460 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]461 -s "Protocol is TLSv1.2" \
462 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
463 -s "client hello v3, signature_algorithm ext: 6" \
464 -s "ECDHE curve: secp521r1" \
465 -S "error" \
466 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]467
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]468# Test for uniqueness of IVs in AEAD ciphersuites
469run_test "Unique IV in GCM" \
470 "$P_SRV exchanges=20 debug_level=4" \
471 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
472 0 \
473 -u "IV used" \
474 -U "IV used"
475
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]476# Tests for rc4 option
477
478run_test "RC4: server disabled, client enabled" \
479 "$P_SRV" \
480 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
481 1 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]482 -s "SSL - None of the common ciphersuites is usable"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]483
484run_test "RC4: server enabled, client disabled" \
485 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
486 "$P_CLI" \
487 1 \
488 -s "SSL - The server has no ciphersuites in common"
489
490run_test "RC4: both enabled" \
491 "$P_SRV arc4=1" \
492 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
493 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]494 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]495 -S "SSL - The server has no ciphersuites in common"
496
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]497# Test for SSLv2 ClientHello
498
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]499requires_openssl_with_sslv2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]500run_test "SSLv2 ClientHello: reference" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]501 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]502 "$O_CLI -no_ssl2" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]503 0 \
504 -S "parse client hello v2" \
505 -S "ssl_handshake returned"
506
507# Adding a SSL2-only suite makes OpenSSL client send SSLv2 ClientHello
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]508requires_openssl_with_sslv2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]509run_test "SSLv2 ClientHello: actual test" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]510 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]511 "$O_CLI -cipher 'DES-CBC-MD5:ALL'" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]512 0 \
513 -s "parse client hello v2" \
514 -S "ssl_handshake returned"
515
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]516# Tests for Truncated HMAC extension
517
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]518run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]519 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]520 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]521 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]522 -s "dumping 'computed mac' (20 bytes)" \
523 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]524
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]525run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]526 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]527 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
528 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]529 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]530 -s "dumping 'computed mac' (20 bytes)" \
531 -S "dumping 'computed mac' (10 bytes)"
532
533run_test "Truncated HMAC: client enabled, server default" \
534 "$P_SRV debug_level=4" \
535 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
536 trunc_hmac=1" \
537 0 \
538 -S "dumping 'computed mac' (20 bytes)" \
539 -s "dumping 'computed mac' (10 bytes)"
540
541run_test "Truncated HMAC: client enabled, server disabled" \
542 "$P_SRV debug_level=4 trunc_hmac=0" \
543 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
544 trunc_hmac=1" \
545 0 \
546 -s "dumping 'computed mac' (20 bytes)" \
547 -S "dumping 'computed mac' (10 bytes)"
548
549run_test "Truncated HMAC: client enabled, server enabled" \
550 "$P_SRV debug_level=4 trunc_hmac=1" \
551 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
552 trunc_hmac=1" \
553 0 \
554 -S "dumping 'computed mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]555 -s "dumping 'computed mac' (10 bytes)"
556
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]557# Tests for Encrypt-then-MAC extension
558
559run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]560 "$P_SRV debug_level=3 \
561 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]562 "$P_CLI debug_level=3" \
563 0 \
564 -c "client hello, adding encrypt_then_mac extension" \
565 -s "found encrypt then mac extension" \
566 -s "server hello, adding encrypt then mac extension" \
567 -c "found encrypt_then_mac extension" \
568 -c "using encrypt then mac" \
569 -s "using encrypt then mac"
570
571run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]572 "$P_SRV debug_level=3 etm=0 \
573 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]574 "$P_CLI debug_level=3 etm=1" \
575 0 \
576 -c "client hello, adding encrypt_then_mac extension" \
577 -s "found encrypt then mac extension" \
578 -S "server hello, adding encrypt then mac extension" \
579 -C "found encrypt_then_mac extension" \
580 -C "using encrypt then mac" \
581 -S "using encrypt then mac"
582
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]583run_test "Encrypt then MAC: client enabled, aead cipher" \
584 "$P_SRV debug_level=3 etm=1 \
585 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
586 "$P_CLI debug_level=3 etm=1" \
587 0 \
588 -c "client hello, adding encrypt_then_mac extension" \
589 -s "found encrypt then mac extension" \
590 -S "server hello, adding encrypt then mac extension" \
591 -C "found encrypt_then_mac extension" \
592 -C "using encrypt then mac" \
593 -S "using encrypt then mac"
594
595run_test "Encrypt then MAC: client enabled, stream cipher" \
596 "$P_SRV debug_level=3 etm=1 \
597 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]598 "$P_CLI debug_level=3 etm=1 arc4=1" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]599 0 \
600 -c "client hello, adding encrypt_then_mac extension" \
601 -s "found encrypt then mac extension" \
602 -S "server hello, adding encrypt then mac extension" \
603 -C "found encrypt_then_mac extension" \
604 -C "using encrypt then mac" \
605 -S "using encrypt then mac"
606
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]607run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]608 "$P_SRV debug_level=3 etm=1 \
609 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]610 "$P_CLI debug_level=3 etm=0" \
611 0 \
612 -C "client hello, adding encrypt_then_mac extension" \
613 -S "found encrypt then mac extension" \
614 -S "server hello, adding encrypt then mac extension" \
615 -C "found encrypt_then_mac extension" \
616 -C "using encrypt then mac" \
617 -S "using encrypt then mac"
618
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]619requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]620run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]621 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]622 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]623 "$P_CLI debug_level=3 force_version=ssl3" \
624 0 \
625 -C "client hello, adding encrypt_then_mac extension" \
626 -S "found encrypt then mac extension" \
627 -S "server hello, adding encrypt then mac extension" \
628 -C "found encrypt_then_mac extension" \
629 -C "using encrypt then mac" \
630 -S "using encrypt then mac"
631
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]632requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]633run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]634 "$P_SRV debug_level=3 force_version=ssl3 \
635 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]636 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]637 0 \
638 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath8abaa8b2016-05-06 13:48:23 +0100[diff] [blame]639 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]640 -S "server hello, adding encrypt then mac extension" \
641 -C "found encrypt_then_mac extension" \
642 -C "using encrypt then mac" \
643 -S "using encrypt then mac"
644
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]645# Tests for Extended Master Secret extension
646
647run_test "Extended Master Secret: default" \
648 "$P_SRV debug_level=3" \
649 "$P_CLI debug_level=3" \
650 0 \
651 -c "client hello, adding extended_master_secret extension" \
652 -s "found extended master secret extension" \
653 -s "server hello, adding extended master secret extension" \
654 -c "found extended_master_secret extension" \
655 -c "using extended master secret" \
656 -s "using extended master secret"
657
658run_test "Extended Master Secret: client enabled, server disabled" \
659 "$P_SRV debug_level=3 extended_ms=0" \
660 "$P_CLI debug_level=3 extended_ms=1" \
661 0 \
662 -c "client hello, adding extended_master_secret extension" \
663 -s "found extended master secret extension" \
664 -S "server hello, adding extended master secret extension" \
665 -C "found extended_master_secret extension" \
666 -C "using extended master secret" \
667 -S "using extended master secret"
668
669run_test "Extended Master Secret: client disabled, server enabled" \
670 "$P_SRV debug_level=3 extended_ms=1" \
671 "$P_CLI debug_level=3 extended_ms=0" \
672 0 \
673 -C "client hello, adding extended_master_secret extension" \
674 -S "found extended master secret extension" \
675 -S "server hello, adding extended master secret extension" \
676 -C "found extended_master_secret extension" \
677 -C "using extended master secret" \
678 -S "using extended master secret"
679
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]680requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]681run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]682 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]683 "$P_CLI debug_level=3 force_version=ssl3" \
684 0 \
685 -C "client hello, adding extended_master_secret extension" \
686 -S "found extended master secret extension" \
687 -S "server hello, adding extended master secret extension" \
688 -C "found extended_master_secret extension" \
689 -C "using extended master secret" \
690 -S "using extended master secret"
691
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]692requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]693run_test "Extended Master Secret: client enabled, server SSLv3" \
694 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]695 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]696 0 \
697 -c "client hello, adding extended_master_secret extension" \
Janos Follath8abaa8b2016-05-06 13:48:23 +0100[diff] [blame]698 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]699 -S "server hello, adding extended master secret extension" \
700 -C "found extended_master_secret extension" \
701 -C "using extended master secret" \
702 -S "using extended master secret"
703
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]704# Tests for FALLBACK_SCSV
705
706run_test "Fallback SCSV: default" \
707 "$P_SRV" \
708 "$P_CLI debug_level=3 force_version=tls1_1" \
709 0 \
710 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]711 -S "received FALLBACK_SCSV" \
712 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]713 -C "is a fatal alert message (msg 86)"
714
715run_test "Fallback SCSV: explicitly disabled" \
716 "$P_SRV" \
717 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
718 0 \
719 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]720 -S "received FALLBACK_SCSV" \
721 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]722 -C "is a fatal alert message (msg 86)"
723
724run_test "Fallback SCSV: enabled" \
725 "$P_SRV" \
726 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]727 1 \
728 -c "adding FALLBACK_SCSV" \
729 -s "received FALLBACK_SCSV" \
730 -s "inapropriate fallback" \
731 -c "is a fatal alert message (msg 86)"
732
733run_test "Fallback SCSV: enabled, max version" \
734 "$P_SRV" \
735 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]736 0 \
737 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]738 -s "received FALLBACK_SCSV" \
739 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]740 -C "is a fatal alert message (msg 86)"
741
742requires_openssl_with_fallback_scsv
743run_test "Fallback SCSV: default, openssl server" \
744 "$O_SRV" \
745 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
746 0 \
747 -C "adding FALLBACK_SCSV" \
748 -C "is a fatal alert message (msg 86)"
749
750requires_openssl_with_fallback_scsv
751run_test "Fallback SCSV: enabled, openssl server" \
752 "$O_SRV" \
753 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
754 1 \
755 -c "adding FALLBACK_SCSV" \
756 -c "is a fatal alert message (msg 86)"
757
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]758requires_openssl_with_fallback_scsv
759run_test "Fallback SCSV: disabled, openssl client" \
760 "$P_SRV" \
761 "$O_CLI -tls1_1" \
762 0 \
763 -S "received FALLBACK_SCSV" \
764 -S "inapropriate fallback"
765
766requires_openssl_with_fallback_scsv
767run_test "Fallback SCSV: enabled, openssl client" \
768 "$P_SRV" \
769 "$O_CLI -tls1_1 -fallback_scsv" \
770 1 \
771 -s "received FALLBACK_SCSV" \
772 -s "inapropriate fallback"
773
774requires_openssl_with_fallback_scsv
775run_test "Fallback SCSV: enabled, max version, openssl client" \
776 "$P_SRV" \
777 "$O_CLI -fallback_scsv" \
778 0 \
779 -s "received FALLBACK_SCSV" \
780 -S "inapropriate fallback"
781
Gilles Peskinea1cf6c82017-05-17 14:50:38 +0200[diff] [blame]782## ClientHello generated with
783## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
784## then manually twiddling the ciphersuite list.
785## The ClientHello content is spelled out below as a hex string as
786## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
787## The expected response is an inappropriate_fallback alert.
788requires_openssl_with_fallback_scsv
789run_test "Fallback SCSV: beginning of list" \
790 "$P_SRV debug_level=2" \
791 "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
792 0 \
793 -s "received FALLBACK_SCSV" \
794 -s "inapropriate fallback"
795
796requires_openssl_with_fallback_scsv
797run_test "Fallback SCSV: end of list" \
798 "$P_SRV debug_level=2" \
799 "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
800 0 \
801 -s "received FALLBACK_SCSV" \
802 -s "inapropriate fallback"
803
804## Here the expected response is a valid ServerHello prefix, up to the random.
805requires_openssl_with_fallback_scsv
806run_test "Fallback SCSV: not in list" \
807 "$P_SRV debug_level=2" \
808 "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
809 0 \
810 -S "received FALLBACK_SCSV" \
811 -S "inapropriate fallback"
812
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]813# Tests for CBC 1/n-1 record splitting
814
815run_test "CBC Record splitting: TLS 1.2, no splitting" \
816 "$P_SRV" \
817 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
818 request_size=123 force_version=tls1_2" \
819 0 \
820 -s "Read from client: 123 bytes read" \
821 -S "Read from client: 1 bytes read" \
822 -S "122 bytes read"
823
824run_test "CBC Record splitting: TLS 1.1, no splitting" \
825 "$P_SRV" \
826 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
827 request_size=123 force_version=tls1_1" \
828 0 \
829 -s "Read from client: 123 bytes read" \
830 -S "Read from client: 1 bytes read" \
831 -S "122 bytes read"
832
833run_test "CBC Record splitting: TLS 1.0, splitting" \
834 "$P_SRV" \
835 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
836 request_size=123 force_version=tls1" \
837 0 \
838 -S "Read from client: 123 bytes read" \
839 -s "Read from client: 1 bytes read" \
840 -s "122 bytes read"
841
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]842requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]843run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]844 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]845 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
846 request_size=123 force_version=ssl3" \
847 0 \
848 -S "Read from client: 123 bytes read" \
849 -s "Read from client: 1 bytes read" \
850 -s "122 bytes read"
851
852run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]853 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]854 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
855 request_size=123 force_version=tls1" \
856 0 \
857 -s "Read from client: 123 bytes read" \
858 -S "Read from client: 1 bytes read" \
859 -S "122 bytes read"
860
861run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
862 "$P_SRV" \
863 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
864 request_size=123 force_version=tls1 recsplit=0" \
865 0 \
866 -s "Read from client: 123 bytes read" \
867 -S "Read from client: 1 bytes read" \
868 -S "122 bytes read"
869
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]870run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
871 "$P_SRV nbio=2" \
872 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
873 request_size=123 force_version=tls1" \
874 0 \
875 -S "Read from client: 123 bytes read" \
876 -s "Read from client: 1 bytes read" \
877 -s "122 bytes read"
878
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]879# Tests for Session Tickets
880
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]881run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]882 "$P_SRV debug_level=3 tickets=1" \
883 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]884 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]885 -c "client hello, adding session ticket extension" \
886 -s "found session ticket extension" \
887 -s "server hello, adding session ticket extension" \
888 -c "found session_ticket extension" \
889 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]890 -S "session successfully restored from cache" \
891 -s "session successfully restored from ticket" \
892 -s "a session has been resumed" \
893 -c "a session has been resumed"
894
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]895run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]896 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
897 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]898 0 \
899 -c "client hello, adding session ticket extension" \
900 -s "found session ticket extension" \
901 -s "server hello, adding session ticket extension" \
902 -c "found session_ticket extension" \
903 -c "parse new session ticket" \
904 -S "session successfully restored from cache" \
905 -s "session successfully restored from ticket" \
906 -s "a session has been resumed" \
907 -c "a session has been resumed"
908
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]909run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]910 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
911 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]912 0 \
913 -c "client hello, adding session ticket extension" \
914 -s "found session ticket extension" \
915 -s "server hello, adding session ticket extension" \
916 -c "found session_ticket extension" \
917 -c "parse new session ticket" \
918 -S "session successfully restored from cache" \
919 -S "session successfully restored from ticket" \
920 -S "a session has been resumed" \
921 -C "a session has been resumed"
922
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]923run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]924 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]925 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]926 0 \
927 -c "client hello, adding session ticket extension" \
928 -c "found session_ticket extension" \
929 -c "parse new session ticket" \
930 -c "a session has been resumed"
931
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]932run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]933 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]934 "( $O_CLI -sess_out $SESSION; \
935 $O_CLI -sess_in $SESSION; \
936 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]937 0 \
938 -s "found session ticket extension" \
939 -s "server hello, adding session ticket extension" \
940 -S "session successfully restored from cache" \
941 -s "session successfully restored from ticket" \
942 -s "a session has been resumed"
943
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]944# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]945
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]946run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]947 "$P_SRV debug_level=3 tickets=0" \
948 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]949 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]950 -c "client hello, adding session ticket extension" \
951 -s "found session ticket extension" \
952 -S "server hello, adding session ticket extension" \
953 -C "found session_ticket extension" \
954 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]955 -s "session successfully restored from cache" \
956 -S "session successfully restored from ticket" \
957 -s "a session has been resumed" \
958 -c "a session has been resumed"
959
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]960run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]961 "$P_SRV debug_level=3 tickets=1" \
962 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]963 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]964 -C "client hello, adding session ticket extension" \
965 -S "found session ticket extension" \
966 -S "server hello, adding session ticket extension" \
967 -C "found session_ticket extension" \
968 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]969 -s "session successfully restored from cache" \
970 -S "session successfully restored from ticket" \
971 -s "a session has been resumed" \
972 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]973
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]974run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]975 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
976 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]977 0 \
978 -S "session successfully restored from cache" \
979 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]980 -S "a session has been resumed" \
981 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]982
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]983run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]984 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
985 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]986 0 \
987 -s "session successfully restored from cache" \
988 -S "session successfully restored from ticket" \
989 -s "a session has been resumed" \
990 -c "a session has been resumed"
991
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]992run_test "Session resume using cache: timemout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]993 "$P_SRV debug_level=3 tickets=0" \
994 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]995 0 \
996 -s "session successfully restored from cache" \
997 -S "session successfully restored from ticket" \
998 -s "a session has been resumed" \
999 -c "a session has been resumed"
1000
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1001run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1002 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1003 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1004 0 \
1005 -S "session successfully restored from cache" \
1006 -S "session successfully restored from ticket" \
1007 -S "a session has been resumed" \
1008 -C "a session has been resumed"
1009
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1010run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1011 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1012 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1013 0 \
1014 -s "session successfully restored from cache" \
1015 -S "session successfully restored from ticket" \
1016 -s "a session has been resumed" \
1017 -c "a session has been resumed"
1018
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1019run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1020 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1021 "( $O_CLI -sess_out $SESSION; \
1022 $O_CLI -sess_in $SESSION; \
1023 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1024 0 \
1025 -s "found session ticket extension" \
1026 -S "server hello, adding session ticket extension" \
1027 -s "session successfully restored from cache" \
1028 -S "session successfully restored from ticket" \
1029 -s "a session has been resumed"
1030
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1031run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1032 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1033 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1034 0 \
1035 -C "found session_ticket extension" \
1036 -C "parse new session ticket" \
1037 -c "a session has been resumed"
1038
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1039# Tests for Max Fragment Length extension
1040
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1041run_test "Max fragment length: not used, reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1042 "$P_SRV debug_level=3" \
1043 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1044 0 \
1045 -C "client hello, adding max_fragment_length extension" \
1046 -S "found max fragment length extension" \
1047 -S "server hello, max_fragment_length extension" \
1048 -C "found max_fragment_length extension"
1049
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1050run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1051 "$P_SRV debug_level=3" \
1052 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1053 0 \
1054 -c "client hello, adding max_fragment_length extension" \
1055 -s "found max fragment length extension" \
1056 -s "server hello, max_fragment_length extension" \
1057 -c "found max_fragment_length extension"
1058
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1059run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1060 "$P_SRV debug_level=3 max_frag_len=4096" \
1061 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1062 0 \
1063 -C "client hello, adding max_fragment_length extension" \
1064 -S "found max fragment length extension" \
1065 -S "server hello, max_fragment_length extension" \
1066 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1067
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1068requires_gnutls
1069run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1070 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1071 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1072 0 \
1073 -c "client hello, adding max_fragment_length extension" \
1074 -c "found max_fragment_length extension"
1075
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1076# Tests for renegotiation
1077
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1078run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1079 "$P_SRV debug_level=3 exchanges=2" \
1080 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1081 0 \
1082 -C "client hello, adding renegotiation extension" \
1083 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1084 -S "found renegotiation extension" \
1085 -s "server hello, secure renegotiation extension" \
1086 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1087 -C "=> renegotiate" \
1088 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1089 -S "write hello request"
1090
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1091requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1092run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1093 "$P_SRV debug_level=3 exchanges=2 renegotiation=1" \
1094 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1095 0 \
1096 -c "client hello, adding renegotiation extension" \
1097 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1098 -s "found renegotiation extension" \
1099 -s "server hello, secure renegotiation extension" \
1100 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1101 -c "=> renegotiate" \
1102 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1103 -S "write hello request"
1104
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1105requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1106run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1107 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1108 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1109 0 \
1110 -c "client hello, adding renegotiation extension" \
1111 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1112 -s "found renegotiation extension" \
1113 -s "server hello, secure renegotiation extension" \
1114 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1115 -c "=> renegotiate" \
1116 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1117 -s "write hello request"
1118
Janos Follathea111c52017-10-05 12:29:42 +0100[diff] [blame]1119# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1120# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1121# algorithm stronger than SHA-1 is enabled in config.h
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1122requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Janos Follathea111c52017-10-05 12:29:42 +0100[diff] [blame]1123run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1124 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1125 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1126 0 \
1127 -c "client hello, adding renegotiation extension" \
1128 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1129 -s "found renegotiation extension" \
1130 -s "server hello, secure renegotiation extension" \
1131 -c "found renegotiation extension" \
1132 -c "=> renegotiate" \
1133 -s "=> renegotiate" \
1134 -S "write hello request" \
1135 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1136
1137# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1138# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1139# algorithm stronger than SHA-1 is enabled in config.h
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1140requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Janos Follathea111c52017-10-05 12:29:42 +0100[diff] [blame]1141run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1142 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1143 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1144 0 \
1145 -c "client hello, adding renegotiation extension" \
1146 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1147 -s "found renegotiation extension" \
1148 -s "server hello, secure renegotiation extension" \
1149 -c "found renegotiation extension" \
1150 -c "=> renegotiate" \
1151 -s "=> renegotiate" \
1152 -s "write hello request" \
1153 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1154
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1155requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1156run_test "Renegotiation: double" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1157 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1158 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1159 0 \
1160 -c "client hello, adding renegotiation extension" \
1161 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1162 -s "found renegotiation extension" \
1163 -s "server hello, secure renegotiation extension" \
1164 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1165 -c "=> renegotiate" \
1166 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1167 -s "write hello request"
1168
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1169requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1170run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1171 "$P_SRV debug_level=3 exchanges=2 renegotiation=0" \
1172 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1173 1 \
1174 -c "client hello, adding renegotiation extension" \
1175 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1176 -S "found renegotiation extension" \
1177 -s "server hello, secure renegotiation extension" \
1178 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1179 -c "=> renegotiate" \
1180 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1181 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1182 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1183 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1184
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1185requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1186run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1187 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1188 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1189 0 \
1190 -C "client hello, adding renegotiation extension" \
1191 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1192 -S "found renegotiation extension" \
1193 -s "server hello, secure renegotiation extension" \
1194 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1195 -C "=> renegotiate" \
1196 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1197 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1198 -S "SSL - An unexpected message was received from our peer" \
1199 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1200
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1201requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1202run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1203 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1204 renego_delay=-1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1205 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1206 0 \
1207 -C "client hello, adding renegotiation extension" \
1208 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1209 -S "found renegotiation extension" \
1210 -s "server hello, secure renegotiation extension" \
1211 -c "found renegotiation extension" \
1212 -C "=> renegotiate" \
1213 -S "=> renegotiate" \
1214 -s "write hello request" \
1215 -S "SSL - An unexpected message was received from our peer" \
1216 -S "failed"
1217
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1218# delay 2 for 1 alert record + 1 application data record
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1219requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1220run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1221 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1222 renego_delay=2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1223 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1224 0 \
1225 -C "client hello, adding renegotiation extension" \
1226 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1227 -S "found renegotiation extension" \
1228 -s "server hello, secure renegotiation extension" \
1229 -c "found renegotiation extension" \
1230 -C "=> renegotiate" \
1231 -S "=> renegotiate" \
1232 -s "write hello request" \
1233 -S "SSL - An unexpected message was received from our peer" \
1234 -S "failed"
1235
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1236requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1237run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1238 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1239 renego_delay=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1240 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1241 0 \
1242 -C "client hello, adding renegotiation extension" \
1243 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1244 -S "found renegotiation extension" \
1245 -s "server hello, secure renegotiation extension" \
1246 -c "found renegotiation extension" \
1247 -C "=> renegotiate" \
1248 -S "=> renegotiate" \
1249 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1250 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1251
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1252requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1253run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1254 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1255 renego_delay=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1256 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1257 0 \
1258 -c "client hello, adding renegotiation extension" \
1259 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1260 -s "found renegotiation extension" \
1261 -s "server hello, secure renegotiation extension" \
1262 -c "found renegotiation extension" \
1263 -c "=> renegotiate" \
1264 -s "=> renegotiate" \
1265 -s "write hello request" \
1266 -S "SSL - An unexpected message was received from our peer" \
1267 -S "failed"
1268
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1269requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1270run_test "Renegotiation: periodic, just below period" \
1271 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
1272 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1273 0 \
1274 -C "client hello, adding renegotiation extension" \
1275 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1276 -S "found renegotiation extension" \
1277 -s "server hello, secure renegotiation extension" \
1278 -c "found renegotiation extension" \
1279 -S "record counter limit reached: renegotiate" \
1280 -C "=> renegotiate" \
1281 -S "=> renegotiate" \
1282 -S "write hello request" \
1283 -S "SSL - An unexpected message was received from our peer" \
1284 -S "failed"
1285
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1286# one extra exchange to be able to complete renego
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1287requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1288run_test "Renegotiation: periodic, just above period" \
1289 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1290 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1291 0 \
1292 -c "client hello, adding renegotiation extension" \
1293 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1294 -s "found renegotiation extension" \
1295 -s "server hello, secure renegotiation extension" \
1296 -c "found renegotiation extension" \
1297 -s "record counter limit reached: renegotiate" \
1298 -c "=> renegotiate" \
1299 -s "=> renegotiate" \
1300 -s "write hello request" \
1301 -S "SSL - An unexpected message was received from our peer" \
1302 -S "failed"
1303
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1304requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1305run_test "Renegotiation: periodic, two times period" \
1306 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1307 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1308 0 \
1309 -c "client hello, adding renegotiation extension" \
1310 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1311 -s "found renegotiation extension" \
1312 -s "server hello, secure renegotiation extension" \
1313 -c "found renegotiation extension" \
1314 -s "record counter limit reached: renegotiate" \
1315 -c "=> renegotiate" \
1316 -s "=> renegotiate" \
1317 -s "write hello request" \
1318 -S "SSL - An unexpected message was received from our peer" \
1319 -S "failed"
1320
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1321requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1322run_test "Renegotiation: periodic, above period, disabled" \
1323 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3" \
1324 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1325 0 \
1326 -C "client hello, adding renegotiation extension" \
1327 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1328 -S "found renegotiation extension" \
1329 -s "server hello, secure renegotiation extension" \
1330 -c "found renegotiation extension" \
1331 -S "record counter limit reached: renegotiate" \
1332 -C "=> renegotiate" \
1333 -S "=> renegotiate" \
1334 -S "write hello request" \
1335 -S "SSL - An unexpected message was received from our peer" \
1336 -S "failed"
1337
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1338requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1339run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1340 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
1341 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1342 0 \
1343 -c "client hello, adding renegotiation extension" \
1344 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1345 -s "found renegotiation extension" \
1346 -s "server hello, secure renegotiation extension" \
1347 -c "found renegotiation extension" \
1348 -c "=> renegotiate" \
1349 -s "=> renegotiate" \
1350 -S "write hello request"
1351
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1352requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1353run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1354 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
1355 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1356 0 \
1357 -c "client hello, adding renegotiation extension" \
1358 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1359 -s "found renegotiation extension" \
1360 -s "server hello, secure renegotiation extension" \
1361 -c "found renegotiation extension" \
1362 -c "=> renegotiate" \
1363 -s "=> renegotiate" \
1364 -s "write hello request"
1365
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1366requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1367run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1368 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1369 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1370 0 \
1371 -c "client hello, adding renegotiation extension" \
1372 -c "found renegotiation extension" \
1373 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1374 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1375 -C "error" \
1376 -c "HTTP/1.0 200 [Oo][Kk]"
1377
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1378requires_gnutls
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1379requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1380run_test "Renegotiation: gnutls server strict, client-initiated" \
1381 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1382 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1383 0 \
1384 -c "client hello, adding renegotiation extension" \
1385 -c "found renegotiation extension" \
1386 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1387 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1388 -C "error" \
1389 -c "HTTP/1.0 200 [Oo][Kk]"
1390
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1391requires_gnutls
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1392requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1393run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1394 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1395 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1396 1 \
1397 -c "client hello, adding renegotiation extension" \
1398 -C "found renegotiation extension" \
1399 -c "=> renegotiate" \
1400 -c "ssl_handshake() returned" \
1401 -c "error" \
1402 -C "HTTP/1.0 200 [Oo][Kk]"
1403
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1404requires_gnutls
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1405requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1406run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1407 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1408 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1409 allow_legacy=0" \
1410 1 \
1411 -c "client hello, adding renegotiation extension" \
1412 -C "found renegotiation extension" \
1413 -c "=> renegotiate" \
1414 -c "ssl_handshake() returned" \
1415 -c "error" \
1416 -C "HTTP/1.0 200 [Oo][Kk]"
1417
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1418requires_gnutls
Hanno Beckere8f3d932017-10-25 09:38:00 +0100[diff] [blame]1419requires_config_disabled POLARSSL_SSL_DISABLE_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1420run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1421 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1422 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1423 allow_legacy=1" \
1424 0 \
1425 -c "client hello, adding renegotiation extension" \
1426 -C "found renegotiation extension" \
1427 -c "=> renegotiate" \
1428 -C "ssl_hanshake() returned" \
1429 -C "error" \
1430 -c "HTTP/1.0 200 [Oo][Kk]"
1431
1432# Test for the "secure renegotation" extension only (no actual renegotiation)
1433
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1434requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1435run_test "Renego ext: gnutls server strict, client default" \
1436 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1437 "$P_CLI debug_level=3" \
1438 0 \
1439 -c "found renegotiation extension" \
1440 -C "error" \
1441 -c "HTTP/1.0 200 [Oo][Kk]"
1442
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1443requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1444run_test "Renego ext: gnutls server unsafe, client default" \
1445 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1446 "$P_CLI debug_level=3" \
1447 0 \
1448 -C "found renegotiation extension" \
1449 -C "error" \
1450 -c "HTTP/1.0 200 [Oo][Kk]"
1451
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1452requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1453run_test "Renego ext: gnutls server unsafe, client break legacy" \
1454 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1455 "$P_CLI debug_level=3 allow_legacy=-1" \
1456 1 \
1457 -C "found renegotiation extension" \
1458 -c "error" \
1459 -C "HTTP/1.0 200 [Oo][Kk]"
1460
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1461requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1462run_test "Renego ext: gnutls client strict, server default" \
1463 "$P_SRV debug_level=3" \
1464 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1465 0 \
1466 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1467 -s "server hello, secure renegotiation extension"
1468
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1469requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1470run_test "Renego ext: gnutls client unsafe, server default" \
1471 "$P_SRV debug_level=3" \
1472 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1473 0 \
1474 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1475 -S "server hello, secure renegotiation extension"
1476
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1477requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1478run_test "Renego ext: gnutls client unsafe, server break legacy" \
1479 "$P_SRV debug_level=3 allow_legacy=-1" \
1480 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1481 1 \
1482 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1483 -S "server hello, secure renegotiation extension"
1484
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1485# Tests for auth_mode
1486
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1487run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1488 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1489 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1490 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1491 1 \
1492 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1493 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1494 -c "! ssl_handshake returned" \
1495 -c "X509 - Certificate verification failed"
1496
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1497run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1498 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1499 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1500 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1501 0 \
1502 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1503 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1504 -C "! ssl_handshake returned" \
1505 -C "X509 - Certificate verification failed"
1506
Hanno Becker6fd6d242017-05-25 17:51:31 +0100[diff] [blame]1507run_test "Authentication: server goodcert, client optional, no trusted CA" \
1508 "$P_SRV" \
1509 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1510 0 \
1511 -c "x509_verify_cert() returned" \
1512 -c "! The certificate is not correctly signed by the trusted CA" \
1513 -c "! Certificate verification flags"\
1514 -C "! ssl_handshake returned" \
1515 -C "X509 - Certificate verification failed" \
1516 -C "SSL - No CA Chain is set, but required to operate"
1517
1518run_test "Authentication: server goodcert, client required, no trusted CA" \
1519 "$P_SRV" \
1520 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1521 1 \
1522 -c "x509_verify_cert() returned" \
1523 -c "! The certificate is not correctly signed by the trusted CA" \
1524 -c "! Certificate verification flags"\
1525 -c "! ssl_handshake returned" \
1526 -c "SSL - No CA Chain is set, but required to operate"
1527
1528# The purpose of the next two tests is to test the client's behaviour when receiving a server
1529# certificate with an unsupported elliptic curve. This should usually not happen because
1530# the client informs the server about the supported curves - it does, though, in the
1531# corner case of a static ECDH suite, because the server doesn't check the curve on that
1532# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1533# different means to have the server ignoring the client's supported curve list.
1534
1535requires_config_enabled POLARSSL_SSL_SET_CURVES
1536run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1537 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1538 crt_file=data_files/server5.ku-ka.crt" \
1539 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1540 1 \
1541 -c "bad certificate (EC key curve)"\
1542 -c "! Certificate verification flags"\
1543 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1544
1545requires_config_enabled POLARSSL_SSL_SET_CURVES
1546run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1547 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1548 crt_file=data_files/server5.ku-ka.crt" \
1549 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1550 1 \
1551 -c "bad certificate (EC key curve)"\
1552 -c "! Certificate verification flags"\
1553 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1554
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1555run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1556 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1557 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1558 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1559 0 \
1560 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1561 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1562 -C "! ssl_handshake returned" \
1563 -C "X509 - Certificate verification failed"
1564
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1565run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1566 "$P_SRV debug_level=3 auth_mode=required" \
1567 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1568 key_file=data_files/server5.key" \
1569 1 \
1570 -S "skip write certificate request" \
1571 -C "skip parse certificate request" \
1572 -c "got a certificate request" \
1573 -C "skip write certificate" \
1574 -C "skip write certificate verify" \
1575 -S "skip parse certificate verify" \
1576 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1577 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1578 -s "! ssl_handshake returned" \
1579 -c "! ssl_handshake returned" \
1580 -s "X509 - Certificate verification failed"
1581
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1582run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1583 "$P_SRV debug_level=3 auth_mode=optional" \
1584 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1585 key_file=data_files/server5.key" \
1586 0 \
1587 -S "skip write certificate request" \
1588 -C "skip parse certificate request" \
1589 -c "got a certificate request" \
1590 -C "skip write certificate" \
1591 -C "skip write certificate verify" \
1592 -S "skip parse certificate verify" \
1593 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1594 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1595 -S "! ssl_handshake returned" \
1596 -C "! ssl_handshake returned" \
1597 -S "X509 - Certificate verification failed"
1598
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1599run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1600 "$P_SRV debug_level=3 auth_mode=none" \
1601 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1602 key_file=data_files/server5.key" \
1603 0 \
1604 -s "skip write certificate request" \
1605 -C "skip parse certificate request" \
1606 -c "got no certificate request" \
1607 -c "skip write certificate" \
1608 -c "skip write certificate verify" \
1609 -s "skip parse certificate verify" \
1610 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1611 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1612 -S "! ssl_handshake returned" \
1613 -C "! ssl_handshake returned" \
1614 -S "X509 - Certificate verification failed"
1615
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1616run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1617 "$P_SRV debug_level=3 auth_mode=optional" \
1618 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1619 0 \
1620 -S "skip write certificate request" \
1621 -C "skip parse certificate request" \
1622 -c "got a certificate request" \
1623 -C "skip write certificate$" \
1624 -C "got no certificate to send" \
1625 -S "SSLv3 client has no certificate" \
1626 -c "skip write certificate verify" \
1627 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1628 -s "! Certificate was missing" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1629 -S "! ssl_handshake returned" \
1630 -C "! ssl_handshake returned" \
1631 -S "X509 - Certificate verification failed"
1632
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1633run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1634 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1635 "$O_CLI" \
1636 0 \
1637 -S "skip write certificate request" \
1638 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1639 -s "! Certificate was missing" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1640 -S "! ssl_handshake returned" \
1641 -S "X509 - Certificate verification failed"
1642
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1643run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1644 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1645 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1646 0 \
1647 -C "skip parse certificate request" \
1648 -c "got a certificate request" \
1649 -C "skip write certificate$" \
1650 -c "skip write certificate verify" \
1651 -C "! ssl_handshake returned"
1652
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]1653requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1654run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1655 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]1656 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1657 0 \
1658 -S "skip write certificate request" \
1659 -C "skip parse certificate request" \
1660 -c "got a certificate request" \
1661 -C "skip write certificate$" \
1662 -c "skip write certificate verify" \
1663 -c "got no certificate to send" \
1664 -s "SSLv3 client has no certificate" \
1665 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1666 -s "! Certificate was missing" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1667 -S "! ssl_handshake returned" \
1668 -C "! ssl_handshake returned" \
1669 -S "X509 - Certificate verification failed"
1670
Manuel Pégourié-Gonnarda68d5912017-07-10 11:31:43 +0200[diff] [blame]1671run_test "Authentication: server max_int chain, client default" \
1672 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
1673 key_file=data_files/dir-maxpath/09.key" \
1674 "$P_CLI server_name=CA09 server_addr=127.0.0.1 \
1675 ca_file=data_files/dir-maxpath/00.crt" \
1676 0 \
1677 -C "X509 - A fatal error occured"
1678
1679run_test "Authentication: server max_int+1 chain, client default" \
1680 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
1681 key_file=data_files/dir-maxpath/10.key" \
1682 "$P_CLI server_name=CA10 server_addr=127.0.0.1 \
1683 ca_file=data_files/dir-maxpath/00.crt" \
1684 1 \
1685 -c "X509 - A fatal error occured"
1686
1687run_test "Authentication: server max_int+1 chain, client optional" \
1688 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
1689 key_file=data_files/dir-maxpath/10.key" \
1690 "$P_CLI server_name=CA10 server_addr=127.0.0.1 \
1691 ca_file=data_files/dir-maxpath/00.crt \
1692 auth_mode=optional" \
1693 1 \
1694 -c "X509 - A fatal error occured"
1695
1696run_test "Authentication: server max_int+1 chain, client none" \
1697 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
1698 key_file=data_files/dir-maxpath/10.key" \
1699 "$P_CLI server_name=CA10 server_addr=127.0.0.1 ca_file=data_files/dir-maxpath/00.crt \
1700 auth_mode=none" \
1701 0 \
1702 -C "X509 - A fatal error occured"
1703
1704run_test "Authentication: client max_int+1 chain, server none" \
1705 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=none" \
1706 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
1707 key_file=data_files/dir-maxpath/10.key" \
1708 0 \
1709 -S "X509 - A fatal error occured"
1710
1711run_test "Authentication: client max_int+1 chain, server optional" \
1712 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
1713 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
1714 key_file=data_files/dir-maxpath/10.key" \
1715 1 \
1716 -s "X509 - A fatal error occured"
1717
1718run_test "Authentication: client max_int+1 chain, server required" \
1719 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
1720 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
1721 key_file=data_files/dir-maxpath/10.key" \
1722 1 \
1723 -s "X509 - A fatal error occured"
1724
1725run_test "Authentication: client max_int chain, server required" \
1726 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
1727 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
1728 key_file=data_files/dir-maxpath/09.key" \
1729 0 \
1730 -S "X509 - A fatal error occured"
1731
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]1732# Tests for certificate selection based on SHA verson
1733
1734run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
1735 "$P_SRV crt_file=data_files/server5.crt \
1736 key_file=data_files/server5.key \
1737 crt_file2=data_files/server5-sha1.crt \
1738 key_file2=data_files/server5.key" \
1739 "$P_CLI force_version=tls1_2" \
1740 0 \
1741 -c "signed using.*ECDSA with SHA256" \
1742 -C "signed using.*ECDSA with SHA1"
1743
1744run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
1745 "$P_SRV crt_file=data_files/server5.crt \
1746 key_file=data_files/server5.key \
1747 crt_file2=data_files/server5-sha1.crt \
1748 key_file2=data_files/server5.key" \
1749 "$P_CLI force_version=tls1_1" \
1750 0 \
1751 -C "signed using.*ECDSA with SHA256" \
1752 -c "signed using.*ECDSA with SHA1"
1753
1754run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
1755 "$P_SRV crt_file=data_files/server5.crt \
1756 key_file=data_files/server5.key \
1757 crt_file2=data_files/server5-sha1.crt \
1758 key_file2=data_files/server5.key" \
1759 "$P_CLI force_version=tls1" \
1760 0 \
1761 -C "signed using.*ECDSA with SHA256" \
1762 -c "signed using.*ECDSA with SHA1"
1763
1764run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
1765 "$P_SRV crt_file=data_files/server5.crt \
1766 key_file=data_files/server5.key \
1767 crt_file2=data_files/server6.crt \
1768 key_file2=data_files/server6.key" \
1769 "$P_CLI force_version=tls1_1" \
1770 0 \
1771 -c "serial number.*09" \
1772 -c "signed using.*ECDSA with SHA256" \
1773 -C "signed using.*ECDSA with SHA1"
1774
1775run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
1776 "$P_SRV crt_file=data_files/server6.crt \
1777 key_file=data_files/server6.key \
1778 crt_file2=data_files/server5.crt \
1779 key_file2=data_files/server5.key" \
1780 "$P_CLI force_version=tls1_1" \
1781 0 \
1782 -c "serial number.*0A" \
1783 -c "signed using.*ECDSA with SHA256" \
1784 -C "signed using.*ECDSA with SHA1"
1785
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1786# tests for SNI
1787
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1788run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1789 "$P_SRV debug_level=3 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1790 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1791 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1792 server_name=localhost" \
1793 0 \
1794 -S "parse ServerName extension" \
1795 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
1796 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
1797
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1798run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1799 "$P_SRV debug_level=3 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1800 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1801 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1802 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1803 server_name=localhost" \
1804 0 \
1805 -s "parse ServerName extension" \
1806 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
1807 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
1808
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1809run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1810 "$P_SRV debug_level=3 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1811 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1812 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1813 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1814 server_name=polarssl.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1815 0 \
1816 -s "parse ServerName extension" \
1817 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1818 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1819
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1820run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1821 "$P_SRV debug_level=3 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1822 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1823 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1824 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1825 server_name=nonesuch.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1826 1 \
1827 -s "parse ServerName extension" \
1828 -s "ssl_sni_wrapper() returned" \
1829 -s "ssl_handshake returned" \
1830 -c "ssl_handshake returned" \
1831 -c "SSL - A fatal alert message was received from our peer"
1832
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1833# Tests for non-blocking I/O: exercise a variety of handshake flows
1834
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1835run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1836 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
1837 "$P_CLI nbio=2 tickets=0" \
1838 0 \
1839 -S "ssl_handshake returned" \
1840 -C "ssl_handshake returned" \
1841 -c "Read from server: .* bytes read"
1842
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1843run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1844 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
1845 "$P_CLI nbio=2 tickets=0" \
1846 0 \
1847 -S "ssl_handshake returned" \
1848 -C "ssl_handshake returned" \
1849 -c "Read from server: .* bytes read"
1850
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1851run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1852 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
1853 "$P_CLI nbio=2 tickets=1" \
1854 0 \
1855 -S "ssl_handshake returned" \
1856 -C "ssl_handshake returned" \
1857 -c "Read from server: .* bytes read"
1858
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1859run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1860 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
1861 "$P_CLI nbio=2 tickets=1" \
1862 0 \
1863 -S "ssl_handshake returned" \
1864 -C "ssl_handshake returned" \
1865 -c "Read from server: .* bytes read"
1866
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1867run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1868 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
1869 "$P_CLI nbio=2 tickets=1 reconnect=1" \
1870 0 \
1871 -S "ssl_handshake returned" \
1872 -C "ssl_handshake returned" \
1873 -c "Read from server: .* bytes read"
1874
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1875run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1876 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
1877 "$P_CLI nbio=2 tickets=1 reconnect=1" \
1878 0 \
1879 -S "ssl_handshake returned" \
1880 -C "ssl_handshake returned" \
1881 -c "Read from server: .* bytes read"
1882
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1883run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1884 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
1885 "$P_CLI nbio=2 tickets=0 reconnect=1" \
1886 0 \
1887 -S "ssl_handshake returned" \
1888 -C "ssl_handshake returned" \
1889 -c "Read from server: .* bytes read"
1890
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1891# Tests for version negotiation
1892
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1893run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1894 "$P_SRV" \
1895 "$P_CLI" \
1896 0 \
1897 -S "ssl_handshake returned" \
1898 -C "ssl_handshake returned" \
1899 -s "Protocol is TLSv1.2" \
1900 -c "Protocol is TLSv1.2"
1901
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1902run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1903 "$P_SRV" \
1904 "$P_CLI max_version=tls1_1" \
1905 0 \
1906 -S "ssl_handshake returned" \
1907 -C "ssl_handshake returned" \
1908 -s "Protocol is TLSv1.1" \
1909 -c "Protocol is TLSv1.1"
1910
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1911run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1912 "$P_SRV max_version=tls1_1" \
1913 "$P_CLI" \
1914 0 \
1915 -S "ssl_handshake returned" \
1916 -C "ssl_handshake returned" \
1917 -s "Protocol is TLSv1.1" \
1918 -c "Protocol is TLSv1.1"
1919
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1920run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1921 "$P_SRV max_version=tls1_1" \
1922 "$P_CLI max_version=tls1_1" \
1923 0 \
1924 -S "ssl_handshake returned" \
1925 -C "ssl_handshake returned" \
1926 -s "Protocol is TLSv1.1" \
1927 -c "Protocol is TLSv1.1"
1928
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1929run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1930 "$P_SRV min_version=tls1_1" \
1931 "$P_CLI max_version=tls1_1" \
1932 0 \
1933 -S "ssl_handshake returned" \
1934 -C "ssl_handshake returned" \
1935 -s "Protocol is TLSv1.1" \
1936 -c "Protocol is TLSv1.1"
1937
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1938run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1939 "$P_SRV max_version=tls1_1" \
1940 "$P_CLI min_version=tls1_1" \
1941 0 \
1942 -S "ssl_handshake returned" \
1943 -C "ssl_handshake returned" \
1944 -s "Protocol is TLSv1.1" \
1945 -c "Protocol is TLSv1.1"
1946
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1947run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1948 "$P_SRV max_version=tls1_1" \
1949 "$P_CLI min_version=tls1_2" \
1950 1 \
1951 -s "ssl_handshake returned" \
1952 -c "ssl_handshake returned" \
1953 -c "SSL - Handshake protocol not within min/max boundaries"
1954
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1955run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1956 "$P_SRV min_version=tls1_2" \
1957 "$P_CLI max_version=tls1_1" \
1958 1 \
1959 -s "ssl_handshake returned" \
1960 -c "ssl_handshake returned" \
1961 -s "SSL - Handshake protocol not within min/max boundaries"
1962
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1963# Tests for ALPN extension
1964
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]1965if grep '^#define POLARSSL_SSL_ALPN' $CONFIG_H >/dev/null; then
1966
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1967run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1968 "$P_SRV debug_level=3" \
1969 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1970 0 \
1971 -C "client hello, adding alpn extension" \
1972 -S "found alpn extension" \
1973 -C "got an alert message, type: \\[2:120]" \
1974 -S "server hello, adding alpn extension" \
1975 -C "found alpn extension " \
1976 -C "Application Layer Protocol is" \
1977 -S "Application Layer Protocol is"
1978
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1979run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1980 "$P_SRV debug_level=3" \
1981 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1982 0 \
1983 -c "client hello, adding alpn extension" \
1984 -s "found alpn extension" \
1985 -C "got an alert message, type: \\[2:120]" \
1986 -S "server hello, adding alpn extension" \
1987 -C "found alpn extension " \
1988 -c "Application Layer Protocol is (none)" \
1989 -S "Application Layer Protocol is"
1990
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1991run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1992 "$P_SRV debug_level=3 alpn=abc,1234" \
1993 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1994 0 \
1995 -C "client hello, adding alpn extension" \
1996 -S "found alpn extension" \
1997 -C "got an alert message, type: \\[2:120]" \
1998 -S "server hello, adding alpn extension" \
1999 -C "found alpn extension " \
2000 -C "Application Layer Protocol is" \
2001 -s "Application Layer Protocol is (none)"
2002
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2003run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2004 "$P_SRV debug_level=3 alpn=abc,1234" \
2005 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2006 0 \
2007 -c "client hello, adding alpn extension" \
2008 -s "found alpn extension" \
2009 -C "got an alert message, type: \\[2:120]" \
2010 -s "server hello, adding alpn extension" \
2011 -c "found alpn extension" \
2012 -c "Application Layer Protocol is abc" \
2013 -s "Application Layer Protocol is abc"
2014
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2015run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2016 "$P_SRV debug_level=3 alpn=abc,1234" \
2017 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2018 0 \
2019 -c "client hello, adding alpn extension" \
2020 -s "found alpn extension" \
2021 -C "got an alert message, type: \\[2:120]" \
2022 -s "server hello, adding alpn extension" \
2023 -c "found alpn extension" \
2024 -c "Application Layer Protocol is abc" \
2025 -s "Application Layer Protocol is abc"
2026
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2027run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2028 "$P_SRV debug_level=3 alpn=abc,1234" \
2029 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2030 0 \
2031 -c "client hello, adding alpn extension" \
2032 -s "found alpn extension" \
2033 -C "got an alert message, type: \\[2:120]" \
2034 -s "server hello, adding alpn extension" \
2035 -c "found alpn extension" \
2036 -c "Application Layer Protocol is 1234" \
2037 -s "Application Layer Protocol is 1234"
2038
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2039run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2040 "$P_SRV debug_level=3 alpn=abc,123" \
2041 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2042 1 \
2043 -c "client hello, adding alpn extension" \
2044 -s "found alpn extension" \
2045 -c "got an alert message, type: \\[2:120]" \
2046 -S "server hello, adding alpn extension" \
2047 -C "found alpn extension" \
2048 -C "Application Layer Protocol is 1234" \
2049 -S "Application Layer Protocol is 1234"
2050
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2051fi
2052
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2053# Tests for keyUsage in leaf certificates, part 1:
2054# server-side certificate/suite selection
2055
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2056run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2057 "$P_SRV key_file=data_files/server2.key \
2058 crt_file=data_files/server2.ku-ds.crt" \
2059 "$P_CLI" \
2060 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2061 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2062
2063
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2064run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2065 "$P_SRV key_file=data_files/server2.key \
2066 crt_file=data_files/server2.ku-ke.crt" \
2067 "$P_CLI" \
2068 0 \
2069 -c "Ciphersuite is TLS-RSA-WITH-"
2070
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2071run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2072 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2073 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2074 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2075 1 \
2076 -C "Ciphersuite is "
2077
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2078run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2079 "$P_SRV key_file=data_files/server5.key \
2080 crt_file=data_files/server5.ku-ds.crt" \
2081 "$P_CLI" \
2082 0 \
2083 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2084
2085
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2086run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2087 "$P_SRV key_file=data_files/server5.key \
2088 crt_file=data_files/server5.ku-ka.crt" \
2089 "$P_CLI" \
2090 0 \
2091 -c "Ciphersuite is TLS-ECDH-"
2092
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2093run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2094 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2095 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2096 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2097 1 \
2098 -C "Ciphersuite is "
2099
2100# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2101# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2102
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2103run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2104 "$O_SRV -key data_files/server2.key \
2105 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2106 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2107 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2108 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2109 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2110 -C "Processing of the Certificate handshake message failed" \
2111 -c "Ciphersuite is TLS-"
2112
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2113run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2114 "$O_SRV -key data_files/server2.key \
2115 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2116 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2117 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2118 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2119 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2120 -C "Processing of the Certificate handshake message failed" \
2121 -c "Ciphersuite is TLS-"
2122
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2123run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2124 "$O_SRV -key data_files/server2.key \
2125 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2126 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2127 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2128 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2129 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2130 -C "Processing of the Certificate handshake message failed" \
2131 -c "Ciphersuite is TLS-"
2132
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2133run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2134 "$O_SRV -key data_files/server2.key \
2135 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2136 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2137 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2138 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2139 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2140 -c "Processing of the Certificate handshake message failed" \
2141 -C "Ciphersuite is TLS-"
2142
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +0200[diff] [blame]2143run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2144 "$O_SRV -key data_files/server2.key \
2145 -cert data_files/server2.ku-ke.crt" \
2146 "$P_CLI debug_level=1 auth_mode=optional \
2147 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2148 0 \
2149 -c "bad certificate (usage extensions)" \
2150 -C "Processing of the Certificate handshake message failed" \
2151 -c "Ciphersuite is TLS-" \
2152 -c "! Usage does not match the keyUsage extension"
2153
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2154run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2155 "$O_SRV -key data_files/server2.key \
2156 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2157 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2158 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2159 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2160 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2161 -C "Processing of the Certificate handshake message failed" \
2162 -c "Ciphersuite is TLS-"
2163
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2164run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2165 "$O_SRV -key data_files/server2.key \
2166 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2167 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2168 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2169 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2170 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2171 -c "Processing of the Certificate handshake message failed" \
2172 -C "Ciphersuite is TLS-"
2173
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +0200[diff] [blame]2174run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2175 "$O_SRV -key data_files/server2.key \
2176 -cert data_files/server2.ku-ds.crt" \
2177 "$P_CLI debug_level=1 auth_mode=optional \
2178 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2179 0 \
2180 -c "bad certificate (usage extensions)" \
2181 -C "Processing of the Certificate handshake message failed" \
2182 -c "Ciphersuite is TLS-" \
2183 -c "! Usage does not match the keyUsage extension"
2184
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2185# Tests for keyUsage in leaf certificates, part 3:
2186# server-side checking of client cert
2187
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2188run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2189 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2190 "$O_CLI -key data_files/server2.key \
2191 -cert data_files/server2.ku-ds.crt" \
2192 0 \
2193 -S "bad certificate (usage extensions)" \
2194 -S "Processing of the Certificate handshake message failed"
2195
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2196run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2197 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2198 "$O_CLI -key data_files/server2.key \
2199 -cert data_files/server2.ku-ke.crt" \
2200 0 \
2201 -s "bad certificate (usage extensions)" \
2202 -S "Processing of the Certificate handshake message failed"
2203
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2204run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2205 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2206 "$O_CLI -key data_files/server2.key \
2207 -cert data_files/server2.ku-ke.crt" \
2208 1 \
2209 -s "bad certificate (usage extensions)" \
2210 -s "Processing of the Certificate handshake message failed"
2211
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2212run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2213 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2214 "$O_CLI -key data_files/server5.key \
2215 -cert data_files/server5.ku-ds.crt" \
2216 0 \
2217 -S "bad certificate (usage extensions)" \
2218 -S "Processing of the Certificate handshake message failed"
2219
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2220run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2221 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2222 "$O_CLI -key data_files/server5.key \
2223 -cert data_files/server5.ku-ka.crt" \
2224 0 \
2225 -s "bad certificate (usage extensions)" \
2226 -S "Processing of the Certificate handshake message failed"
2227
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2228# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2229
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2230run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2231 "$P_SRV key_file=data_files/server5.key \
2232 crt_file=data_files/server5.eku-srv.crt" \
2233 "$P_CLI" \
2234 0
2235
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2236run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2237 "$P_SRV key_file=data_files/server5.key \
2238 crt_file=data_files/server5.eku-srv.crt" \
2239 "$P_CLI" \
2240 0
2241
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2242run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2243 "$P_SRV key_file=data_files/server5.key \
2244 crt_file=data_files/server5.eku-cs_any.crt" \
2245 "$P_CLI" \
2246 0
2247
2248# add psk to leave an option for client to send SERVERQUIT
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2249run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2250 "$P_SRV psk=abc123 key_file=data_files/server5.key \
2251 crt_file=data_files/server5.eku-cli.crt" \
2252 "$P_CLI psk=badbad" \
2253 1
2254
2255# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2256
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2257run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2258 "$O_SRV -key data_files/server5.key \
2259 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2260 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2261 0 \
2262 -C "bad certificate (usage extensions)" \
2263 -C "Processing of the Certificate handshake message failed" \
2264 -c "Ciphersuite is TLS-"
2265
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2266run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2267 "$O_SRV -key data_files/server5.key \
2268 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2269 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2270 0 \
2271 -C "bad certificate (usage extensions)" \
2272 -C "Processing of the Certificate handshake message failed" \
2273 -c "Ciphersuite is TLS-"
2274
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2275run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2276 "$O_SRV -key data_files/server5.key \
2277 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2278 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2279 0 \
2280 -C "bad certificate (usage extensions)" \
2281 -C "Processing of the Certificate handshake message failed" \
2282 -c "Ciphersuite is TLS-"
2283
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2284run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2285 "$O_SRV -key data_files/server5.key \
2286 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2287 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2288 1 \
2289 -c "bad certificate (usage extensions)" \
2290 -c "Processing of the Certificate handshake message failed" \
2291 -C "Ciphersuite is TLS-"
2292
2293# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2294
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2295run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2296 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2297 "$O_CLI -key data_files/server5.key \
2298 -cert data_files/server5.eku-cli.crt" \
2299 0 \
2300 -S "bad certificate (usage extensions)" \
2301 -S "Processing of the Certificate handshake message failed"
2302
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2303run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2304 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2305 "$O_CLI -key data_files/server5.key \
2306 -cert data_files/server5.eku-srv_cli.crt" \
2307 0 \
2308 -S "bad certificate (usage extensions)" \
2309 -S "Processing of the Certificate handshake message failed"
2310
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2311run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2312 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2313 "$O_CLI -key data_files/server5.key \
2314 -cert data_files/server5.eku-cs_any.crt" \
2315 0 \
2316 -S "bad certificate (usage extensions)" \
2317 -S "Processing of the Certificate handshake message failed"
2318
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2319run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2320 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2321 "$O_CLI -key data_files/server5.key \
2322 -cert data_files/server5.eku-cs.crt" \
2323 0 \
2324 -s "bad certificate (usage extensions)" \
2325 -S "Processing of the Certificate handshake message failed"
2326
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2327run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2328 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2329 "$O_CLI -key data_files/server5.key \
2330 -cert data_files/server5.eku-cs.crt" \
2331 1 \
2332 -s "bad certificate (usage extensions)" \
2333 -s "Processing of the Certificate handshake message failed"
2334
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2335# Tests for DHM parameters loading
2336
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2337run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2338 "$P_SRV" \
2339 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2340 debug_level=3" \
2341 0 \
2342 -c "value of 'DHM: P ' (2048 bits)" \
2343 -c "value of 'DHM: G ' (2048 bits)"
2344
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2345run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2346 "$P_SRV dhm_file=data_files/dhparams.pem" \
2347 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2348 debug_level=3" \
2349 0 \
2350 -c "value of 'DHM: P ' (1024 bits)" \
2351 -c "value of 'DHM: G ' (2 bits)"
2352
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2353# Tests for PSK callback
2354
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2355run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2356 "$P_SRV psk=abc123 psk_identity=foo" \
2357 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2358 psk_identity=foo psk=abc123" \
2359 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2360 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2361 -S "SSL - Unknown identity received" \
2362 -S "SSL - Verification of the message MAC failed"
2363
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2364run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2365 "$P_SRV" \
2366 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2367 psk_identity=foo psk=abc123" \
2368 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2369 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2370 -S "SSL - Unknown identity received" \
2371 -S "SSL - Verification of the message MAC failed"
2372
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2373run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2374 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2375 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2376 psk_identity=foo psk=abc123" \
2377 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2378 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2379 -s "SSL - Unknown identity received" \
2380 -S "SSL - Verification of the message MAC failed"
2381
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2382run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2383 "$P_SRV psk_list=abc,dead,def,beef" \
2384 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2385 psk_identity=abc psk=dead" \
2386 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2387 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2388 -S "SSL - Unknown identity received" \
2389 -S "SSL - Verification of the message MAC failed"
2390
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2391run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2392 "$P_SRV psk_list=abc,dead,def,beef" \
2393 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2394 psk_identity=def psk=beef" \
2395 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2396 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2397 -S "SSL - Unknown identity received" \
2398 -S "SSL - Verification of the message MAC failed"
2399
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2400run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2401 "$P_SRV psk_list=abc,dead,def,beef" \
2402 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2403 psk_identity=ghi psk=beef" \
2404 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2405 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2406 -s "SSL - Unknown identity received" \
2407 -S "SSL - Verification of the message MAC failed"
2408
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2409run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2410 "$P_SRV psk_list=abc,dead,def,beef" \
2411 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2412 psk_identity=abc psk=beef" \
2413 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2414 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2415 -S "SSL - Unknown identity received" \
2416 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2417
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2418# Tests for ciphersuites per version
2419
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2420requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2421run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2422 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2423 "$P_CLI force_version=ssl3" \
2424 0 \
2425 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
2426
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2427run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2428 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
2429 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2430 0 \
2431 -c "Ciphersuite is TLS-RSA-WITH-RC4-128-SHA"
2432
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2433run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2434 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
2435 "$P_CLI force_version=tls1_1" \
2436 0 \
2437 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
2438
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2439run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2440 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
2441 "$P_CLI force_version=tls1_2" \
2442 0 \
2443 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
2444
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2445# Tests for ssl_get_bytes_avail()
2446
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2447run_test "ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2448 "$P_SRV" \
2449 "$P_CLI request_size=100" \
2450 0 \
2451 -s "Read from client: 100 bytes read$"
2452
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2453run_test "ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2454 "$P_SRV" \
2455 "$P_CLI request_size=500" \
2456 0 \
2457 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2458
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2459# Tests for small packets
2460
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2461requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2462run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2463 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2464 "$P_CLI request_size=1 force_version=ssl3 \
2465 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2466 0 \
2467 -s "Read from client: 1 bytes read"
2468
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2469requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2470run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2471 "$P_SRV min_version=ssl3 arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2472 "$P_CLI request_size=1 force_version=ssl3 \
2473 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2474 0 \
2475 -s "Read from client: 1 bytes read"
2476
2477run_test "Small packet TLS 1.0 BlockCipher" \
2478 "$P_SRV" \
2479 "$P_CLI request_size=1 force_version=tls1 \
2480 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2481 0 \
2482 -s "Read from client: 1 bytes read"
2483
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]2484run_test "Small packet TLS 1.0 BlockCipher without EtM" \
2485 "$P_SRV" \
2486 "$P_CLI request_size=1 force_version=tls1 etm=0 \
2487 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2488 0 \
2489 -s "Read from client: 1 bytes read"
2490
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2491run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
2492 "$P_SRV" \
2493 "$P_CLI request_size=1 force_version=tls1 \
2494 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2495 trunc_hmac=1" \
2496 0 \
2497 -s "Read from client: 1 bytes read"
2498
2499run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2500 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2501 "$P_CLI request_size=1 force_version=tls1 \
2502 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2503 trunc_hmac=1" \
2504 0 \
2505 -s "Read from client: 1 bytes read"
2506
2507run_test "Small packet TLS 1.1 BlockCipher" \
2508 "$P_SRV" \
2509 "$P_CLI request_size=1 force_version=tls1_1 \
2510 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2511 0 \
2512 -s "Read from client: 1 bytes read"
2513
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]2514run_test "Small packet TLS 1.1 BlockCipher without EtM" \
2515 "$P_SRV" \
2516 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
2517 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2518 0 \
2519 -s "Read from client: 1 bytes read"
2520
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2521run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2522 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2523 "$P_CLI request_size=1 force_version=tls1_1 \
2524 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2525 0 \
2526 -s "Read from client: 1 bytes read"
2527
2528run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
2529 "$P_SRV" \
2530 "$P_CLI request_size=1 force_version=tls1_1 \
2531 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2532 trunc_hmac=1" \
2533 0 \
2534 -s "Read from client: 1 bytes read"
2535
2536run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2537 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2538 "$P_CLI request_size=1 force_version=tls1_1 \
2539 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2540 trunc_hmac=1" \
2541 0 \
2542 -s "Read from client: 1 bytes read"
2543
2544run_test "Small packet TLS 1.2 BlockCipher" \
2545 "$P_SRV" \
2546 "$P_CLI request_size=1 force_version=tls1_2 \
2547 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2548 0 \
2549 -s "Read from client: 1 bytes read"
2550
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]2551run_test "Small packet TLS 1.2 BlockCipher without EtM" \
2552 "$P_SRV" \
2553 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
2554 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2555 0 \
2556 -s "Read from client: 1 bytes read"
2557
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2558run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
2559 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2560 "$P_CLI request_size=1 force_version=tls1_2 \
2561 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2562 0 \
2563 -s "Read from client: 1 bytes read"
2564
2565run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
2566 "$P_SRV" \
2567 "$P_CLI request_size=1 force_version=tls1_2 \
2568 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2569 trunc_hmac=1" \
2570 0 \
2571 -s "Read from client: 1 bytes read"
2572
2573run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2574 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2575 "$P_CLI request_size=1 force_version=tls1_2 \
2576 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2577 0 \
2578 -s "Read from client: 1 bytes read"
2579
2580run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2581 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2582 "$P_CLI request_size=1 force_version=tls1_2 \
2583 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2584 trunc_hmac=1" \
2585 0 \
2586 -s "Read from client: 1 bytes read"
2587
2588run_test "Small packet TLS 1.2 AEAD" \
2589 "$P_SRV" \
2590 "$P_CLI request_size=1 force_version=tls1_2 \
2591 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
2592 0 \
2593 -s "Read from client: 1 bytes read"
2594
2595run_test "Small packet TLS 1.2 AEAD shorter tag" \
2596 "$P_SRV" \
2597 "$P_CLI request_size=1 force_version=tls1_2 \
2598 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
2599 0 \
2600 -s "Read from client: 1 bytes read"
2601
Janos Follath8abaa8b2016-05-06 13:48:23 +0100[diff] [blame]2602# A test for extensions in SSLv3
2603
Hanno Becker6fd6d242017-05-25 17:51:31 +0100[diff] [blame]2604requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Janos Follath8abaa8b2016-05-06 13:48:23 +0100[diff] [blame]2605run_test "SSLv3 with extensions, server side" \
2606 "$P_SRV min_version=ssl3 debug_level=3" \
2607 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
2608 0 \
2609 -S "dumping 'client hello extensions'" \
2610 -S "server hello, total extension length:"
2611
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2612# Test for large packets
2613
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2614requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2615run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2616 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2617 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2618 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2619 0 \
2620 -s "Read from client: 16384 bytes read"
2621
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2622requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2623run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2624 "$P_SRV min_version=ssl3 arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2625 "$P_CLI request_size=16384 force_version=ssl3 \
2626 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2627 0 \
2628 -s "Read from client: 16384 bytes read"
2629
2630run_test "Large packet TLS 1.0 BlockCipher" \
2631 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2632 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2633 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2634 0 \
2635 -s "Read from client: 16384 bytes read"
2636
2637run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
2638 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2639 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2640 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2641 trunc_hmac=1" \
2642 0 \
2643 -s "Read from client: 16384 bytes read"
2644
2645run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2646 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2647 "$P_CLI request_size=16384 force_version=tls1 \
2648 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2649 trunc_hmac=1" \
2650 0 \
2651 -s "Read from client: 16384 bytes read"
2652
2653run_test "Large packet TLS 1.1 BlockCipher" \
2654 "$P_SRV" \
2655 "$P_CLI request_size=16384 force_version=tls1_1 \
2656 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2657 0 \
2658 -s "Read from client: 16384 bytes read"
2659
2660run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2661 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2662 "$P_CLI request_size=16384 force_version=tls1_1 \
2663 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2664 0 \
2665 -s "Read from client: 16384 bytes read"
2666
2667run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
2668 "$P_SRV" \
2669 "$P_CLI request_size=16384 force_version=tls1_1 \
2670 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2671 trunc_hmac=1" \
2672 0 \
2673 -s "Read from client: 16384 bytes read"
2674
2675run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2676 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2677 "$P_CLI request_size=16384 force_version=tls1_1 \
2678 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2679 trunc_hmac=1" \
2680 0 \
2681 -s "Read from client: 16384 bytes read"
2682
2683run_test "Large packet TLS 1.2 BlockCipher" \
2684 "$P_SRV" \
2685 "$P_CLI request_size=16384 force_version=tls1_2 \
2686 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2687 0 \
2688 -s "Read from client: 16384 bytes read"
2689
2690run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
2691 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2692 "$P_CLI request_size=16384 force_version=tls1_2 \
2693 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2694 0 \
2695 -s "Read from client: 16384 bytes read"
2696
2697run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
2698 "$P_SRV" \
2699 "$P_CLI request_size=16384 force_version=tls1_2 \
2700 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2701 trunc_hmac=1" \
2702 0 \
2703 -s "Read from client: 16384 bytes read"
2704
2705run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2706 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2707 "$P_CLI request_size=16384 force_version=tls1_2 \
2708 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2709 0 \
2710 -s "Read from client: 16384 bytes read"
2711
2712run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2713 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2714 "$P_CLI request_size=16384 force_version=tls1_2 \
2715 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2716 trunc_hmac=1" \
2717 0 \
2718 -s "Read from client: 16384 bytes read"
2719
2720run_test "Large packet TLS 1.2 AEAD" \
2721 "$P_SRV" \
2722 "$P_CLI request_size=16384 force_version=tls1_2 \
2723 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
2724 0 \
2725 -s "Read from client: 16384 bytes read"
2726
2727run_test "Large packet TLS 1.2 AEAD shorter tag" \
2728 "$P_SRV" \
2729 "$P_CLI request_size=16384 force_version=tls1_2 \
2730 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
2731 0 \
2732 -s "Read from client: 16384 bytes read"
2733
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2734# Final report
2735
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2736echo "------------------------------------------------------------------------"
2737
2738if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]2739 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2740else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]2741 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2742fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]2743PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]2744echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2745
2746exit $FAILS