TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 99d67823a2b46a3de8f9df3fb2d332c710096b16 / . / tests / ssl-opt.sh
blob: 4c8d3566daff05452b32596ef5d81281362e3e80 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# Copyright (c) 2016, ARM Limited, All Rights Reserved
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame]6# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7#
8# This file is provided under the Apache License 2.0, or the
9# GNU General Public License v2.0 or later.
10#
11# **********
12# Apache License 2.0:
Bence Szépkúti09b4f192020-05-26 01:54:15 +0200[diff] [blame]13#
14# Licensed under the Apache License, Version 2.0 (the "License"); you may
15# not use this file except in compliance with the License.
16# You may obtain a copy of the License at
17#
18# http://www.apache.org/licenses/LICENSE-2.0
19#
20# Unless required by applicable law or agreed to in writing, software
21# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23# See the License for the specific language governing permissions and
24# limitations under the License.
25#
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame]26# **********
27#
28# **********
29# GNU General Public License v2.0 or later:
30#
31# This program is free software; you can redistribute it and/or modify
32# it under the terms of the GNU General Public License as published by
33# the Free Software Foundation; either version 2 of the License, or
34# (at your option) any later version.
35#
36# This program is distributed in the hope that it will be useful,
37# but WITHOUT ANY WARRANTY; without even the implied warranty of
38# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
39# GNU General Public License for more details.
40#
41# You should have received a copy of the GNU General Public License along
42# with this program; if not, write to the Free Software Foundation, Inc.,
43# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44#
45# **********
46#
Bence Szépkúti09b4f192020-05-26 01:54:15 +0200[diff] [blame]47# This file is part of Mbed TLS (https://tls.mbed.org)
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]48#
49# Purpose
50#
51# Executes tests to prove various TLS/SSL options and extensions.
52#
53# The goal is not to cover every ciphersuite/version, but instead to cover
54# specific options (max fragment length, truncated hmac, etc) or procedures
55# (session resumption from cache or ticket, renego, etc).
56#
57# The tests assume a build with default options, with exceptions expressed
58# with a dependency. The tests focus on functionality and do not consider
59# performance.
60#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]61
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]62set -u
63
Jaeden Amero34730912019-07-03 13:51:04 +0100[diff] [blame]64# Limit the size of each log to 10 GiB, in case of failures with this script
65# where it may output seemingly unlimited length error logs.
66ulimit -f 20971520
67
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]68# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]69: ${P_SRV:=../programs/ssl/ssl_server2}
70: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]71: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]72: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]73: ${GNUTLS_CLI:=gnutls-cli}
74: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]75: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]76
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]77O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]78O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]79G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard179c2272020-02-03 15:37:47 +0100[diff] [blame]80G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12u.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]81TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]82
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]83TESTS=0
84FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]85SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]86
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]87CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]88
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]89MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]90FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]91EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]92
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]93SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]94RUN_TEST_NUMBER=''
95
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]96PRESERVE_LOGS=0
97
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]98# Pick a "unique" server port in the range 10000-19999, and a proxy
99# port which is this plus 10000. Each port number may be independently
100# overridden by a command line option.
101SRV_PORT=$(($$ % 10000 + 10000))
102PXY_PORT=$((SRV_PORT + 10000))
103
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104print_usage() {
105 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]106 printf " -h|--help\tPrint this help.\n"
107 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]108 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
109 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]110 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]111 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]112 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]113 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
114 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]115 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]116}
117
118get_options() {
119 while [ $# -gt 0 ]; do
120 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]121 -f|--filter)
122 shift; FILTER=$1
123 ;;
124 -e|--exclude)
125 shift; EXCLUDE=$1
126 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]127 -m|--memcheck)
128 MEMCHECK=1
129 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]130 -n|--number)
131 shift; RUN_TEST_NUMBER=$1
132 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]133 -s|--show-numbers)
134 SHOW_TEST_NUMBER=1
135 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]136 -p|--preserve-logs)
137 PRESERVE_LOGS=1
138 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]139 --port)
140 shift; SRV_PORT=$1
141 ;;
142 --proxy-port)
143 shift; PXY_PORT=$1
144 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]145 --seed)
146 shift; SEED="$1"
147 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]148 -h|--help)
149 print_usage
150 exit 0
151 ;;
152 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]153 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]154 print_usage
155 exit 1
156 ;;
157 esac
158 shift
159 done
160}
161
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]162# skip next test if the flag is not enabled in config.h
163requires_config_enabled() {
164 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
165 SKIP_NEXT="YES"
166 fi
167}
168
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]169# skip next test if the flag is enabled in config.h
170requires_config_disabled() {
171 if grep "^#define $1" $CONFIG_H > /dev/null; then
172 SKIP_NEXT="YES"
173 fi
174}
175
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]176# skip next test if OpenSSL doesn't support FALLBACK_SCSV
177requires_openssl_with_fallback_scsv() {
178 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
179 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
180 then
181 OPENSSL_HAS_FBSCSV="YES"
182 else
183 OPENSSL_HAS_FBSCSV="NO"
184 fi
185 fi
186 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
187 SKIP_NEXT="YES"
188 fi
189}
190
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]191# skip next test if GnuTLS isn't available
192requires_gnutls() {
193 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]194 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]195 GNUTLS_AVAILABLE="YES"
196 else
197 GNUTLS_AVAILABLE="NO"
198 fi
199 fi
200 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
201 SKIP_NEXT="YES"
202 fi
203}
204
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]205# skip next test if IPv6 isn't available on this host
206requires_ipv6() {
207 if [ -z "${HAS_IPV6:-}" ]; then
208 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
209 SRV_PID=$!
210 sleep 1
211 kill $SRV_PID >/dev/null 2>&1
212 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
213 HAS_IPV6="NO"
214 else
215 HAS_IPV6="YES"
216 fi
217 rm -r $SRV_OUT
218 fi
219
220 if [ "$HAS_IPV6" = "NO" ]; then
221 SKIP_NEXT="YES"
222 fi
223}
224
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]225# skip the next test if valgrind is in use
226not_with_valgrind() {
227 if [ "$MEMCHECK" -gt 0 ]; then
228 SKIP_NEXT="YES"
229 fi
230}
231
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]232# skip the next test if valgrind is NOT in use
233only_with_valgrind() {
234 if [ "$MEMCHECK" -eq 0 ]; then
235 SKIP_NEXT="YES"
236 fi
237}
238
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]239# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]240client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]241 CLI_DELAY_FACTOR=$1
242}
243
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]244# wait for the given seconds after the client finished in the next test
245server_needs_more_time() {
246 SRV_DELAY_SECONDS=$1
247}
248
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]249# print_name <name>
250print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]251 TESTS=$(( $TESTS + 1 ))
252 LINE=""
253
254 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
255 LINE="$TESTS "
256 fi
257
258 LINE="$LINE$1"
259 printf "$LINE "
260 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]261 for i in `seq 1 $LEN`; do printf '.'; done
262 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]263
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]264}
265
266# fail <message>
267fail() {
268 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]269 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]270
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]271 mv $SRV_OUT o-srv-${TESTS}.log
272 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]273 if [ -n "$PXY_CMD" ]; then
274 mv $PXY_OUT o-pxy-${TESTS}.log
275 fi
276 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]277
Azim Khan03da1212018-03-29 11:04:20 +0100[diff] [blame]278 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]279 echo " ! server output:"
280 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]281 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]282 echo " ! client output:"
283 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]284 if [ -n "$PXY_CMD" ]; then
285 echo " ! ========================================================"
286 echo " ! proxy output:"
287 cat o-pxy-${TESTS}.log
288 fi
289 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]290 fi
291
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]292 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]293}
294
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]295# is_polar <cmd_line>
296is_polar() {
297 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
298}
299
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]300# openssl s_server doesn't have -www with DTLS
301check_osrv_dtls() {
302 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
303 NEEDS_INPUT=1
304 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
305 else
306 NEEDS_INPUT=0
307 fi
308}
309
310# provide input to commands that need it
311provide_input() {
312 if [ $NEEDS_INPUT -eq 0 ]; then
313 return
314 fi
315
316 while true; do
317 echo "HTTP/1.0 200 OK"
318 sleep 1
319 done
320}
321
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]322# has_mem_err <log_file_name>
323has_mem_err() {
324 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
325 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
326 then
327 return 1 # false: does not have errors
328 else
329 return 0 # true: has errors
330 fi
331}
332
Unknownb86bcb42019-09-02 10:42:57 -0400[diff] [blame]333# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]334if type lsof >/dev/null 2>/dev/null; then
Unknownb86bcb42019-09-02 10:42:57 -0400[diff] [blame]335 wait_app_start() {
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]336 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]337 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]338 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]339 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]340 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]341 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]342 # Make a tight loop, server normally takes less than 1s to start.
343 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
344 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknownb86bcb42019-09-02 10:42:57 -0400[diff] [blame]345 echo "$3 START TIMEOUT"
346 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]347 break
348 fi
349 # Linux and *BSD support decimal arguments to sleep. On other
350 # OSes this may be a tight loop.
351 sleep 0.1 2>/dev/null || true
352 done
353 }
354else
Unknownb86bcb42019-09-02 10:42:57 -0400[diff] [blame]355 echo "Warning: lsof not available, wait_app_start = sleep"
356 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]357 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]358 }
359fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]360
Unknownb86bcb42019-09-02 10:42:57 -0400[diff] [blame]361# Wait for server process $2 to be listening on port $1.
362wait_server_start() {
363 wait_app_start $1 $2 "SERVER" $SRV_OUT
364}
365
366# Wait for proxy process $2 to be listening on port $1.
367wait_proxy_start() {
368 wait_app_start $1 $2 "PROXY" $PXY_OUT
369}
370
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]371# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]372# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]373# acceptable bounds
374check_server_hello_time() {
375 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]376 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]377 # Get the Unix timestamp for now
378 CUR_TIME=$(date +'%s')
379 THRESHOLD_IN_SECS=300
380
381 # Check if the ServerHello time was printed
382 if [ -z "$SERVER_HELLO_TIME" ]; then
383 return 1
384 fi
385
386 # Check the time in ServerHello is within acceptable bounds
387 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
388 # The time in ServerHello is at least 5 minutes before now
389 return 1
390 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]391 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]392 return 1
393 else
394 return 0
395 fi
396}
397
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]398# wait for client to terminate and set CLI_EXIT
399# must be called right after starting the client
400wait_client_done() {
401 CLI_PID=$!
402
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]403 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
404 CLI_DELAY_FACTOR=1
405
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]406 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]407 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]408
409 wait $CLI_PID
410 CLI_EXIT=$?
411
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]412 kill $DOG_PID >/dev/null 2>&1
413 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]414
415 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]416
417 sleep $SRV_DELAY_SECONDS
418 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]419}
420
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]421# check if the given command uses dtls and sets global variable DTLS
422detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]423 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]424 DTLS=1
425 else
426 DTLS=0
427 fi
428}
429
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]430# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]431# Options: -s pattern pattern that must be present in server output
432# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]433# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]434# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]435# -S pattern pattern that must be absent in server output
436# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]437# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]438# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]439run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]440 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]441 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]442
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]443 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
444 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]445 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]446 return
447 fi
448
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]449 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]450
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]451 # Do we only run numbered tests?
452 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
453 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
454 else
455 SKIP_NEXT="YES"
456 fi
457
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]458 # should we skip?
459 if [ "X$SKIP_NEXT" = "XYES" ]; then
460 SKIP_NEXT="NO"
461 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]462 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]463 return
464 fi
465
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]466 # does this test use a proxy?
467 if [ "X$1" = "X-p" ]; then
468 PXY_CMD="$2"
469 shift 2
470 else
471 PXY_CMD=""
472 fi
473
474 # get commands and client output
475 SRV_CMD="$1"
476 CLI_CMD="$2"
477 CLI_EXPECT="$3"
478 shift 3
479
480 # fix client port
481 if [ -n "$PXY_CMD" ]; then
482 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
483 else
484 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
485 fi
486
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]487 # update DTLS variable
488 detect_dtls "$SRV_CMD"
489
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]490 # prepend valgrind to our commands if active
491 if [ "$MEMCHECK" -gt 0 ]; then
492 if is_polar "$SRV_CMD"; then
493 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
494 fi
495 if is_polar "$CLI_CMD"; then
496 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
497 fi
498 fi
499
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]500 TIMES_LEFT=2
501 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]502 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]503
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]504 # run the commands
505 if [ -n "$PXY_CMD" ]; then
506 echo "$PXY_CMD" > $PXY_OUT
507 $PXY_CMD >> $PXY_OUT 2>&1 &
508 PXY_PID=$!
Unknownb86bcb42019-09-02 10:42:57 -0400[diff] [blame]509 wait_proxy_start "$PXY_PORT" "$PXY_PID"
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]510 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]511
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]512 check_osrv_dtls
513 echo "$SRV_CMD" > $SRV_OUT
514 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
515 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]516 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]517
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]518 echo "$CLI_CMD" > $CLI_OUT
519 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
520 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]521
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]522 # terminate the server (and the proxy)
523 kill $SRV_PID
524 wait $SRV_PID
525 if [ -n "$PXY_CMD" ]; then
526 kill $PXY_PID >/dev/null 2>&1
527 wait $PXY_PID
528 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]529
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]530 # retry only on timeouts
531 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
532 printf "RETRY "
533 else
534 TIMES_LEFT=0
535 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]536 done
537
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]538 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]539 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]540 # expected client exit to incorrectly succeed in case of catastrophic
541 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]542 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]543 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]544 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]545 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]546 return
547 fi
548 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]549 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]550 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]551 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]552 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]553 return
554 fi
555 fi
556
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]557 # check server exit code
558 if [ $? != 0 ]; then
559 fail "server fail"
560 return
561 fi
562
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]563 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]564 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
565 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]566 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]567 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]568 return
569 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]570
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]571 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]572 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]573 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]574 while [ $# -gt 0 ]
575 do
576 case $1 in
577 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]578 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]579 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]580 return
581 fi
582 ;;
583
584 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]585 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]586 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]587 return
588 fi
589 ;;
590
591 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]592 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]593 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]594 return
595 fi
596 ;;
597
598 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]599 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]600 fail "pattern '$2' MUST NOT be present in the Client output"
601 return
602 fi
603 ;;
604
605 # The filtering in the following two options (-u and -U) do the following
606 # - ignore valgrind output
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]607 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]608 # - keep one of each non-unique line
609 # - count how many lines remain
610 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
611 # if there were no duplicates.
612 "-U")
613 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
614 fail "lines following pattern '$2' must be unique in Server output"
615 return
616 fi
617 ;;
618
619 "-u")
620 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
621 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]622 return
623 fi
624 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]625 "-F")
626 if ! $2 "$SRV_OUT"; then
627 fail "function call to '$2' failed on Server output"
628 return
629 fi
630 ;;
631 "-f")
632 if ! $2 "$CLI_OUT"; then
633 fail "function call to '$2' failed on Client output"
634 return
635 fi
636 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]637
638 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]639 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]640 exit 1
641 esac
642 shift 2
643 done
644
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]645 # check valgrind's results
646 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]647 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]648 fail "Server has memory errors"
649 return
650 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]651 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]652 fail "Client has memory errors"
653 return
654 fi
655 fi
656
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]657 # if we're here, everything is ok
658 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]659 if [ "$PRESERVE_LOGS" -gt 0 ]; then
660 mv $SRV_OUT o-srv-${TESTS}.log
661 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Beckerdc6c0e42018-08-20 12:21:35 +0100[diff] [blame]662 if [ -n "$PXY_CMD" ]; then
663 mv $PXY_OUT o-pxy-${TESTS}.log
664 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]665 fi
666
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]667 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]668}
669
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]670cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]671 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]672 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
673 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
674 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
675 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]676 exit 1
677}
678
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]679#
680# MAIN
681#
682
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]683if cd $( dirname $0 ); then :; else
684 echo "cd $( dirname $0 ) failed" >&2
685 exit 1
686fi
687
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]688get_options "$@"
689
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]690# sanity checks, avoid an avalanche of errors
691if [ ! -x "$P_SRV" ]; then
692 echo "Command '$P_SRV' is not an executable file"
693 exit 1
694fi
695if [ ! -x "$P_CLI" ]; then
696 echo "Command '$P_CLI' is not an executable file"
697 exit 1
698fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]699if [ ! -x "$P_PXY" ]; then
700 echo "Command '$P_PXY' is not an executable file"
701 exit 1
702fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]703if [ "$MEMCHECK" -gt 0 ]; then
704 if which valgrind >/dev/null 2>&1; then :; else
705 echo "Memcheck not possible. Valgrind not found"
706 exit 1
707 fi
708fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]709if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
710 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]711 exit 1
712fi
713
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]714# used by watchdog
715MAIN_PID="$$"
716
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]717# We use somewhat arbitrary delays for tests:
718# - how long do we wait for the server to start (when lsof not available)?
719# - how long do we allow for the client to finish?
720# (not to check performance, just to avoid waiting indefinitely)
721# Things are slower with valgrind, so give extra time here.
722#
723# Note: without lsof, there is a trade-off between the running time of this
724# script and the risk of spurious errors because we didn't wait long enough.
725# The watchdog delay on the other hand doesn't affect normal running time of
726# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]727if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]728 START_DELAY=6
729 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]730else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]731 START_DELAY=2
732 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]733fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]734
735# some particular tests need more time:
736# - for the client, we multiply the usual watchdog limit by a factor
737# - for the server, we sleep for a number of seconds after the client exits
738# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]739CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]740SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]741
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]742# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]743# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]744P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
745P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]746P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]747O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]748O_CLI="$O_CLI -connect localhost:+SRV_PORT"
749G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]750G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]751
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]752# Allow SHA-1, because many of our test certificates use it
753P_SRV="$P_SRV allow_sha1=1"
754P_CLI="$P_CLI allow_sha1=1"
755
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]756# Also pick a unique name for intermediate files
757SRV_OUT="srv_out.$$"
758CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]759PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]760SESSION="session.$$"
761
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]762SKIP_NEXT="NO"
763
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]764trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]765
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]766# Basic test
767
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]768# Checks that:
769# - things work with all ciphersuites active (used with config-full in all.sh)
770# - the expected (highest security) parameters are selected
771# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]772run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]773 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]774 "$P_CLI" \
775 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]776 -s "Protocol is TLSv1.2" \
777 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
778 -s "client hello v3, signature_algorithm ext: 6" \
779 -s "ECDHE curve: secp521r1" \
780 -S "error" \
781 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]782
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]783run_test "Default, DTLS" \
784 "$P_SRV dtls=1" \
785 "$P_CLI dtls=1" \
786 0 \
787 -s "Protocol is DTLSv1.2" \
788 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
789
Manuel Pégourié-Gonnard45575512020-01-02 11:58:00 +0100[diff] [blame]790requires_config_enabled MBEDTLS_ZLIB_SUPPORT
791run_test "Default (compression enabled)" \
792 "$P_SRV debug_level=3" \
793 "$P_CLI debug_level=3" \
794 0 \
795 -s "Allocating compression buffer" \
796 -c "Allocating compression buffer" \
797 -s "Record expansion is unknown (compression)" \
798 -c "Record expansion is unknown (compression)" \
799 -S "error" \
800 -C "error"
801
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]802# Test current time in ServerHello
803requires_config_enabled MBEDTLS_HAVE_TIME
804run_test "Default, ServerHello contains gmt_unix_time" \
805 "$P_SRV debug_level=3" \
806 "$P_CLI debug_level=3" \
807 0 \
808 -s "Protocol is TLSv1.2" \
809 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
810 -s "client hello v3, signature_algorithm ext: 6" \
811 -s "ECDHE curve: secp521r1" \
812 -S "error" \
813 -C "error" \
814 -f "check_server_hello_time" \
815 -F "check_server_hello_time"
816
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]817# Test for uniqueness of IVs in AEAD ciphersuites
818run_test "Unique IV in GCM" \
819 "$P_SRV exchanges=20 debug_level=4" \
820 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
821 0 \
822 -u "IV used" \
823 -U "IV used"
824
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]825# Tests for rc4 option
826
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]827requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]828run_test "RC4: server disabled, client enabled" \
829 "$P_SRV" \
830 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
831 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]832 -s "SSL - The server has no ciphersuites in common"
833
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]834requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]835run_test "RC4: server half, client enabled" \
836 "$P_SRV arc4=1" \
837 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
838 1 \
839 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]840
841run_test "RC4: server enabled, client disabled" \
842 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
843 "$P_CLI" \
844 1 \
845 -s "SSL - The server has no ciphersuites in common"
846
847run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]848 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]849 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
850 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]851 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]852 -S "SSL - The server has no ciphersuites in common"
853
Hanno Becker3a333a52018-08-17 09:54:10 +0100[diff] [blame]854# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
855
856requires_gnutls
857requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
858run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
859 "$G_SRV"\
860 "$P_CLI force_version=tls1_1" \
861 0
862
863requires_gnutls
864requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
865run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
866 "$G_SRV"\
867 "$P_CLI force_version=tls1" \
868 0
869
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]870# Tests for SHA-1 support
871
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]872requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]873run_test "SHA-1 forbidden by default in server certificate" \
874 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
875 "$P_CLI debug_level=2 allow_sha1=0" \
876 1 \
877 -c "The certificate is signed with an unacceptable hash"
878
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]879requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
880run_test "SHA-1 forbidden by default in server certificate" \
881 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
882 "$P_CLI debug_level=2 allow_sha1=0" \
883 0
884
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]885run_test "SHA-1 explicitly allowed in server certificate" \
886 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
887 "$P_CLI allow_sha1=1" \
888 0
889
890run_test "SHA-256 allowed by default in server certificate" \
891 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
892 "$P_CLI allow_sha1=0" \
893 0
894
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]895requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]896run_test "SHA-1 forbidden by default in client certificate" \
897 "$P_SRV auth_mode=required allow_sha1=0" \
898 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
899 1 \
900 -s "The certificate is signed with an unacceptable hash"
901
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]902requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
903run_test "SHA-1 forbidden by default in client certificate" \
904 "$P_SRV auth_mode=required allow_sha1=0" \
905 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
906 0
907
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]908run_test "SHA-1 explicitly allowed in client certificate" \
909 "$P_SRV auth_mode=required allow_sha1=1" \
910 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
911 0
912
913run_test "SHA-256 allowed by default in client certificate" \
914 "$P_SRV auth_mode=required allow_sha1=0" \
915 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
916 0
917
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]918# Tests for Truncated HMAC extension
919
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]920run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]921 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]922 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]923 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]924 -s "dumping 'expected mac' (20 bytes)" \
925 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]926
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]927requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]928run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]929 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]930 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]931 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]932 -s "dumping 'expected mac' (20 bytes)" \
933 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]934
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]935requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]936run_test "Truncated HMAC: client enabled, server default" \
937 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]938 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]939 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]940 -s "dumping 'expected mac' (20 bytes)" \
941 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]942
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]943requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]944run_test "Truncated HMAC: client enabled, server disabled" \
945 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]946 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]947 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]948 -s "dumping 'expected mac' (20 bytes)" \
949 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]950
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]951requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]952run_test "Truncated HMAC: client disabled, server enabled" \
953 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]954 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]955 0 \
956 -s "dumping 'expected mac' (20 bytes)" \
957 -S "dumping 'expected mac' (10 bytes)"
958
959requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]960run_test "Truncated HMAC: client enabled, server enabled" \
961 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]962 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]963 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]964 -S "dumping 'expected mac' (20 bytes)" \
965 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]966
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]967run_test "Truncated HMAC, DTLS: client default, server default" \
968 "$P_SRV dtls=1 debug_level=4" \
969 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
970 0 \
971 -s "dumping 'expected mac' (20 bytes)" \
972 -S "dumping 'expected mac' (10 bytes)"
973
974requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
975run_test "Truncated HMAC, DTLS: client disabled, server default" \
976 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]977 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]978 0 \
979 -s "dumping 'expected mac' (20 bytes)" \
980 -S "dumping 'expected mac' (10 bytes)"
981
982requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
983run_test "Truncated HMAC, DTLS: client enabled, server default" \
984 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]985 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]986 0 \
987 -s "dumping 'expected mac' (20 bytes)" \
988 -S "dumping 'expected mac' (10 bytes)"
989
990requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
991run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
992 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]993 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]994 0 \
995 -s "dumping 'expected mac' (20 bytes)" \
996 -S "dumping 'expected mac' (10 bytes)"
997
998requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
999run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1000 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1001 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1002 0 \
1003 -s "dumping 'expected mac' (20 bytes)" \
1004 -S "dumping 'expected mac' (10 bytes)"
1005
1006requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1007run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1008 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1009 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1010 0 \
1011 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1012 -s "dumping 'expected mac' (10 bytes)"
1013
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1014# Tests for Encrypt-then-MAC extension
1015
1016run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1017 "$P_SRV debug_level=3 \
1018 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1019 "$P_CLI debug_level=3" \
1020 0 \
1021 -c "client hello, adding encrypt_then_mac extension" \
1022 -s "found encrypt then mac extension" \
1023 -s "server hello, adding encrypt then mac extension" \
1024 -c "found encrypt_then_mac extension" \
1025 -c "using encrypt then mac" \
1026 -s "using encrypt then mac"
1027
1028run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1029 "$P_SRV debug_level=3 etm=0 \
1030 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1031 "$P_CLI debug_level=3 etm=1" \
1032 0 \
1033 -c "client hello, adding encrypt_then_mac extension" \
1034 -s "found encrypt then mac extension" \
1035 -S "server hello, adding encrypt then mac extension" \
1036 -C "found encrypt_then_mac extension" \
1037 -C "using encrypt then mac" \
1038 -S "using encrypt then mac"
1039
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1040run_test "Encrypt then MAC: client enabled, aead cipher" \
1041 "$P_SRV debug_level=3 etm=1 \
1042 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
1043 "$P_CLI debug_level=3 etm=1" \
1044 0 \
1045 -c "client hello, adding encrypt_then_mac extension" \
1046 -s "found encrypt then mac extension" \
1047 -S "server hello, adding encrypt then mac extension" \
1048 -C "found encrypt_then_mac extension" \
1049 -C "using encrypt then mac" \
1050 -S "using encrypt then mac"
1051
1052run_test "Encrypt then MAC: client enabled, stream cipher" \
1053 "$P_SRV debug_level=3 etm=1 \
1054 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1055 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1056 0 \
1057 -c "client hello, adding encrypt_then_mac extension" \
1058 -s "found encrypt then mac extension" \
1059 -S "server hello, adding encrypt then mac extension" \
1060 -C "found encrypt_then_mac extension" \
1061 -C "using encrypt then mac" \
1062 -S "using encrypt then mac"
1063
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1064run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1065 "$P_SRV debug_level=3 etm=1 \
1066 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1067 "$P_CLI debug_level=3 etm=0" \
1068 0 \
1069 -C "client hello, adding encrypt_then_mac extension" \
1070 -S "found encrypt then mac extension" \
1071 -S "server hello, adding encrypt then mac extension" \
1072 -C "found encrypt_then_mac extension" \
1073 -C "using encrypt then mac" \
1074 -S "using encrypt then mac"
1075
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1076requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1077run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1078 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1079 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1080 "$P_CLI debug_level=3 force_version=ssl3" \
1081 0 \
1082 -C "client hello, adding encrypt_then_mac extension" \
1083 -S "found encrypt then mac extension" \
1084 -S "server hello, adding encrypt then mac extension" \
1085 -C "found encrypt_then_mac extension" \
1086 -C "using encrypt then mac" \
1087 -S "using encrypt then mac"
1088
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1089requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1090run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1091 "$P_SRV debug_level=3 force_version=ssl3 \
1092 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1093 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1094 0 \
1095 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1096 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1097 -S "server hello, adding encrypt then mac extension" \
1098 -C "found encrypt_then_mac extension" \
1099 -C "using encrypt then mac" \
1100 -S "using encrypt then mac"
1101
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1102# Tests for Extended Master Secret extension
1103
1104run_test "Extended Master Secret: default" \
1105 "$P_SRV debug_level=3" \
1106 "$P_CLI debug_level=3" \
1107 0 \
1108 -c "client hello, adding extended_master_secret extension" \
1109 -s "found extended master secret extension" \
1110 -s "server hello, adding extended master secret extension" \
1111 -c "found extended_master_secret extension" \
1112 -c "using extended master secret" \
1113 -s "using extended master secret"
1114
1115run_test "Extended Master Secret: client enabled, server disabled" \
1116 "$P_SRV debug_level=3 extended_ms=0" \
1117 "$P_CLI debug_level=3 extended_ms=1" \
1118 0 \
1119 -c "client hello, adding extended_master_secret extension" \
1120 -s "found extended master secret extension" \
1121 -S "server hello, adding extended master secret extension" \
1122 -C "found extended_master_secret extension" \
1123 -C "using extended master secret" \
1124 -S "using extended master secret"
1125
1126run_test "Extended Master Secret: client disabled, server enabled" \
1127 "$P_SRV debug_level=3 extended_ms=1" \
1128 "$P_CLI debug_level=3 extended_ms=0" \
1129 0 \
1130 -C "client hello, adding extended_master_secret extension" \
1131 -S "found extended master secret extension" \
1132 -S "server hello, adding extended master secret extension" \
1133 -C "found extended_master_secret extension" \
1134 -C "using extended master secret" \
1135 -S "using extended master secret"
1136
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1137requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1138run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1139 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1140 "$P_CLI debug_level=3 force_version=ssl3" \
1141 0 \
1142 -C "client hello, adding extended_master_secret extension" \
1143 -S "found extended master secret extension" \
1144 -S "server hello, adding extended master secret extension" \
1145 -C "found extended_master_secret extension" \
1146 -C "using extended master secret" \
1147 -S "using extended master secret"
1148
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1149requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1150run_test "Extended Master Secret: client enabled, server SSLv3" \
1151 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1152 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1153 0 \
1154 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1155 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1156 -S "server hello, adding extended master secret extension" \
1157 -C "found extended_master_secret extension" \
1158 -C "using extended master secret" \
1159 -S "using extended master secret"
1160
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1161# Tests for FALLBACK_SCSV
1162
1163run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1164 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1165 "$P_CLI debug_level=3 force_version=tls1_1" \
1166 0 \
1167 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1168 -S "received FALLBACK_SCSV" \
1169 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1170 -C "is a fatal alert message (msg 86)"
1171
1172run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1173 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1174 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1175 0 \
1176 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1177 -S "received FALLBACK_SCSV" \
1178 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1179 -C "is a fatal alert message (msg 86)"
1180
1181run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1182 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1183 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1184 1 \
1185 -c "adding FALLBACK_SCSV" \
1186 -s "received FALLBACK_SCSV" \
1187 -s "inapropriate fallback" \
1188 -c "is a fatal alert message (msg 86)"
1189
1190run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1191 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1192 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1193 0 \
1194 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1195 -s "received FALLBACK_SCSV" \
1196 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1197 -C "is a fatal alert message (msg 86)"
1198
1199requires_openssl_with_fallback_scsv
1200run_test "Fallback SCSV: default, openssl server" \
1201 "$O_SRV" \
1202 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1203 0 \
1204 -C "adding FALLBACK_SCSV" \
1205 -C "is a fatal alert message (msg 86)"
1206
1207requires_openssl_with_fallback_scsv
1208run_test "Fallback SCSV: enabled, openssl server" \
1209 "$O_SRV" \
1210 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1211 1 \
1212 -c "adding FALLBACK_SCSV" \
1213 -c "is a fatal alert message (msg 86)"
1214
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1215requires_openssl_with_fallback_scsv
1216run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1217 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1218 "$O_CLI -tls1_1" \
1219 0 \
1220 -S "received FALLBACK_SCSV" \
1221 -S "inapropriate fallback"
1222
1223requires_openssl_with_fallback_scsv
1224run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1225 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1226 "$O_CLI -tls1_1 -fallback_scsv" \
1227 1 \
1228 -s "received FALLBACK_SCSV" \
1229 -s "inapropriate fallback"
1230
1231requires_openssl_with_fallback_scsv
1232run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1233 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1234 "$O_CLI -fallback_scsv" \
1235 0 \
1236 -s "received FALLBACK_SCSV" \
1237 -S "inapropriate fallback"
1238
Andres Amaya Garcia14783c42018-07-10 20:08:04 +0100[diff] [blame]1239# Test sending and receiving empty application data records
1240
1241run_test "Encrypt then MAC: empty application data record" \
1242 "$P_SRV auth_mode=none debug_level=4 etm=1" \
1243 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
1244 0 \
1245 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1246 -s "dumping 'input payload after decrypt' (0 bytes)" \
1247 -c "0 bytes written in 1 fragments"
1248
Manuel Pégourié-Gonnardd6e44542020-03-24 10:53:39 +0100[diff] [blame]1249run_test "Encrypt then MAC: disabled, empty application data record" \
Andres Amaya Garcia14783c42018-07-10 20:08:04 +0100[diff] [blame]1250 "$P_SRV auth_mode=none debug_level=4 etm=0" \
1251 "$P_CLI auth_mode=none etm=0 request_size=0" \
1252 0 \
1253 -s "dumping 'input payload after decrypt' (0 bytes)" \
1254 -c "0 bytes written in 1 fragments"
1255
1256run_test "Encrypt then MAC, DTLS: empty application data record" \
1257 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
1258 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
1259 0 \
1260 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1261 -s "dumping 'input payload after decrypt' (0 bytes)" \
1262 -c "0 bytes written in 1 fragments"
1263
Manuel Pégourié-Gonnardd6e44542020-03-24 10:53:39 +0100[diff] [blame]1264run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
Andres Amaya Garcia14783c42018-07-10 20:08:04 +0100[diff] [blame]1265 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
1266 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
1267 0 \
1268 -s "dumping 'input payload after decrypt' (0 bytes)" \
1269 -c "0 bytes written in 1 fragments"
1270
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1271## ClientHello generated with
1272## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1273## then manually twiddling the ciphersuite list.
1274## The ClientHello content is spelled out below as a hex string as
1275## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1276## The expected response is an inappropriate_fallback alert.
1277requires_openssl_with_fallback_scsv
1278run_test "Fallback SCSV: beginning of list" \
1279 "$P_SRV debug_level=2" \
1280 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1281 0 \
1282 -s "received FALLBACK_SCSV" \
1283 -s "inapropriate fallback"
1284
1285requires_openssl_with_fallback_scsv
1286run_test "Fallback SCSV: end of list" \
1287 "$P_SRV debug_level=2" \
1288 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1289 0 \
1290 -s "received FALLBACK_SCSV" \
1291 -s "inapropriate fallback"
1292
1293## Here the expected response is a valid ServerHello prefix, up to the random.
1294requires_openssl_with_fallback_scsv
1295run_test "Fallback SCSV: not in list" \
1296 "$P_SRV debug_level=2" \
1297 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1298 0 \
1299 -S "received FALLBACK_SCSV" \
1300 -S "inapropriate fallback"
1301
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1302# Tests for CBC 1/n-1 record splitting
1303
1304run_test "CBC Record splitting: TLS 1.2, no splitting" \
1305 "$P_SRV" \
1306 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1307 request_size=123 force_version=tls1_2" \
1308 0 \
1309 -s "Read from client: 123 bytes read" \
1310 -S "Read from client: 1 bytes read" \
1311 -S "122 bytes read"
1312
1313run_test "CBC Record splitting: TLS 1.1, no splitting" \
1314 "$P_SRV" \
1315 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1316 request_size=123 force_version=tls1_1" \
1317 0 \
1318 -s "Read from client: 123 bytes read" \
1319 -S "Read from client: 1 bytes read" \
1320 -S "122 bytes read"
1321
1322run_test "CBC Record splitting: TLS 1.0, splitting" \
1323 "$P_SRV" \
1324 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1325 request_size=123 force_version=tls1" \
1326 0 \
1327 -S "Read from client: 123 bytes read" \
1328 -s "Read from client: 1 bytes read" \
1329 -s "122 bytes read"
1330
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1331requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1332run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1333 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1334 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1335 request_size=123 force_version=ssl3" \
1336 0 \
1337 -S "Read from client: 123 bytes read" \
1338 -s "Read from client: 1 bytes read" \
1339 -s "122 bytes read"
1340
1341run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1342 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1343 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1344 request_size=123 force_version=tls1" \
1345 0 \
1346 -s "Read from client: 123 bytes read" \
1347 -S "Read from client: 1 bytes read" \
1348 -S "122 bytes read"
1349
1350run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1351 "$P_SRV" \
1352 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1353 request_size=123 force_version=tls1 recsplit=0" \
1354 0 \
1355 -s "Read from client: 123 bytes read" \
1356 -S "Read from client: 1 bytes read" \
1357 -S "122 bytes read"
1358
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1359run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1360 "$P_SRV nbio=2" \
1361 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1362 request_size=123 force_version=tls1" \
1363 0 \
1364 -S "Read from client: 123 bytes read" \
1365 -s "Read from client: 1 bytes read" \
1366 -s "122 bytes read"
1367
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1368# Tests for Session Tickets
1369
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1370run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1371 "$P_SRV debug_level=3 tickets=1" \
1372 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1373 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1374 -c "client hello, adding session ticket extension" \
1375 -s "found session ticket extension" \
1376 -s "server hello, adding session ticket extension" \
1377 -c "found session_ticket extension" \
1378 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1379 -S "session successfully restored from cache" \
1380 -s "session successfully restored from ticket" \
1381 -s "a session has been resumed" \
1382 -c "a session has been resumed"
1383
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1384run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1385 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1386 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1387 0 \
1388 -c "client hello, adding session ticket extension" \
1389 -s "found session ticket extension" \
1390 -s "server hello, adding session ticket extension" \
1391 -c "found session_ticket extension" \
1392 -c "parse new session ticket" \
1393 -S "session successfully restored from cache" \
1394 -s "session successfully restored from ticket" \
1395 -s "a session has been resumed" \
1396 -c "a session has been resumed"
1397
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1398run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1399 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1400 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1401 0 \
1402 -c "client hello, adding session ticket extension" \
1403 -s "found session ticket extension" \
1404 -s "server hello, adding session ticket extension" \
1405 -c "found session_ticket extension" \
1406 -c "parse new session ticket" \
1407 -S "session successfully restored from cache" \
1408 -S "session successfully restored from ticket" \
1409 -S "a session has been resumed" \
1410 -C "a session has been resumed"
1411
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1412run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1413 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1414 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1415 0 \
1416 -c "client hello, adding session ticket extension" \
1417 -c "found session_ticket extension" \
1418 -c "parse new session ticket" \
1419 -c "a session has been resumed"
1420
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1421run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1422 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1423 "( $O_CLI -sess_out $SESSION; \
1424 $O_CLI -sess_in $SESSION; \
1425 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1426 0 \
1427 -s "found session ticket extension" \
1428 -s "server hello, adding session ticket extension" \
1429 -S "session successfully restored from cache" \
1430 -s "session successfully restored from ticket" \
1431 -s "a session has been resumed"
1432
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1433# Tests for Session Tickets with DTLS
1434
1435run_test "Session resume using tickets, DTLS: basic" \
1436 "$P_SRV debug_level=3 dtls=1 tickets=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1437 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1438 0 \
1439 -c "client hello, adding session ticket extension" \
1440 -s "found session ticket extension" \
1441 -s "server hello, adding session ticket extension" \
1442 -c "found session_ticket extension" \
1443 -c "parse new session ticket" \
1444 -S "session successfully restored from cache" \
1445 -s "session successfully restored from ticket" \
1446 -s "a session has been resumed" \
1447 -c "a session has been resumed"
1448
1449run_test "Session resume using tickets, DTLS: cache disabled" \
1450 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1451 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1452 0 \
1453 -c "client hello, adding session ticket extension" \
1454 -s "found session ticket extension" \
1455 -s "server hello, adding session ticket extension" \
1456 -c "found session_ticket extension" \
1457 -c "parse new session ticket" \
1458 -S "session successfully restored from cache" \
1459 -s "session successfully restored from ticket" \
1460 -s "a session has been resumed" \
1461 -c "a session has been resumed"
1462
1463run_test "Session resume using tickets, DTLS: timeout" \
1464 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1465 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1466 0 \
1467 -c "client hello, adding session ticket extension" \
1468 -s "found session ticket extension" \
1469 -s "server hello, adding session ticket extension" \
1470 -c "found session_ticket extension" \
1471 -c "parse new session ticket" \
1472 -S "session successfully restored from cache" \
1473 -S "session successfully restored from ticket" \
1474 -S "a session has been resumed" \
1475 -C "a session has been resumed"
1476
1477run_test "Session resume using tickets, DTLS: openssl server" \
1478 "$O_SRV -dtls1" \
1479 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1480 0 \
1481 -c "client hello, adding session ticket extension" \
1482 -c "found session_ticket extension" \
1483 -c "parse new session ticket" \
1484 -c "a session has been resumed"
1485
1486run_test "Session resume using tickets, DTLS: openssl client" \
1487 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1488 "( $O_CLI -dtls1 -sess_out $SESSION; \
1489 $O_CLI -dtls1 -sess_in $SESSION; \
1490 rm -f $SESSION )" \
1491 0 \
1492 -s "found session ticket extension" \
1493 -s "server hello, adding session ticket extension" \
1494 -S "session successfully restored from cache" \
1495 -s "session successfully restored from ticket" \
1496 -s "a session has been resumed"
1497
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1498# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1499
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1500run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1501 "$P_SRV debug_level=3 tickets=0" \
1502 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1503 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1504 -c "client hello, adding session ticket extension" \
1505 -s "found session ticket extension" \
1506 -S "server hello, adding session ticket extension" \
1507 -C "found session_ticket extension" \
1508 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1509 -s "session successfully restored from cache" \
1510 -S "session successfully restored from ticket" \
1511 -s "a session has been resumed" \
1512 -c "a session has been resumed"
1513
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1514run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1515 "$P_SRV debug_level=3 tickets=1" \
1516 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1517 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1518 -C "client hello, adding session ticket extension" \
1519 -S "found session ticket extension" \
1520 -S "server hello, adding session ticket extension" \
1521 -C "found session_ticket extension" \
1522 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1523 -s "session successfully restored from cache" \
1524 -S "session successfully restored from ticket" \
1525 -s "a session has been resumed" \
1526 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1527
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1528run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1529 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1530 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1531 0 \
1532 -S "session successfully restored from cache" \
1533 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1534 -S "a session has been resumed" \
1535 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1536
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1537run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1538 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1539 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1540 0 \
1541 -s "session successfully restored from cache" \
1542 -S "session successfully restored from ticket" \
1543 -s "a session has been resumed" \
1544 -c "a session has been resumed"
1545
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1546run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1547 "$P_SRV debug_level=3 tickets=0" \
1548 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1549 0 \
1550 -s "session successfully restored from cache" \
1551 -S "session successfully restored from ticket" \
1552 -s "a session has been resumed" \
1553 -c "a session has been resumed"
1554
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1555run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1556 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1557 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1558 0 \
1559 -S "session successfully restored from cache" \
1560 -S "session successfully restored from ticket" \
1561 -S "a session has been resumed" \
1562 -C "a session has been resumed"
1563
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1564run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1565 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1566 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1567 0 \
1568 -s "session successfully restored from cache" \
1569 -S "session successfully restored from ticket" \
1570 -s "a session has been resumed" \
1571 -c "a session has been resumed"
1572
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1573run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1574 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1575 "( $O_CLI -sess_out $SESSION; \
1576 $O_CLI -sess_in $SESSION; \
1577 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1578 0 \
1579 -s "found session ticket extension" \
1580 -S "server hello, adding session ticket extension" \
1581 -s "session successfully restored from cache" \
1582 -S "session successfully restored from ticket" \
1583 -s "a session has been resumed"
1584
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1585run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1586 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1587 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1588 0 \
1589 -C "found session_ticket extension" \
1590 -C "parse new session ticket" \
1591 -c "a session has been resumed"
1592
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1593# Tests for Session Resume based on session-ID and cache, DTLS
1594
1595run_test "Session resume using cache, DTLS: tickets enabled on client" \
1596 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1597 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1598 0 \
1599 -c "client hello, adding session ticket extension" \
1600 -s "found session ticket extension" \
1601 -S "server hello, adding session ticket extension" \
1602 -C "found session_ticket extension" \
1603 -C "parse new session ticket" \
1604 -s "session successfully restored from cache" \
1605 -S "session successfully restored from ticket" \
1606 -s "a session has been resumed" \
1607 -c "a session has been resumed"
1608
1609run_test "Session resume using cache, DTLS: tickets enabled on server" \
1610 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1611 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1612 0 \
1613 -C "client hello, adding session ticket extension" \
1614 -S "found session ticket extension" \
1615 -S "server hello, adding session ticket extension" \
1616 -C "found session_ticket extension" \
1617 -C "parse new session ticket" \
1618 -s "session successfully restored from cache" \
1619 -S "session successfully restored from ticket" \
1620 -s "a session has been resumed" \
1621 -c "a session has been resumed"
1622
1623run_test "Session resume using cache, DTLS: cache_max=0" \
1624 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1625 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1626 0 \
1627 -S "session successfully restored from cache" \
1628 -S "session successfully restored from ticket" \
1629 -S "a session has been resumed" \
1630 -C "a session has been resumed"
1631
1632run_test "Session resume using cache, DTLS: cache_max=1" \
1633 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1634 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1635 0 \
1636 -s "session successfully restored from cache" \
1637 -S "session successfully restored from ticket" \
1638 -s "a session has been resumed" \
1639 -c "a session has been resumed"
1640
1641run_test "Session resume using cache, DTLS: timeout > delay" \
1642 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1643 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1644 0 \
1645 -s "session successfully restored from cache" \
1646 -S "session successfully restored from ticket" \
1647 -s "a session has been resumed" \
1648 -c "a session has been resumed"
1649
1650run_test "Session resume using cache, DTLS: timeout < delay" \
1651 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1652 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1653 0 \
1654 -S "session successfully restored from cache" \
1655 -S "session successfully restored from ticket" \
1656 -S "a session has been resumed" \
1657 -C "a session has been resumed"
1658
1659run_test "Session resume using cache, DTLS: no timeout" \
1660 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]1661 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame]1662 0 \
1663 -s "session successfully restored from cache" \
1664 -S "session successfully restored from ticket" \
1665 -s "a session has been resumed" \
1666 -c "a session has been resumed"
1667
1668run_test "Session resume using cache, DTLS: openssl client" \
1669 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1670 "( $O_CLI -dtls1 -sess_out $SESSION; \
1671 $O_CLI -dtls1 -sess_in $SESSION; \
1672 rm -f $SESSION )" \
1673 0 \
1674 -s "found session ticket extension" \
1675 -S "server hello, adding session ticket extension" \
1676 -s "session successfully restored from cache" \
1677 -S "session successfully restored from ticket" \
1678 -s "a session has been resumed"
1679
1680run_test "Session resume using cache, DTLS: openssl server" \
1681 "$O_SRV -dtls1" \
1682 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1683 0 \
1684 -C "found session_ticket extension" \
1685 -C "parse new session ticket" \
1686 -c "a session has been resumed"
1687
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1688# Tests for Max Fragment Length extension
1689
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]1690MAX_CONTENT_LEN_EXPECT='16384'
1691MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
1692
1693if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
1694 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
1695 printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
1696 printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
1697 printf "\n"
1698 printf "The tests assume this value and if it changes, the tests in this\n"
1699 printf "script should also be adjusted.\n"
1700 printf "\n"
1701
1702 exit 1
1703fi
1704
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1705requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1706run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1707 "$P_SRV debug_level=3" \
1708 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1709 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1710 -c "Maximum fragment length is 16384" \
1711 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1712 -C "client hello, adding max_fragment_length extension" \
1713 -S "found max fragment length extension" \
1714 -S "server hello, max_fragment_length extension" \
1715 -C "found max_fragment_length extension"
1716
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1717requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1718run_test "Max fragment length: enabled, default, larger message" \
1719 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1720 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1721 0 \
1722 -c "Maximum fragment length is 16384" \
1723 -s "Maximum fragment length is 16384" \
1724 -C "client hello, adding max_fragment_length extension" \
1725 -S "found max fragment length extension" \
1726 -S "server hello, max_fragment_length extension" \
1727 -C "found max_fragment_length extension" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1728 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1729 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1730 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1731
1732requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1733run_test "Max fragment length, DTLS: enabled, default, larger message" \
1734 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1735 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1736 1 \
1737 -c "Maximum fragment length is 16384" \
1738 -s "Maximum fragment length is 16384" \
1739 -C "client hello, adding max_fragment_length extension" \
1740 -S "found max fragment length extension" \
1741 -S "server hello, max_fragment_length extension" \
1742 -C "found max_fragment_length extension" \
1743 -c "fragment larger than.*maximum "
1744
1745requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1746run_test "Max fragment length: disabled, larger message" \
1747 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1748 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1749 0 \
1750 -C "Maximum fragment length is 16384" \
1751 -S "Maximum fragment length is 16384" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1752 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1753 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1754 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1755
1756requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1757run_test "Max fragment length DTLS: disabled, larger message" \
1758 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1759 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1760 1 \
1761 -C "Maximum fragment length is 16384" \
1762 -S "Maximum fragment length is 16384" \
1763 -c "fragment larger than.*maximum "
1764
1765requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1766run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1767 "$P_SRV debug_level=3" \
1768 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1769 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1770 -c "Maximum fragment length is 4096" \
1771 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1772 -c "client hello, adding max_fragment_length extension" \
1773 -s "found max fragment length extension" \
1774 -s "server hello, max_fragment_length extension" \
1775 -c "found max_fragment_length extension"
1776
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1777requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1778run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1779 "$P_SRV debug_level=3 max_frag_len=4096" \
1780 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1781 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1782 -c "Maximum fragment length is 16384" \
1783 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1784 -C "client hello, adding max_fragment_length extension" \
1785 -S "found max fragment length extension" \
1786 -S "server hello, max_fragment_length extension" \
1787 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1788
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1789requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1790requires_gnutls
1791run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1792 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1793 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1794 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1795 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1796 -c "client hello, adding max_fragment_length extension" \
1797 -c "found max_fragment_length extension"
1798
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1799requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1800run_test "Max fragment length: client, message just fits" \
1801 "$P_SRV debug_level=3" \
1802 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1803 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1804 -c "Maximum fragment length is 2048" \
1805 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1806 -c "client hello, adding max_fragment_length extension" \
1807 -s "found max fragment length extension" \
1808 -s "server hello, max_fragment_length extension" \
1809 -c "found max_fragment_length extension" \
1810 -c "2048 bytes written in 1 fragments" \
1811 -s "2048 bytes read"
1812
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1813requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1814run_test "Max fragment length: client, larger message" \
1815 "$P_SRV debug_level=3" \
1816 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1817 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1818 -c "Maximum fragment length is 2048" \
1819 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1820 -c "client hello, adding max_fragment_length extension" \
1821 -s "found max fragment length extension" \
1822 -s "server hello, max_fragment_length extension" \
1823 -c "found max_fragment_length extension" \
1824 -c "2345 bytes written in 2 fragments" \
1825 -s "2048 bytes read" \
1826 -s "297 bytes read"
1827
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1828requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1829run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1830 "$P_SRV debug_level=3 dtls=1" \
1831 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1832 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1833 -c "Maximum fragment length is 2048" \
1834 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1835 -c "client hello, adding max_fragment_length extension" \
1836 -s "found max fragment length extension" \
1837 -s "server hello, max_fragment_length extension" \
1838 -c "found max_fragment_length extension" \
1839 -c "fragment larger than.*maximum"
1840
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1841# Tests for renegotiation
1842
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1843# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1844run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1845 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1846 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1847 0 \
1848 -C "client hello, adding renegotiation extension" \
1849 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1850 -S "found renegotiation extension" \
1851 -s "server hello, secure renegotiation extension" \
1852 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1853 -C "=> renegotiate" \
1854 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1855 -S "write hello request"
1856
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1857requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1858run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1859 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1860 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1861 0 \
1862 -c "client hello, adding renegotiation extension" \
1863 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1864 -s "found renegotiation extension" \
1865 -s "server hello, secure renegotiation extension" \
1866 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1867 -c "=> renegotiate" \
1868 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1869 -S "write hello request"
1870
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1871requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1872run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1873 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1874 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1875 0 \
1876 -c "client hello, adding renegotiation extension" \
1877 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1878 -s "found renegotiation extension" \
1879 -s "server hello, secure renegotiation extension" \
1880 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1881 -c "=> renegotiate" \
1882 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1883 -s "write hello request"
1884
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1885# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1886# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1887# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1888requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1889run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1890 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1891 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1892 0 \
1893 -c "client hello, adding renegotiation extension" \
1894 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1895 -s "found renegotiation extension" \
1896 -s "server hello, secure renegotiation extension" \
1897 -c "found renegotiation extension" \
1898 -c "=> renegotiate" \
1899 -s "=> renegotiate" \
1900 -S "write hello request" \
1901 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1902
1903# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1904# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1905# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1906requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1907run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1908 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1909 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1910 0 \
1911 -c "client hello, adding renegotiation extension" \
1912 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1913 -s "found renegotiation extension" \
1914 -s "server hello, secure renegotiation extension" \
1915 -c "found renegotiation extension" \
1916 -c "=> renegotiate" \
1917 -s "=> renegotiate" \
1918 -s "write hello request" \
1919 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1920
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1921requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1922run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1923 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1924 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1925 0 \
1926 -c "client hello, adding renegotiation extension" \
1927 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1928 -s "found renegotiation extension" \
1929 -s "server hello, secure renegotiation extension" \
1930 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1931 -c "=> renegotiate" \
1932 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1933 -s "write hello request"
1934
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1935requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1936run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1937 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1938 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1939 1 \
1940 -c "client hello, adding renegotiation extension" \
1941 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1942 -S "found renegotiation extension" \
1943 -s "server hello, secure renegotiation extension" \
1944 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1945 -c "=> renegotiate" \
1946 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1947 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1948 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1949 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1950
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1951requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1952run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1953 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1954 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1955 0 \
1956 -C "client hello, adding renegotiation extension" \
1957 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1958 -S "found renegotiation extension" \
1959 -s "server hello, secure renegotiation extension" \
1960 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1961 -C "=> renegotiate" \
1962 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1963 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1964 -S "SSL - An unexpected message was received from our peer" \
1965 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1966
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1967requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1968run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1969 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1970 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1971 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1972 0 \
1973 -C "client hello, adding renegotiation extension" \
1974 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1975 -S "found renegotiation extension" \
1976 -s "server hello, secure renegotiation extension" \
1977 -c "found renegotiation extension" \
1978 -C "=> renegotiate" \
1979 -S "=> renegotiate" \
1980 -s "write hello request" \
1981 -S "SSL - An unexpected message was received from our peer" \
1982 -S "failed"
1983
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1984# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1985requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1986run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1987 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1988 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1989 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1990 0 \
1991 -C "client hello, adding renegotiation extension" \
1992 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1993 -S "found renegotiation extension" \
1994 -s "server hello, secure renegotiation extension" \
1995 -c "found renegotiation extension" \
1996 -C "=> renegotiate" \
1997 -S "=> renegotiate" \
1998 -s "write hello request" \
1999 -S "SSL - An unexpected message was received from our peer" \
2000 -S "failed"
2001
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2002requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2003run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2004 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2005 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2006 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2007 0 \
2008 -C "client hello, adding renegotiation extension" \
2009 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2010 -S "found renegotiation extension" \
2011 -s "server hello, secure renegotiation extension" \
2012 -c "found renegotiation extension" \
2013 -C "=> renegotiate" \
2014 -S "=> renegotiate" \
2015 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]2016 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2017
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2018requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2019run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2020 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2021 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2022 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2023 0 \
2024 -c "client hello, adding renegotiation extension" \
2025 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2026 -s "found renegotiation extension" \
2027 -s "server hello, secure renegotiation extension" \
2028 -c "found renegotiation extension" \
2029 -c "=> renegotiate" \
2030 -s "=> renegotiate" \
2031 -s "write hello request" \
2032 -S "SSL - An unexpected message was received from our peer" \
2033 -S "failed"
2034
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2035requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2036run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2037 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2038 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
2039 0 \
2040 -C "client hello, adding renegotiation extension" \
2041 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2042 -S "found renegotiation extension" \
2043 -s "server hello, secure renegotiation extension" \
2044 -c "found renegotiation extension" \
2045 -S "record counter limit reached: renegotiate" \
2046 -C "=> renegotiate" \
2047 -S "=> renegotiate" \
2048 -S "write hello request" \
2049 -S "SSL - An unexpected message was received from our peer" \
2050 -S "failed"
2051
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2052# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2053requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2054run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2055 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2056 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2057 0 \
2058 -c "client hello, adding renegotiation extension" \
2059 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2060 -s "found renegotiation extension" \
2061 -s "server hello, secure renegotiation extension" \
2062 -c "found renegotiation extension" \
2063 -s "record counter limit reached: renegotiate" \
2064 -c "=> renegotiate" \
2065 -s "=> renegotiate" \
2066 -s "write hello request" \
2067 -S "SSL - An unexpected message was received from our peer" \
2068 -S "failed"
2069
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2070requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2071run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2072 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2073 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2074 0 \
2075 -c "client hello, adding renegotiation extension" \
2076 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2077 -s "found renegotiation extension" \
2078 -s "server hello, secure renegotiation extension" \
2079 -c "found renegotiation extension" \
2080 -s "record counter limit reached: renegotiate" \
2081 -c "=> renegotiate" \
2082 -s "=> renegotiate" \
2083 -s "write hello request" \
2084 -S "SSL - An unexpected message was received from our peer" \
2085 -S "failed"
2086
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2087requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2088run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2089 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2090 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
2091 0 \
2092 -C "client hello, adding renegotiation extension" \
2093 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2094 -S "found renegotiation extension" \
2095 -s "server hello, secure renegotiation extension" \
2096 -c "found renegotiation extension" \
2097 -S "record counter limit reached: renegotiate" \
2098 -C "=> renegotiate" \
2099 -S "=> renegotiate" \
2100 -S "write hello request" \
2101 -S "SSL - An unexpected message was received from our peer" \
2102 -S "failed"
2103
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2104requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2105run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2106 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2107 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2108 0 \
2109 -c "client hello, adding renegotiation extension" \
2110 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2111 -s "found renegotiation extension" \
2112 -s "server hello, secure renegotiation extension" \
2113 -c "found renegotiation extension" \
2114 -c "=> renegotiate" \
2115 -s "=> renegotiate" \
2116 -S "write hello request"
2117
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2118requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2119run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2120 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2121 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2122 0 \
2123 -c "client hello, adding renegotiation extension" \
2124 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2125 -s "found renegotiation extension" \
2126 -s "server hello, secure renegotiation extension" \
2127 -c "found renegotiation extension" \
2128 -c "=> renegotiate" \
2129 -s "=> renegotiate" \
2130 -s "write hello request"
2131
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2132requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2133run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]2134 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2135 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2136 0 \
2137 -c "client hello, adding renegotiation extension" \
2138 -c "found renegotiation extension" \
2139 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2140 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2141 -C "error" \
2142 -c "HTTP/1.0 200 [Oo][Kk]"
2143
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2144requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2145requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2146run_test "Renegotiation: gnutls server strict, client-initiated" \
2147 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2148 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2149 0 \
2150 -c "client hello, adding renegotiation extension" \
2151 -c "found renegotiation extension" \
2152 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2153 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2154 -C "error" \
2155 -c "HTTP/1.0 200 [Oo][Kk]"
2156
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2157requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2158requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2159run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
2160 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2161 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
2162 1 \
2163 -c "client hello, adding renegotiation extension" \
2164 -C "found renegotiation extension" \
2165 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2166 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2167 -c "error" \
2168 -C "HTTP/1.0 200 [Oo][Kk]"
2169
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2170requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2171requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2172run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
2173 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2174 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2175 allow_legacy=0" \
2176 1 \
2177 -c "client hello, adding renegotiation extension" \
2178 -C "found renegotiation extension" \
2179 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2180 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2181 -c "error" \
2182 -C "HTTP/1.0 200 [Oo][Kk]"
2183
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2184requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2185requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2186run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
2187 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2188 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2189 allow_legacy=1" \
2190 0 \
2191 -c "client hello, adding renegotiation extension" \
2192 -C "found renegotiation extension" \
2193 -c "=> renegotiate" \
2194 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2195 -C "error" \
2196 -c "HTTP/1.0 200 [Oo][Kk]"
2197
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2198requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]2199run_test "Renegotiation: DTLS, client-initiated" \
2200 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
2201 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
2202 0 \
2203 -c "client hello, adding renegotiation extension" \
2204 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2205 -s "found renegotiation extension" \
2206 -s "server hello, secure renegotiation extension" \
2207 -c "found renegotiation extension" \
2208 -c "=> renegotiate" \
2209 -s "=> renegotiate" \
2210 -S "write hello request"
2211
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2212requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2213run_test "Renegotiation: DTLS, server-initiated" \
2214 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]2215 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
2216 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2217 0 \
2218 -c "client hello, adding renegotiation extension" \
2219 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2220 -s "found renegotiation extension" \
2221 -s "server hello, secure renegotiation extension" \
2222 -c "found renegotiation extension" \
2223 -c "=> renegotiate" \
2224 -s "=> renegotiate" \
2225 -s "write hello request"
2226
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2227requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]2228run_test "Renegotiation: DTLS, renego_period overflow" \
2229 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
2230 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
2231 0 \
2232 -c "client hello, adding renegotiation extension" \
2233 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2234 -s "found renegotiation extension" \
2235 -s "server hello, secure renegotiation extension" \
2236 -s "record counter limit reached: renegotiate" \
2237 -c "=> renegotiate" \
2238 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2239 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]2240
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]2241requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2242requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2243run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
2244 "$G_SRV -u --mtu 4096" \
2245 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
2246 0 \
2247 -c "client hello, adding renegotiation extension" \
2248 -c "found renegotiation extension" \
2249 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2250 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2251 -C "error" \
2252 -s "Extra-header:"
2253
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2254# Test for the "secure renegotation" extension only (no actual renegotiation)
2255
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2256requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2257run_test "Renego ext: gnutls server strict, client default" \
2258 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
2259 "$P_CLI debug_level=3" \
2260 0 \
2261 -c "found renegotiation extension" \
2262 -C "error" \
2263 -c "HTTP/1.0 200 [Oo][Kk]"
2264
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2265requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2266run_test "Renego ext: gnutls server unsafe, client default" \
2267 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2268 "$P_CLI debug_level=3" \
2269 0 \
2270 -C "found renegotiation extension" \
2271 -C "error" \
2272 -c "HTTP/1.0 200 [Oo][Kk]"
2273
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2274requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2275run_test "Renego ext: gnutls server unsafe, client break legacy" \
2276 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2277 "$P_CLI debug_level=3 allow_legacy=-1" \
2278 1 \
2279 -C "found renegotiation extension" \
2280 -c "error" \
2281 -C "HTTP/1.0 200 [Oo][Kk]"
2282
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2283requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2284run_test "Renego ext: gnutls client strict, server default" \
2285 "$P_SRV debug_level=3" \
2286 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
2287 0 \
2288 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2289 -s "server hello, secure renegotiation extension"
2290
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2291requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2292run_test "Renego ext: gnutls client unsafe, server default" \
2293 "$P_SRV debug_level=3" \
2294 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2295 0 \
2296 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2297 -S "server hello, secure renegotiation extension"
2298
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2299requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2300run_test "Renego ext: gnutls client unsafe, server break legacy" \
2301 "$P_SRV debug_level=3 allow_legacy=-1" \
2302 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2303 1 \
2304 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2305 -S "server hello, secure renegotiation extension"
2306
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2307# Tests for silently dropping trailing extra bytes in .der certificates
2308
2309requires_gnutls
2310run_test "DER format: no trailing bytes" \
2311 "$P_SRV crt_file=data_files/server5-der0.crt \
2312 key_file=data_files/server5.key" \
2313 "$G_CLI " \
2314 0 \
2315 -c "Handshake was completed" \
2316
2317requires_gnutls
2318run_test "DER format: with a trailing zero byte" \
2319 "$P_SRV crt_file=data_files/server5-der1a.crt \
2320 key_file=data_files/server5.key" \
2321 "$G_CLI " \
2322 0 \
2323 -c "Handshake was completed" \
2324
2325requires_gnutls
2326run_test "DER format: with a trailing random byte" \
2327 "$P_SRV crt_file=data_files/server5-der1b.crt \
2328 key_file=data_files/server5.key" \
2329 "$G_CLI " \
2330 0 \
2331 -c "Handshake was completed" \
2332
2333requires_gnutls
2334run_test "DER format: with 2 trailing random bytes" \
2335 "$P_SRV crt_file=data_files/server5-der2.crt \
2336 key_file=data_files/server5.key" \
2337 "$G_CLI " \
2338 0 \
2339 -c "Handshake was completed" \
2340
2341requires_gnutls
2342run_test "DER format: with 4 trailing random bytes" \
2343 "$P_SRV crt_file=data_files/server5-der4.crt \
2344 key_file=data_files/server5.key" \
2345 "$G_CLI " \
2346 0 \
2347 -c "Handshake was completed" \
2348
2349requires_gnutls
2350run_test "DER format: with 8 trailing random bytes" \
2351 "$P_SRV crt_file=data_files/server5-der8.crt \
2352 key_file=data_files/server5.key" \
2353 "$G_CLI " \
2354 0 \
2355 -c "Handshake was completed" \
2356
2357requires_gnutls
2358run_test "DER format: with 9 trailing random bytes" \
2359 "$P_SRV crt_file=data_files/server5-der9.crt \
2360 key_file=data_files/server5.key" \
2361 "$G_CLI " \
2362 0 \
2363 -c "Handshake was completed" \
2364
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2365# Tests for auth_mode
2366
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2367run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2368 "$P_SRV crt_file=data_files/server5-badsign.crt \
2369 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2370 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2371 1 \
2372 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2373 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2374 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2375 -c "X509 - Certificate verification failed"
2376
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2377run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2378 "$P_SRV crt_file=data_files/server5-badsign.crt \
2379 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2380 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2381 0 \
2382 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2383 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2384 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2385 -C "X509 - Certificate verification failed"
2386
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]2387run_test "Authentication: server goodcert, client optional, no trusted CA" \
2388 "$P_SRV" \
2389 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2390 0 \
2391 -c "x509_verify_cert() returned" \
2392 -c "! The certificate is not correctly signed by the trusted CA" \
2393 -c "! Certificate verification flags"\
2394 -C "! mbedtls_ssl_handshake returned" \
2395 -C "X509 - Certificate verification failed" \
2396 -C "SSL - No CA Chain is set, but required to operate"
2397
2398run_test "Authentication: server goodcert, client required, no trusted CA" \
2399 "$P_SRV" \
2400 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2401 1 \
2402 -c "x509_verify_cert() returned" \
2403 -c "! The certificate is not correctly signed by the trusted CA" \
2404 -c "! Certificate verification flags"\
2405 -c "! mbedtls_ssl_handshake returned" \
2406 -c "SSL - No CA Chain is set, but required to operate"
2407
2408# The purpose of the next two tests is to test the client's behaviour when receiving a server
2409# certificate with an unsupported elliptic curve. This should usually not happen because
2410# the client informs the server about the supported curves - it does, though, in the
2411# corner case of a static ECDH suite, because the server doesn't check the curve on that
2412# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
2413# different means to have the server ignoring the client's supported curve list.
2414
2415requires_config_enabled MBEDTLS_ECP_C
2416run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2417 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2418 crt_file=data_files/server5.ku-ka.crt" \
2419 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2420 1 \
2421 -c "bad certificate (EC key curve)"\
2422 -c "! Certificate verification flags"\
2423 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2424
2425requires_config_enabled MBEDTLS_ECP_C
2426run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2427 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2428 crt_file=data_files/server5.ku-ka.crt" \
2429 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2430 1 \
2431 -c "bad certificate (EC key curve)"\
2432 -c "! Certificate verification flags"\
2433 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2434
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2435run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2436 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2437 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2438 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2439 0 \
2440 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2441 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2442 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2443 -C "X509 - Certificate verification failed"
2444
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2445run_test "Authentication: client SHA256, server required" \
2446 "$P_SRV auth_mode=required" \
2447 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2448 key_file=data_files/server6.key \
2449 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
2450 0 \
2451 -c "Supported Signature Algorithm found: 4," \
2452 -c "Supported Signature Algorithm found: 5,"
2453
2454run_test "Authentication: client SHA384, server required" \
2455 "$P_SRV auth_mode=required" \
2456 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2457 key_file=data_files/server6.key \
2458 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2459 0 \
2460 -c "Supported Signature Algorithm found: 4," \
2461 -c "Supported Signature Algorithm found: 5,"
2462
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2463requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2464run_test "Authentication: client has no cert, server required (SSLv3)" \
2465 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2466 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2467 key_file=data_files/server5.key" \
2468 1 \
2469 -S "skip write certificate request" \
2470 -C "skip parse certificate request" \
2471 -c "got a certificate request" \
2472 -c "got no certificate to send" \
2473 -S "x509_verify_cert() returned" \
2474 -s "client has no certificate" \
2475 -s "! mbedtls_ssl_handshake returned" \
2476 -c "! mbedtls_ssl_handshake returned" \
2477 -s "No client certification received from the client, but required by the authentication mode"
2478
2479run_test "Authentication: client has no cert, server required (TLS)" \
2480 "$P_SRV debug_level=3 auth_mode=required" \
2481 "$P_CLI debug_level=3 crt_file=none \
2482 key_file=data_files/server5.key" \
2483 1 \
2484 -S "skip write certificate request" \
2485 -C "skip parse certificate request" \
2486 -c "got a certificate request" \
2487 -c "= write certificate$" \
2488 -C "skip write certificate$" \
2489 -S "x509_verify_cert() returned" \
2490 -s "client has no certificate" \
2491 -s "! mbedtls_ssl_handshake returned" \
2492 -c "! mbedtls_ssl_handshake returned" \
2493 -s "No client certification received from the client, but required by the authentication mode"
2494
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2495run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2496 "$P_SRV debug_level=3 auth_mode=required" \
2497 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2498 key_file=data_files/server5.key" \
2499 1 \
2500 -S "skip write certificate request" \
2501 -C "skip parse certificate request" \
2502 -c "got a certificate request" \
2503 -C "skip write certificate" \
2504 -C "skip write certificate verify" \
2505 -S "skip parse certificate verify" \
2506 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2507 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2508 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2509 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2510 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2511 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2512# We don't check that the client receives the alert because it might
2513# detect that its write end of the connection is closed and abort
2514# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2515
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2516run_test "Authentication: client cert not trusted, server required" \
2517 "$P_SRV debug_level=3 auth_mode=required" \
2518 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2519 key_file=data_files/server5.key" \
2520 1 \
2521 -S "skip write certificate request" \
2522 -C "skip parse certificate request" \
2523 -c "got a certificate request" \
2524 -C "skip write certificate" \
2525 -C "skip write certificate verify" \
2526 -S "skip parse certificate verify" \
2527 -s "x509_verify_cert() returned" \
2528 -s "! The certificate is not correctly signed by the trusted CA" \
2529 -s "! mbedtls_ssl_handshake returned" \
2530 -c "! mbedtls_ssl_handshake returned" \
2531 -s "X509 - Certificate verification failed"
2532
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2533run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2534 "$P_SRV debug_level=3 auth_mode=optional" \
2535 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2536 key_file=data_files/server5.key" \
2537 0 \
2538 -S "skip write certificate request" \
2539 -C "skip parse certificate request" \
2540 -c "got a certificate request" \
2541 -C "skip write certificate" \
2542 -C "skip write certificate verify" \
2543 -S "skip parse certificate verify" \
2544 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2545 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2546 -S "! mbedtls_ssl_handshake returned" \
2547 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2548 -S "X509 - Certificate verification failed"
2549
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2550run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2551 "$P_SRV debug_level=3 auth_mode=none" \
2552 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2553 key_file=data_files/server5.key" \
2554 0 \
2555 -s "skip write certificate request" \
2556 -C "skip parse certificate request" \
2557 -c "got no certificate request" \
2558 -c "skip write certificate" \
2559 -c "skip write certificate verify" \
2560 -s "skip parse certificate verify" \
2561 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2562 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2563 -S "! mbedtls_ssl_handshake returned" \
2564 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2565 -S "X509 - Certificate verification failed"
2566
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2567run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2568 "$P_SRV debug_level=3 auth_mode=optional" \
2569 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2570 0 \
2571 -S "skip write certificate request" \
2572 -C "skip parse certificate request" \
2573 -c "got a certificate request" \
2574 -C "skip write certificate$" \
2575 -C "got no certificate to send" \
2576 -S "SSLv3 client has no certificate" \
2577 -c "skip write certificate verify" \
2578 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2579 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2580 -S "! mbedtls_ssl_handshake returned" \
2581 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2582 -S "X509 - Certificate verification failed"
2583
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2584run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2585 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2586 "$O_CLI" \
2587 0 \
2588 -S "skip write certificate request" \
2589 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2590 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2591 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2592 -S "X509 - Certificate verification failed"
2593
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2594run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2595 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2596 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2597 0 \
2598 -C "skip parse certificate request" \
2599 -c "got a certificate request" \
2600 -C "skip write certificate$" \
2601 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2602 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2603
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2604run_test "Authentication: client no cert, openssl server required" \
2605 "$O_SRV -Verify 10" \
2606 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2607 1 \
2608 -C "skip parse certificate request" \
2609 -c "got a certificate request" \
2610 -C "skip write certificate$" \
2611 -c "skip write certificate verify" \
2612 -c "! mbedtls_ssl_handshake returned"
2613
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2614requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2615run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2616 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2617 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2618 0 \
2619 -S "skip write certificate request" \
2620 -C "skip parse certificate request" \
2621 -c "got a certificate request" \
2622 -C "skip write certificate$" \
2623 -c "skip write certificate verify" \
2624 -c "got no certificate to send" \
2625 -s "SSLv3 client has no certificate" \
2626 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2627 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2628 -S "! mbedtls_ssl_handshake returned" \
2629 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2630 -S "X509 - Certificate verification failed"
2631
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2632# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2633# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2634
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2635MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2636MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2637
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2638if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2639 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2640 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2641 printf "test value of ${MAX_IM_CA}. \n"
2642 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2643 printf "The tests assume this value and if it changes, the tests in this\n"
2644 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2645 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2646
2647 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2648fi
2649
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2650run_test "Authentication: server max_int chain, client default" \
2651 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2652 key_file=data_files/dir-maxpath/09.key" \
2653 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2654 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]2655 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2656
2657run_test "Authentication: server max_int+1 chain, client default" \
2658 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2659 key_file=data_files/dir-maxpath/10.key" \
2660 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2661 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]2662 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2663
2664run_test "Authentication: server max_int+1 chain, client optional" \
2665 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2666 key_file=data_files/dir-maxpath/10.key" \
2667 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2668 auth_mode=optional" \
2669 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]2670 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2671
2672run_test "Authentication: server max_int+1 chain, client none" \
2673 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2674 key_file=data_files/dir-maxpath/10.key" \
2675 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2676 auth_mode=none" \
2677 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]2678 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2679
2680run_test "Authentication: client max_int+1 chain, server default" \
2681 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2682 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2683 key_file=data_files/dir-maxpath/10.key" \
2684 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]2685 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2686
2687run_test "Authentication: client max_int+1 chain, server optional" \
2688 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2689 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2690 key_file=data_files/dir-maxpath/10.key" \
2691 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]2692 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2693
2694run_test "Authentication: client max_int+1 chain, server required" \
2695 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2696 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2697 key_file=data_files/dir-maxpath/10.key" \
2698 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]2699 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2700
2701run_test "Authentication: client max_int chain, server required" \
2702 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2703 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2704 key_file=data_files/dir-maxpath/09.key" \
2705 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +0100[diff] [blame]2706 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2707
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2708# Tests for CA list in CertificateRequest messages
2709
2710run_test "Authentication: send CA list in CertificateRequest (default)" \
2711 "$P_SRV debug_level=3 auth_mode=required" \
2712 "$P_CLI crt_file=data_files/server6.crt \
2713 key_file=data_files/server6.key" \
2714 0 \
2715 -s "requested DN"
2716
2717run_test "Authentication: do not send CA list in CertificateRequest" \
2718 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2719 "$P_CLI crt_file=data_files/server6.crt \
2720 key_file=data_files/server6.key" \
2721 0 \
2722 -S "requested DN"
2723
2724run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2725 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2726 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2727 key_file=data_files/server5.key" \
2728 1 \
2729 -S "requested DN" \
2730 -s "x509_verify_cert() returned" \
2731 -s "! The certificate is not correctly signed by the trusted CA" \
2732 -s "! mbedtls_ssl_handshake returned" \
2733 -c "! mbedtls_ssl_handshake returned" \
2734 -s "X509 - Certificate verification failed"
2735
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2736# Tests for certificate selection based on SHA verson
2737
2738run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2739 "$P_SRV crt_file=data_files/server5.crt \
2740 key_file=data_files/server5.key \
2741 crt_file2=data_files/server5-sha1.crt \
2742 key_file2=data_files/server5.key" \
2743 "$P_CLI force_version=tls1_2" \
2744 0 \
2745 -c "signed using.*ECDSA with SHA256" \
2746 -C "signed using.*ECDSA with SHA1"
2747
2748run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2749 "$P_SRV crt_file=data_files/server5.crt \
2750 key_file=data_files/server5.key \
2751 crt_file2=data_files/server5-sha1.crt \
2752 key_file2=data_files/server5.key" \
2753 "$P_CLI force_version=tls1_1" \
2754 0 \
2755 -C "signed using.*ECDSA with SHA256" \
2756 -c "signed using.*ECDSA with SHA1"
2757
2758run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2759 "$P_SRV crt_file=data_files/server5.crt \
2760 key_file=data_files/server5.key \
2761 crt_file2=data_files/server5-sha1.crt \
2762 key_file2=data_files/server5.key" \
2763 "$P_CLI force_version=tls1" \
2764 0 \
2765 -C "signed using.*ECDSA with SHA256" \
2766 -c "signed using.*ECDSA with SHA1"
2767
2768run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2769 "$P_SRV crt_file=data_files/server5.crt \
2770 key_file=data_files/server5.key \
2771 crt_file2=data_files/server6.crt \
2772 key_file2=data_files/server6.key" \
2773 "$P_CLI force_version=tls1_1" \
2774 0 \
2775 -c "serial number.*09" \
2776 -c "signed using.*ECDSA with SHA256" \
2777 -C "signed using.*ECDSA with SHA1"
2778
2779run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2780 "$P_SRV crt_file=data_files/server6.crt \
2781 key_file=data_files/server6.key \
2782 crt_file2=data_files/server5.crt \
2783 key_file2=data_files/server5.key" \
2784 "$P_CLI force_version=tls1_1" \
2785 0 \
2786 -c "serial number.*0A" \
2787 -c "signed using.*ECDSA with SHA256" \
2788 -C "signed using.*ECDSA with SHA1"
2789
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2790# tests for SNI
2791
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2792run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2793 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2794 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2795 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2796 0 \
2797 -S "parse ServerName extension" \
2798 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2799 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2800
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2801run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2802 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2803 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2804 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2805 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2806 0 \
2807 -s "parse ServerName extension" \
2808 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2809 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2810
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2811run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2812 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2813 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2814 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2815 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2816 0 \
2817 -s "parse ServerName extension" \
2818 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2819 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2820
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2821run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2822 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2823 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2824 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2825 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2826 1 \
2827 -s "parse ServerName extension" \
2828 -s "ssl_sni_wrapper() returned" \
2829 -s "mbedtls_ssl_handshake returned" \
2830 -c "mbedtls_ssl_handshake returned" \
2831 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2832
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2833run_test "SNI: client auth no override: optional" \
2834 "$P_SRV debug_level=3 auth_mode=optional \
2835 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2836 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2837 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2838 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2839 -S "skip write certificate request" \
2840 -C "skip parse certificate request" \
2841 -c "got a certificate request" \
2842 -C "skip write certificate" \
2843 -C "skip write certificate verify" \
2844 -S "skip parse certificate verify"
2845
2846run_test "SNI: client auth override: none -> optional" \
2847 "$P_SRV debug_level=3 auth_mode=none \
2848 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2849 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2850 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2851 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2852 -S "skip write certificate request" \
2853 -C "skip parse certificate request" \
2854 -c "got a certificate request" \
2855 -C "skip write certificate" \
2856 -C "skip write certificate verify" \
2857 -S "skip parse certificate verify"
2858
2859run_test "SNI: client auth override: optional -> none" \
2860 "$P_SRV debug_level=3 auth_mode=optional \
2861 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2862 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2863 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2864 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2865 -s "skip write certificate request" \
2866 -C "skip parse certificate request" \
2867 -c "got no certificate request" \
2868 -c "skip write certificate" \
2869 -c "skip write certificate verify" \
2870 -s "skip parse certificate verify"
2871
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2872run_test "SNI: CA no override" \
2873 "$P_SRV debug_level=3 auth_mode=optional \
2874 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2875 ca_file=data_files/test-ca.crt \
2876 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2877 "$P_CLI debug_level=3 server_name=localhost \
2878 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2879 1 \
2880 -S "skip write certificate request" \
2881 -C "skip parse certificate request" \
2882 -c "got a certificate request" \
2883 -C "skip write certificate" \
2884 -C "skip write certificate verify" \
2885 -S "skip parse certificate verify" \
2886 -s "x509_verify_cert() returned" \
2887 -s "! The certificate is not correctly signed by the trusted CA" \
2888 -S "The certificate has been revoked (is on a CRL)"
2889
2890run_test "SNI: CA override" \
2891 "$P_SRV debug_level=3 auth_mode=optional \
2892 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2893 ca_file=data_files/test-ca.crt \
2894 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2895 "$P_CLI debug_level=3 server_name=localhost \
2896 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2897 0 \
2898 -S "skip write certificate request" \
2899 -C "skip parse certificate request" \
2900 -c "got a certificate request" \
2901 -C "skip write certificate" \
2902 -C "skip write certificate verify" \
2903 -S "skip parse certificate verify" \
2904 -S "x509_verify_cert() returned" \
2905 -S "! The certificate is not correctly signed by the trusted CA" \
2906 -S "The certificate has been revoked (is on a CRL)"
2907
2908run_test "SNI: CA override with CRL" \
2909 "$P_SRV debug_level=3 auth_mode=optional \
2910 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2911 ca_file=data_files/test-ca.crt \
2912 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2913 "$P_CLI debug_level=3 server_name=localhost \
2914 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2915 1 \
2916 -S "skip write certificate request" \
2917 -C "skip parse certificate request" \
2918 -c "got a certificate request" \
2919 -C "skip write certificate" \
2920 -C "skip write certificate verify" \
2921 -S "skip parse certificate verify" \
2922 -s "x509_verify_cert() returned" \
2923 -S "! The certificate is not correctly signed by the trusted CA" \
2924 -s "The certificate has been revoked (is on a CRL)"
2925
Andres AGe8b07742016-12-07 10:01:30 +0000[diff] [blame]2926# Tests for SNI and DTLS
2927
Andres Amaya Garciaf9519bf2018-05-01 20:27:37 +0100[diff] [blame]2928run_test "SNI: DTLS, no SNI callback" \
2929 "$P_SRV debug_level=3 dtls=1 \
2930 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
2931 "$P_CLI server_name=localhost dtls=1" \
2932 0 \
2933 -S "parse ServerName extension" \
2934 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2935 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2936
Andres Amaya Garcia914eea42018-05-01 20:26:47 +0100[diff] [blame]2937run_test "SNI: DTLS, matching cert 1" \
Andres AGe8b07742016-12-07 10:01:30 +0000[diff] [blame]2938 "$P_SRV debug_level=3 dtls=1 \
2939 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2940 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2941 "$P_CLI server_name=localhost dtls=1" \
2942 0 \
2943 -s "parse ServerName extension" \
2944 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2945 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2946
Andres Amaya Garciaf9519bf2018-05-01 20:27:37 +0100[diff] [blame]2947run_test "SNI: DTLS, matching cert 2" \
2948 "$P_SRV debug_level=3 dtls=1 \
2949 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2950 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2951 "$P_CLI server_name=polarssl.example dtls=1" \
2952 0 \
2953 -s "parse ServerName extension" \
2954 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2955 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
2956
2957run_test "SNI: DTLS, no matching cert" \
2958 "$P_SRV debug_level=3 dtls=1 \
2959 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2960 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2961 "$P_CLI server_name=nonesuch.example dtls=1" \
2962 1 \
2963 -s "parse ServerName extension" \
2964 -s "ssl_sni_wrapper() returned" \
2965 -s "mbedtls_ssl_handshake returned" \
2966 -c "mbedtls_ssl_handshake returned" \
2967 -c "SSL - A fatal alert message was received from our peer"
2968
2969run_test "SNI: DTLS, client auth no override: optional" \
2970 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2971 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2972 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2973 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2974 0 \
2975 -S "skip write certificate request" \
2976 -C "skip parse certificate request" \
2977 -c "got a certificate request" \
2978 -C "skip write certificate" \
2979 -C "skip write certificate verify" \
2980 -S "skip parse certificate verify"
2981
2982run_test "SNI: DTLS, client auth override: none -> optional" \
2983 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
2984 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2985 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2986 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2987 0 \
2988 -S "skip write certificate request" \
2989 -C "skip parse certificate request" \
2990 -c "got a certificate request" \
2991 -C "skip write certificate" \
2992 -C "skip write certificate verify" \
2993 -S "skip parse certificate verify"
2994
2995run_test "SNI: DTLS, client auth override: optional -> none" \
2996 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2997 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2998 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2999 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
3000 0 \
3001 -s "skip write certificate request" \
3002 -C "skip parse certificate request" \
3003 -c "got no certificate request" \
3004 -c "skip write certificate" \
3005 -c "skip write certificate verify" \
3006 -s "skip parse certificate verify"
3007
3008run_test "SNI: DTLS, CA no override" \
3009 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3010 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3011 ca_file=data_files/test-ca.crt \
3012 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
3013 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3014 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3015 1 \
3016 -S "skip write certificate request" \
3017 -C "skip parse certificate request" \
3018 -c "got a certificate request" \
3019 -C "skip write certificate" \
3020 -C "skip write certificate verify" \
3021 -S "skip parse certificate verify" \
3022 -s "x509_verify_cert() returned" \
3023 -s "! The certificate is not correctly signed by the trusted CA" \
3024 -S "The certificate has been revoked (is on a CRL)"
3025
Andres Amaya Garcia914eea42018-05-01 20:26:47 +0100[diff] [blame]3026run_test "SNI: DTLS, CA override" \
Andres AGe8b07742016-12-07 10:01:30 +0000[diff] [blame]3027 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3028 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3029 ca_file=data_files/test-ca.crt \
3030 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
3031 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3032 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3033 0 \
3034 -S "skip write certificate request" \
3035 -C "skip parse certificate request" \
3036 -c "got a certificate request" \
3037 -C "skip write certificate" \
3038 -C "skip write certificate verify" \
3039 -S "skip parse certificate verify" \
3040 -S "x509_verify_cert() returned" \
3041 -S "! The certificate is not correctly signed by the trusted CA" \
3042 -S "The certificate has been revoked (is on a CRL)"
3043
Andres Amaya Garcia914eea42018-05-01 20:26:47 +0100[diff] [blame]3044run_test "SNI: DTLS, CA override with CRL" \
Andres AGe8b07742016-12-07 10:01:30 +0000[diff] [blame]3045 "$P_SRV debug_level=3 auth_mode=optional \
3046 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
3047 ca_file=data_files/test-ca.crt \
3048 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
3049 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3050 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3051 1 \
3052 -S "skip write certificate request" \
3053 -C "skip parse certificate request" \
3054 -c "got a certificate request" \
3055 -C "skip write certificate" \
3056 -C "skip write certificate verify" \
3057 -S "skip parse certificate verify" \
3058 -s "x509_verify_cert() returned" \
3059 -S "! The certificate is not correctly signed by the trusted CA" \
3060 -s "The certificate has been revoked (is on a CRL)"
3061
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3062# Tests for non-blocking I/O: exercise a variety of handshake flows
3063
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3064run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3065 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3066 "$P_CLI nbio=2 tickets=0" \
3067 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3068 -S "mbedtls_ssl_handshake returned" \
3069 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3070 -c "Read from server: .* bytes read"
3071
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3072run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3073 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
3074 "$P_CLI nbio=2 tickets=0" \
3075 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3076 -S "mbedtls_ssl_handshake returned" \
3077 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3078 -c "Read from server: .* bytes read"
3079
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3080run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3081 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3082 "$P_CLI nbio=2 tickets=1" \
3083 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3084 -S "mbedtls_ssl_handshake returned" \
3085 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3086 -c "Read from server: .* bytes read"
3087
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3088run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3089 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3090 "$P_CLI nbio=2 tickets=1" \
3091 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3092 -S "mbedtls_ssl_handshake returned" \
3093 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3094 -c "Read from server: .* bytes read"
3095
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3096run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3097 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3098 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3099 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3100 -S "mbedtls_ssl_handshake returned" \
3101 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3102 -c "Read from server: .* bytes read"
3103
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3104run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3105 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3106 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3107 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3108 -S "mbedtls_ssl_handshake returned" \
3109 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3110 -c "Read from server: .* bytes read"
3111
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3112run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3113 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3114 "$P_CLI nbio=2 tickets=0 reconnect=1" \
3115 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3116 -S "mbedtls_ssl_handshake returned" \
3117 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3118 -c "Read from server: .* bytes read"
3119
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3120# Tests for version negotiation
3121
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3122run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3123 "$P_SRV" \
3124 "$P_CLI" \
3125 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3126 -S "mbedtls_ssl_handshake returned" \
3127 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3128 -s "Protocol is TLSv1.2" \
3129 -c "Protocol is TLSv1.2"
3130
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3131run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3132 "$P_SRV" \
3133 "$P_CLI max_version=tls1_1" \
3134 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3135 -S "mbedtls_ssl_handshake returned" \
3136 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3137 -s "Protocol is TLSv1.1" \
3138 -c "Protocol is TLSv1.1"
3139
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3140run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3141 "$P_SRV max_version=tls1_1" \
3142 "$P_CLI" \
3143 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3144 -S "mbedtls_ssl_handshake returned" \
3145 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3146 -s "Protocol is TLSv1.1" \
3147 -c "Protocol is TLSv1.1"
3148
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3149run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3150 "$P_SRV max_version=tls1_1" \
3151 "$P_CLI max_version=tls1_1" \
3152 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3153 -S "mbedtls_ssl_handshake returned" \
3154 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3155 -s "Protocol is TLSv1.1" \
3156 -c "Protocol is TLSv1.1"
3157
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3158run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3159 "$P_SRV min_version=tls1_1" \
3160 "$P_CLI max_version=tls1_1" \
3161 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3162 -S "mbedtls_ssl_handshake returned" \
3163 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3164 -s "Protocol is TLSv1.1" \
3165 -c "Protocol is TLSv1.1"
3166
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3167run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3168 "$P_SRV max_version=tls1_1" \
3169 "$P_CLI min_version=tls1_1" \
3170 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3171 -S "mbedtls_ssl_handshake returned" \
3172 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3173 -s "Protocol is TLSv1.1" \
3174 -c "Protocol is TLSv1.1"
3175
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3176run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3177 "$P_SRV max_version=tls1_1" \
3178 "$P_CLI min_version=tls1_2" \
3179 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3180 -s "mbedtls_ssl_handshake returned" \
3181 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3182 -c "SSL - Handshake protocol not within min/max boundaries"
3183
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3184run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3185 "$P_SRV min_version=tls1_2" \
3186 "$P_CLI max_version=tls1_1" \
3187 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3188 -s "mbedtls_ssl_handshake returned" \
3189 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3190 -s "SSL - Handshake protocol not within min/max boundaries"
3191
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3192# Tests for ALPN extension
3193
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3194run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3195 "$P_SRV debug_level=3" \
3196 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3197 0 \
3198 -C "client hello, adding alpn extension" \
3199 -S "found alpn extension" \
3200 -C "got an alert message, type: \\[2:120]" \
3201 -S "server hello, adding alpn extension" \
3202 -C "found alpn extension " \
3203 -C "Application Layer Protocol is" \
3204 -S "Application Layer Protocol is"
3205
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3206run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3207 "$P_SRV debug_level=3" \
3208 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3209 0 \
3210 -c "client hello, adding alpn extension" \
3211 -s "found alpn extension" \
3212 -C "got an alert message, type: \\[2:120]" \
3213 -S "server hello, adding alpn extension" \
3214 -C "found alpn extension " \
3215 -c "Application Layer Protocol is (none)" \
3216 -S "Application Layer Protocol is"
3217
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3218run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3219 "$P_SRV debug_level=3 alpn=abc,1234" \
3220 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3221 0 \
3222 -C "client hello, adding alpn extension" \
3223 -S "found alpn extension" \
3224 -C "got an alert message, type: \\[2:120]" \
3225 -S "server hello, adding alpn extension" \
3226 -C "found alpn extension " \
3227 -C "Application Layer Protocol is" \
3228 -s "Application Layer Protocol is (none)"
3229
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3230run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3231 "$P_SRV debug_level=3 alpn=abc,1234" \
3232 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3233 0 \
3234 -c "client hello, adding alpn extension" \
3235 -s "found alpn extension" \
3236 -C "got an alert message, type: \\[2:120]" \
3237 -s "server hello, adding alpn extension" \
3238 -c "found alpn extension" \
3239 -c "Application Layer Protocol is abc" \
3240 -s "Application Layer Protocol is abc"
3241
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3242run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3243 "$P_SRV debug_level=3 alpn=abc,1234" \
3244 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3245 0 \
3246 -c "client hello, adding alpn extension" \
3247 -s "found alpn extension" \
3248 -C "got an alert message, type: \\[2:120]" \
3249 -s "server hello, adding alpn extension" \
3250 -c "found alpn extension" \
3251 -c "Application Layer Protocol is abc" \
3252 -s "Application Layer Protocol is abc"
3253
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3254run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3255 "$P_SRV debug_level=3 alpn=abc,1234" \
3256 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3257 0 \
3258 -c "client hello, adding alpn extension" \
3259 -s "found alpn extension" \
3260 -C "got an alert message, type: \\[2:120]" \
3261 -s "server hello, adding alpn extension" \
3262 -c "found alpn extension" \
3263 -c "Application Layer Protocol is 1234" \
3264 -s "Application Layer Protocol is 1234"
3265
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3266run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3267 "$P_SRV debug_level=3 alpn=abc,123" \
3268 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3269 1 \
3270 -c "client hello, adding alpn extension" \
3271 -s "found alpn extension" \
3272 -c "got an alert message, type: \\[2:120]" \
3273 -S "server hello, adding alpn extension" \
3274 -C "found alpn extension" \
3275 -C "Application Layer Protocol is 1234" \
3276 -S "Application Layer Protocol is 1234"
3277
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]3278
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3279# Tests for keyUsage in leaf certificates, part 1:
3280# server-side certificate/suite selection
3281
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3282run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3283 "$P_SRV key_file=data_files/server2.key \
3284 crt_file=data_files/server2.ku-ds.crt" \
3285 "$P_CLI" \
3286 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]3287 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3288
3289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3290run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3291 "$P_SRV key_file=data_files/server2.key \
3292 crt_file=data_files/server2.ku-ke.crt" \
3293 "$P_CLI" \
3294 0 \
3295 -c "Ciphersuite is TLS-RSA-WITH-"
3296
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3297run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3298 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3299 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3300 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3301 1 \
3302 -C "Ciphersuite is "
3303
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3304run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3305 "$P_SRV key_file=data_files/server5.key \
3306 crt_file=data_files/server5.ku-ds.crt" \
3307 "$P_CLI" \
3308 0 \
3309 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
3310
3311
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3312run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3313 "$P_SRV key_file=data_files/server5.key \
3314 crt_file=data_files/server5.ku-ka.crt" \
3315 "$P_CLI" \
3316 0 \
3317 -c "Ciphersuite is TLS-ECDH-"
3318
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3319run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3320 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3321 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3322 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3323 1 \
3324 -C "Ciphersuite is "
3325
3326# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3327# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3328
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3329run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3330 "$O_SRV -key data_files/server2.key \
3331 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3332 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3333 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3334 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3335 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3336 -C "Processing of the Certificate handshake message failed" \
3337 -c "Ciphersuite is TLS-"
3338
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3339run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3340 "$O_SRV -key data_files/server2.key \
3341 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3342 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3343 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3344 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3345 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3346 -C "Processing of the Certificate handshake message failed" \
3347 -c "Ciphersuite is TLS-"
3348
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3349run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3350 "$O_SRV -key data_files/server2.key \
3351 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3352 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3353 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3354 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3355 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3356 -C "Processing of the Certificate handshake message failed" \
3357 -c "Ciphersuite is TLS-"
3358
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3359run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3360 "$O_SRV -key data_files/server2.key \
3361 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3362 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3363 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3364 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3365 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3366 -c "Processing of the Certificate handshake message failed" \
3367 -C "Ciphersuite is TLS-"
3368
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3369run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
3370 "$O_SRV -key data_files/server2.key \
3371 -cert data_files/server2.ku-ke.crt" \
3372 "$P_CLI debug_level=1 auth_mode=optional \
3373 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3374 0 \
3375 -c "bad certificate (usage extensions)" \
3376 -C "Processing of the Certificate handshake message failed" \
3377 -c "Ciphersuite is TLS-" \
3378 -c "! Usage does not match the keyUsage extension"
3379
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3380run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3381 "$O_SRV -key data_files/server2.key \
3382 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3383 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3384 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3385 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3386 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3387 -C "Processing of the Certificate handshake message failed" \
3388 -c "Ciphersuite is TLS-"
3389
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3390run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3391 "$O_SRV -key data_files/server2.key \
3392 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3393 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3394 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3395 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3396 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3397 -c "Processing of the Certificate handshake message failed" \
3398 -C "Ciphersuite is TLS-"
3399
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3400run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
3401 "$O_SRV -key data_files/server2.key \
3402 -cert data_files/server2.ku-ds.crt" \
3403 "$P_CLI debug_level=1 auth_mode=optional \
3404 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3405 0 \
3406 -c "bad certificate (usage extensions)" \
3407 -C "Processing of the Certificate handshake message failed" \
3408 -c "Ciphersuite is TLS-" \
3409 -c "! Usage does not match the keyUsage extension"
3410
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3411# Tests for keyUsage in leaf certificates, part 3:
3412# server-side checking of client cert
3413
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3414run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3415 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3416 "$O_CLI -key data_files/server2.key \
3417 -cert data_files/server2.ku-ds.crt" \
3418 0 \
3419 -S "bad certificate (usage extensions)" \
3420 -S "Processing of the Certificate handshake message failed"
3421
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3422run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3423 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3424 "$O_CLI -key data_files/server2.key \
3425 -cert data_files/server2.ku-ke.crt" \
3426 0 \
3427 -s "bad certificate (usage extensions)" \
3428 -S "Processing of the Certificate handshake message failed"
3429
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3430run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3431 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3432 "$O_CLI -key data_files/server2.key \
3433 -cert data_files/server2.ku-ke.crt" \
3434 1 \
3435 -s "bad certificate (usage extensions)" \
3436 -s "Processing of the Certificate handshake message failed"
3437
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3438run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3439 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3440 "$O_CLI -key data_files/server5.key \
3441 -cert data_files/server5.ku-ds.crt" \
3442 0 \
3443 -S "bad certificate (usage extensions)" \
3444 -S "Processing of the Certificate handshake message failed"
3445
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3446run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3447 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3448 "$O_CLI -key data_files/server5.key \
3449 -cert data_files/server5.ku-ka.crt" \
3450 0 \
3451 -s "bad certificate (usage extensions)" \
3452 -S "Processing of the Certificate handshake message failed"
3453
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3454# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
3455
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3456run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3457 "$P_SRV key_file=data_files/server5.key \
3458 crt_file=data_files/server5.eku-srv.crt" \
3459 "$P_CLI" \
3460 0
3461
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3462run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3463 "$P_SRV key_file=data_files/server5.key \
3464 crt_file=data_files/server5.eku-srv.crt" \
3465 "$P_CLI" \
3466 0
3467
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3468run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3469 "$P_SRV key_file=data_files/server5.key \
3470 crt_file=data_files/server5.eku-cs_any.crt" \
3471 "$P_CLI" \
3472 0
3473
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3474run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3475 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3476 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3477 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3478 1
3479
3480# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3481
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3482run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3483 "$O_SRV -key data_files/server5.key \
3484 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3485 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3486 0 \
3487 -C "bad certificate (usage extensions)" \
3488 -C "Processing of the Certificate handshake message failed" \
3489 -c "Ciphersuite is TLS-"
3490
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3491run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3492 "$O_SRV -key data_files/server5.key \
3493 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3494 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3495 0 \
3496 -C "bad certificate (usage extensions)" \
3497 -C "Processing of the Certificate handshake message failed" \
3498 -c "Ciphersuite is TLS-"
3499
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3500run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3501 "$O_SRV -key data_files/server5.key \
3502 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3503 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3504 0 \
3505 -C "bad certificate (usage extensions)" \
3506 -C "Processing of the Certificate handshake message failed" \
3507 -c "Ciphersuite is TLS-"
3508
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3509run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3510 "$O_SRV -key data_files/server5.key \
3511 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3512 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3513 1 \
3514 -c "bad certificate (usage extensions)" \
3515 -c "Processing of the Certificate handshake message failed" \
3516 -C "Ciphersuite is TLS-"
3517
3518# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3519
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3520run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3521 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3522 "$O_CLI -key data_files/server5.key \
3523 -cert data_files/server5.eku-cli.crt" \
3524 0 \
3525 -S "bad certificate (usage extensions)" \
3526 -S "Processing of the Certificate handshake message failed"
3527
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3528run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3529 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3530 "$O_CLI -key data_files/server5.key \
3531 -cert data_files/server5.eku-srv_cli.crt" \
3532 0 \
3533 -S "bad certificate (usage extensions)" \
3534 -S "Processing of the Certificate handshake message failed"
3535
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3536run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3537 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3538 "$O_CLI -key data_files/server5.key \
3539 -cert data_files/server5.eku-cs_any.crt" \
3540 0 \
3541 -S "bad certificate (usage extensions)" \
3542 -S "Processing of the Certificate handshake message failed"
3543
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3544run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3545 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3546 "$O_CLI -key data_files/server5.key \
3547 -cert data_files/server5.eku-cs.crt" \
3548 0 \
3549 -s "bad certificate (usage extensions)" \
3550 -S "Processing of the Certificate handshake message failed"
3551
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3552run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3553 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3554 "$O_CLI -key data_files/server5.key \
3555 -cert data_files/server5.eku-cs.crt" \
3556 1 \
3557 -s "bad certificate (usage extensions)" \
3558 -s "Processing of the Certificate handshake message failed"
3559
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3560# Tests for DHM parameters loading
3561
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3562run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3563 "$P_SRV" \
3564 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3565 debug_level=3" \
3566 0 \
3567 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]3568 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3569
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3570run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3571 "$P_SRV dhm_file=data_files/dhparams.pem" \
3572 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3573 debug_level=3" \
3574 0 \
3575 -c "value of 'DHM: P ' (1024 bits)" \
3576 -c "value of 'DHM: G ' (2 bits)"
3577
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]3578# Tests for DHM client-side size checking
3579
3580run_test "DHM size: server default, client default, OK" \
3581 "$P_SRV" \
3582 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3583 debug_level=1" \
3584 0 \
3585 -C "DHM prime too short:"
3586
3587run_test "DHM size: server default, client 2048, OK" \
3588 "$P_SRV" \
3589 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3590 debug_level=1 dhmlen=2048" \
3591 0 \
3592 -C "DHM prime too short:"
3593
3594run_test "DHM size: server 1024, client default, OK" \
3595 "$P_SRV dhm_file=data_files/dhparams.pem" \
3596 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3597 debug_level=1" \
3598 0 \
3599 -C "DHM prime too short:"
3600
3601run_test "DHM size: server 1000, client default, rejected" \
3602 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3603 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3604 debug_level=1" \
3605 1 \
3606 -c "DHM prime too short:"
3607
3608run_test "DHM size: server default, client 2049, rejected" \
3609 "$P_SRV" \
3610 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3611 debug_level=1 dhmlen=2049" \
3612 1 \
3613 -c "DHM prime too short:"
3614
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3615# Tests for PSK callback
3616
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3617run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3618 "$P_SRV psk=abc123 psk_identity=foo" \
3619 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3620 psk_identity=foo psk=abc123" \
3621 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3622 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3623 -S "SSL - Unknown identity received" \
3624 -S "SSL - Verification of the message MAC failed"
3625
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3626run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3627 "$P_SRV" \
3628 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3629 psk_identity=foo psk=abc123" \
3630 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3631 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3632 -S "SSL - Unknown identity received" \
3633 -S "SSL - Verification of the message MAC failed"
3634
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3635run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3636 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3637 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3638 psk_identity=foo psk=abc123" \
3639 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3640 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3641 -s "SSL - Unknown identity received" \
3642 -S "SSL - Verification of the message MAC failed"
3643
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3644run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3645 "$P_SRV psk_list=abc,dead,def,beef" \
3646 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3647 psk_identity=abc psk=dead" \
3648 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3649 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3650 -S "SSL - Unknown identity received" \
3651 -S "SSL - Verification of the message MAC failed"
3652
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3653run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3654 "$P_SRV psk_list=abc,dead,def,beef" \
3655 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3656 psk_identity=def psk=beef" \
3657 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3658 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3659 -S "SSL - Unknown identity received" \
3660 -S "SSL - Verification of the message MAC failed"
3661
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3662run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3663 "$P_SRV psk_list=abc,dead,def,beef" \
3664 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3665 psk_identity=ghi psk=beef" \
3666 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3667 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3668 -s "SSL - Unknown identity received" \
3669 -S "SSL - Verification of the message MAC failed"
3670
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3671run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3672 "$P_SRV psk_list=abc,dead,def,beef" \
3673 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3674 psk_identity=abc psk=beef" \
3675 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3676 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3677 -S "SSL - Unknown identity received" \
3678 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3679
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3680# Tests for EC J-PAKE
3681
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3682requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3683run_test "ECJPAKE: client not configured" \
3684 "$P_SRV debug_level=3" \
3685 "$P_CLI debug_level=3" \
3686 0 \
3687 -C "add ciphersuite: c0ff" \
3688 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3689 -S "found ecjpake kkpp extension" \
3690 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3691 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3692 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3693 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3694 -S "None of the common ciphersuites is usable"
3695
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3696requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3697run_test "ECJPAKE: server not configured" \
3698 "$P_SRV debug_level=3" \
3699 "$P_CLI debug_level=3 ecjpake_pw=bla \
3700 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3701 1 \
3702 -c "add ciphersuite: c0ff" \
3703 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3704 -s "found ecjpake kkpp extension" \
3705 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3706 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3707 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3708 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3709 -s "None of the common ciphersuites is usable"
3710
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3711requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3712run_test "ECJPAKE: working, TLS" \
3713 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3714 "$P_CLI debug_level=3 ecjpake_pw=bla \
3715 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3716 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3717 -c "add ciphersuite: c0ff" \
3718 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3719 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3720 -s "found ecjpake kkpp extension" \
3721 -S "skip ecjpake kkpp extension" \
3722 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3723 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3724 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3725 -S "None of the common ciphersuites is usable" \
3726 -S "SSL - Verification of the message MAC failed"
3727
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3728server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3729requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3730run_test "ECJPAKE: password mismatch, TLS" \
3731 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3732 "$P_CLI debug_level=3 ecjpake_pw=bad \
3733 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3734 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3735 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3736 -s "SSL - Verification of the message MAC failed"
3737
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3738requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3739run_test "ECJPAKE: working, DTLS" \
3740 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3741 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3742 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3743 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3744 -c "re-using cached ecjpake parameters" \
3745 -S "SSL - Verification of the message MAC failed"
3746
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3747requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3748run_test "ECJPAKE: working, DTLS, no cookie" \
3749 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3750 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3751 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3752 0 \
3753 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3754 -S "SSL - Verification of the message MAC failed"
3755
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3756server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3757requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3758run_test "ECJPAKE: password mismatch, DTLS" \
3759 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3760 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3761 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3762 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3763 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3764 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3765
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3766# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3767requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3768run_test "ECJPAKE: working, DTLS, nolog" \
3769 "$P_SRV dtls=1 ecjpake_pw=bla" \
3770 "$P_CLI dtls=1 ecjpake_pw=bla \
3771 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3772 0
3773
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3774# Tests for ciphersuites per version
3775
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3776requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3777requires_config_enabled MBEDTLS_CAMELLIA_C
3778requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3779run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3780 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3781 "$P_CLI force_version=ssl3" \
3782 0 \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3783 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3784
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3785requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
3786requires_config_enabled MBEDTLS_CAMELLIA_C
3787requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3788run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3789 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3790 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3791 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3792 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3793
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3794requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
3795requires_config_enabled MBEDTLS_CAMELLIA_C
3796requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3797run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3798 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3799 "$P_CLI force_version=tls1_1" \
3800 0 \
3801 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3802
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3803requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
3804requires_config_enabled MBEDTLS_CAMELLIA_C
3805requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3806run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnarda82d38d2019-03-01 10:14:58 +0100[diff] [blame]3807 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3808 "$P_CLI force_version=tls1_2" \
3809 0 \
3810 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3811
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3812# Test for ClientHello without extensions
3813
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3814requires_gnutls
Manuel Pégourié-Gonnard37abf122020-01-30 12:45:14 +0100[diff] [blame]3815run_test "ClientHello without extensions" \
Manuel Pégourié-Gonnarda92990a2020-01-30 11:19:45 +0100[diff] [blame]3816 "$P_SRV debug_level=3" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3817 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3818 0 \
3819 -s "dumping 'client hello extensions' (0 bytes)"
3820
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3821# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3822
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3823run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3824 "$P_SRV" \
3825 "$P_CLI request_size=100" \
3826 0 \
3827 -s "Read from client: 100 bytes read$"
3828
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3829run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3830 "$P_SRV" \
3831 "$P_CLI request_size=500" \
3832 0 \
3833 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3834
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3835# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3836
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3837requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3838run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3839 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3840 "$P_CLI request_size=1 force_version=ssl3 \
3841 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3842 0 \
3843 -s "Read from client: 1 bytes read"
3844
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3845requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3846run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3847 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3848 "$P_CLI request_size=1 force_version=ssl3 \
3849 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3850 0 \
3851 -s "Read from client: 1 bytes read"
3852
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3853run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3854 "$P_SRV" \
3855 "$P_CLI request_size=1 force_version=tls1 \
3856 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3857 0 \
3858 -s "Read from client: 1 bytes read"
3859
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3860run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3861 "$P_SRV" \
3862 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3863 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3864 0 \
3865 -s "Read from client: 1 bytes read"
3866
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3867requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3868run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3869 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3870 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3871 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3872 0 \
3873 -s "Read from client: 1 bytes read"
3874
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3875requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3876run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3877 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3878 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3879 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3880 0 \
3881 -s "Read from client: 1 bytes read"
3882
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3883run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3884 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3885 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3886 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3887 0 \
3888 -s "Read from client: 1 bytes read"
3889
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3890run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3891 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3892 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3893 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3894 0 \
3895 -s "Read from client: 1 bytes read"
3896
3897requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3898run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3899 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3900 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3901 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3902 0 \
3903 -s "Read from client: 1 bytes read"
3904
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3905requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3906run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3907 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
3908 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3909 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3910 0 \
3911 -s "Read from client: 1 bytes read"
3912
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3913run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3914 "$P_SRV" \
3915 "$P_CLI request_size=1 force_version=tls1_1 \
3916 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3917 0 \
3918 -s "Read from client: 1 bytes read"
3919
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3920run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3921 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3922 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3923 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3924 0 \
3925 -s "Read from client: 1 bytes read"
3926
3927requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3928run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3929 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3930 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3931 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3932 0 \
3933 -s "Read from client: 1 bytes read"
3934
3935requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3936run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3937 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3938 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3939 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3940 0 \
3941 -s "Read from client: 1 bytes read"
3942
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3943run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3944 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3945 "$P_CLI request_size=1 force_version=tls1_1 \
3946 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3947 0 \
3948 -s "Read from client: 1 bytes read"
3949
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3950run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3951 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3952 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3953 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3954 0 \
3955 -s "Read from client: 1 bytes read"
3956
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3957requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3958run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3959 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3960 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3961 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3962 0 \
3963 -s "Read from client: 1 bytes read"
3964
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3965requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3966run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3967 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3968 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3969 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3970 0 \
3971 -s "Read from client: 1 bytes read"
3972
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3973run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3974 "$P_SRV" \
3975 "$P_CLI request_size=1 force_version=tls1_2 \
3976 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3977 0 \
3978 -s "Read from client: 1 bytes read"
3979
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3980run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3981 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3982 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3983 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3984 0 \
3985 -s "Read from client: 1 bytes read"
3986
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3987run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3988 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3989 "$P_CLI request_size=1 force_version=tls1_2 \
3990 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3991 0 \
3992 -s "Read from client: 1 bytes read"
3993
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3994requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]3995run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3996 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3997 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3998 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3999 0 \
4000 -s "Read from client: 1 bytes read"
4001
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4002requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4003run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4004 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4005 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4006 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4007 0 \
4008 -s "Read from client: 1 bytes read"
4009
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4010run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4011 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4012 "$P_CLI request_size=1 force_version=tls1_2 \
4013 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4014 0 \
4015 -s "Read from client: 1 bytes read"
4016
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4017run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4018 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4019 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4020 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4021 0 \
4022 -s "Read from client: 1 bytes read"
4023
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4024requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4025run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4026 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4027 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4028 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4029 0 \
4030 -s "Read from client: 1 bytes read"
4031
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4032requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4033run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4034 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]4035 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4036 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4037 0 \
4038 -s "Read from client: 1 bytes read"
4039
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4040run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4041 "$P_SRV" \
4042 "$P_CLI request_size=1 force_version=tls1_2 \
4043 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4044 0 \
4045 -s "Read from client: 1 bytes read"
4046
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4047run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]4048 "$P_SRV" \
4049 "$P_CLI request_size=1 force_version=tls1_2 \
4050 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4051 0 \
4052 -s "Read from client: 1 bytes read"
4053
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4054# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4055
4056requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4057run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4058 "$P_SRV dtls=1 force_version=dtls1" \
4059 "$P_CLI dtls=1 request_size=1 \
4060 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4061 0 \
4062 -s "Read from client: 1 bytes read"
4063
4064requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4065run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4066 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
4067 "$P_CLI dtls=1 request_size=1 \
4068 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4069 0 \
4070 -s "Read from client: 1 bytes read"
4071
4072requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4073requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4074run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4075 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
4076 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4077 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4078 0 \
4079 -s "Read from client: 1 bytes read"
4080
4081requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4082requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4083run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4084 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4085 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4086 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4087 0 \
4088 -s "Read from client: 1 bytes read"
4089
4090requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4091run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4092 "$P_SRV dtls=1 force_version=dtls1_2" \
4093 "$P_CLI dtls=1 request_size=1 \
4094 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4095 0 \
4096 -s "Read from client: 1 bytes read"
4097
4098requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4099run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4100 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4101 "$P_CLI dtls=1 request_size=1 \
4102 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4103 0 \
4104 -s "Read from client: 1 bytes read"
4105
4106requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4107requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4108run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4109 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4110 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4111 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4112 0 \
4113 -s "Read from client: 1 bytes read"
4114
4115requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4116requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4117run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4118 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4119 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4120 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4121 0 \
4122 -s "Read from client: 1 bytes read"
4123
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4124# Tests for small server packets
4125
4126requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4127run_test "Small server packet SSLv3 BlockCipher" \
4128 "$P_SRV response_size=1 min_version=ssl3" \
4129 "$P_CLI force_version=ssl3 \
4130 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4131 0 \
4132 -c "Read from server: 1 bytes read"
4133
4134requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4135run_test "Small server packet SSLv3 StreamCipher" \
4136 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4137 "$P_CLI force_version=ssl3 \
4138 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4139 0 \
4140 -c "Read from server: 1 bytes read"
4141
4142run_test "Small server packet TLS 1.0 BlockCipher" \
4143 "$P_SRV response_size=1" \
4144 "$P_CLI force_version=tls1 \
4145 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4146 0 \
4147 -c "Read from server: 1 bytes read"
4148
4149run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
4150 "$P_SRV response_size=1" \
4151 "$P_CLI force_version=tls1 etm=0 \
4152 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4153 0 \
4154 -c "Read from server: 1 bytes read"
4155
4156requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4157run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
4158 "$P_SRV response_size=1 trunc_hmac=1" \
4159 "$P_CLI force_version=tls1 \
4160 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4161 0 \
4162 -c "Read from server: 1 bytes read"
4163
4164requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4165run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
4166 "$P_SRV response_size=1 trunc_hmac=1" \
4167 "$P_CLI force_version=tls1 \
4168 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4169 0 \
4170 -c "Read from server: 1 bytes read"
4171
4172run_test "Small server packet TLS 1.0 StreamCipher" \
4173 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4174 "$P_CLI force_version=tls1 \
4175 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4176 0 \
4177 -c "Read from server: 1 bytes read"
4178
4179run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
4180 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4181 "$P_CLI force_version=tls1 \
4182 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4183 0 \
4184 -c "Read from server: 1 bytes read"
4185
4186requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4187run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
4188 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4189 "$P_CLI force_version=tls1 \
4190 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4191 0 \
4192 -c "Read from server: 1 bytes read"
4193
4194requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4195run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4196 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4197 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4198 trunc_hmac=1 etm=0" \
4199 0 \
4200 -c "Read from server: 1 bytes read"
4201
4202run_test "Small server packet TLS 1.1 BlockCipher" \
4203 "$P_SRV response_size=1" \
4204 "$P_CLI force_version=tls1_1 \
4205 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4206 0 \
4207 -c "Read from server: 1 bytes read"
4208
4209run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
4210 "$P_SRV response_size=1" \
4211 "$P_CLI force_version=tls1_1 \
4212 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
4213 0 \
4214 -c "Read from server: 1 bytes read"
4215
4216requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4217run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
4218 "$P_SRV response_size=1 trunc_hmac=1" \
4219 "$P_CLI force_version=tls1_1 \
4220 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4221 0 \
4222 -c "Read from server: 1 bytes read"
4223
4224requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4225run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4226 "$P_SRV response_size=1 trunc_hmac=1" \
4227 "$P_CLI force_version=tls1_1 \
4228 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4229 0 \
4230 -c "Read from server: 1 bytes read"
4231
4232run_test "Small server packet TLS 1.1 StreamCipher" \
4233 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4234 "$P_CLI force_version=tls1_1 \
4235 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4236 0 \
4237 -c "Read from server: 1 bytes read"
4238
4239run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
4240 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4241 "$P_CLI force_version=tls1_1 \
4242 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4243 0 \
4244 -c "Read from server: 1 bytes read"
4245
4246requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4247run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
4248 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4249 "$P_CLI force_version=tls1_1 \
4250 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4251 0 \
4252 -c "Read from server: 1 bytes read"
4253
4254requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4255run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
4256 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4257 "$P_CLI force_version=tls1_1 \
4258 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4259 0 \
4260 -c "Read from server: 1 bytes read"
4261
4262run_test "Small server packet TLS 1.2 BlockCipher" \
4263 "$P_SRV response_size=1" \
4264 "$P_CLI force_version=tls1_2 \
4265 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4266 0 \
4267 -c "Read from server: 1 bytes read"
4268
4269run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
4270 "$P_SRV response_size=1" \
4271 "$P_CLI force_version=tls1_2 \
4272 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
4273 0 \
4274 -c "Read from server: 1 bytes read"
4275
4276run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
4277 "$P_SRV response_size=1" \
4278 "$P_CLI force_version=tls1_2 \
4279 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4280 0 \
4281 -c "Read from server: 1 bytes read"
4282
4283requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4284run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
4285 "$P_SRV response_size=1 trunc_hmac=1" \
4286 "$P_CLI force_version=tls1_2 \
4287 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4288 0 \
4289 -c "Read from server: 1 bytes read"
4290
4291requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4292run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
4293 "$P_SRV response_size=1 trunc_hmac=1" \
4294 "$P_CLI force_version=tls1_2 \
4295 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4296 0 \
4297 -c "Read from server: 1 bytes read"
4298
4299run_test "Small server packet TLS 1.2 StreamCipher" \
4300 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4301 "$P_CLI force_version=tls1_2 \
4302 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4303 0 \
4304 -c "Read from server: 1 bytes read"
4305
4306run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
4307 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4308 "$P_CLI force_version=tls1_2 \
4309 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4310 0 \
4311 -c "Read from server: 1 bytes read"
4312
4313requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4314run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
4315 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4316 "$P_CLI force_version=tls1_2 \
4317 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4318 0 \
4319 -c "Read from server: 1 bytes read"
4320
4321requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4322run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4323 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4324 "$P_CLI force_version=tls1_2 \
4325 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4326 0 \
4327 -c "Read from server: 1 bytes read"
4328
4329run_test "Small server packet TLS 1.2 AEAD" \
4330 "$P_SRV response_size=1" \
4331 "$P_CLI force_version=tls1_2 \
4332 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4333 0 \
4334 -c "Read from server: 1 bytes read"
4335
4336run_test "Small server packet TLS 1.2 AEAD shorter tag" \
4337 "$P_SRV response_size=1" \
4338 "$P_CLI force_version=tls1_2 \
4339 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4340 0 \
4341 -c "Read from server: 1 bytes read"
4342
4343# Tests for small server packets in DTLS
4344
4345requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4346run_test "Small server packet DTLS 1.0" \
4347 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
4348 "$P_CLI dtls=1 \
4349 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4350 0 \
4351 -c "Read from server: 1 bytes read"
4352
4353requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4354run_test "Small server packet DTLS 1.0, without EtM" \
4355 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
4356 "$P_CLI dtls=1 \
4357 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4358 0 \
4359 -c "Read from server: 1 bytes read"
4360
4361requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4362requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4363run_test "Small server packet DTLS 1.0, truncated hmac" \
4364 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
4365 "$P_CLI dtls=1 trunc_hmac=1 \
4366 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4367 0 \
4368 -c "Read from server: 1 bytes read"
4369
4370requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4371requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4372run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
4373 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
4374 "$P_CLI dtls=1 \
4375 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
4376 0 \
4377 -c "Read from server: 1 bytes read"
4378
4379requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4380run_test "Small server packet DTLS 1.2" \
4381 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
4382 "$P_CLI dtls=1 \
4383 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4384 0 \
4385 -c "Read from server: 1 bytes read"
4386
4387requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4388run_test "Small server packet DTLS 1.2, without EtM" \
4389 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
4390 "$P_CLI dtls=1 \
4391 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4392 0 \
4393 -c "Read from server: 1 bytes read"
4394
4395requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4396requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4397run_test "Small server packet DTLS 1.2, truncated hmac" \
4398 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
4399 "$P_CLI dtls=1 \
4400 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4401 0 \
4402 -c "Read from server: 1 bytes read"
4403
4404requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4405requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4406run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
4407 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
4408 "$P_CLI dtls=1 \
4409 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
4410 0 \
4411 -c "Read from server: 1 bytes read"
4412
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]4413# A test for extensions in SSLv3
4414
4415requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4416run_test "SSLv3 with extensions, server side" \
4417 "$P_SRV min_version=ssl3 debug_level=3" \
4418 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
4419 0 \
4420 -S "dumping 'client hello extensions'" \
4421 -S "server hello, total extension length:"
4422
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4423# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4424
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4425requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4426run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]4427 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4428 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4429 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4430 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4431 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4432 -s "Read from client: 16384 bytes read"
4433
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4434requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4435run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4436 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4437 "$P_CLI request_size=16384 force_version=ssl3 \
4438 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4439 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4440 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4441 -s "Read from client: 16384 bytes read"
4442
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4443run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4444 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4445 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4446 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4447 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4448 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4449 -s "Read from client: 16384 bytes read"
4450
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4451run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4452 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4453 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
4454 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4455 0 \
4456 -s "Read from client: 16384 bytes read"
4457
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4458requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4459run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4460 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4461 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4462 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4463 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4464 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4465 -s "Read from client: 16384 bytes read"
4466
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4467requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4468run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4469 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4470 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4471 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4472 0 \
4473 -s "Read from client: 16384 bytes read"
4474
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4475run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4476 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4477 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4478 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4479 0 \
4480 -s "Read from client: 16384 bytes read"
4481
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4482run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4483 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4484 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4485 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4486 0 \
4487 -s "Read from client: 16384 bytes read"
4488
4489requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4490run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4491 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4492 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4493 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4494 0 \
4495 -s "Read from client: 16384 bytes read"
4496
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4497requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4498run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4499 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4500 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4501 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4502 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4503 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4504 -s "Read from client: 16384 bytes read"
4505
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4506run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4507 "$P_SRV" \
4508 "$P_CLI request_size=16384 force_version=tls1_1 \
4509 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4510 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4511 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4512 -s "Read from client: 16384 bytes read"
4513
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4514run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4515 "$P_SRV" \
4516 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
4517 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4518 0 \
4519 -s "Read from client: 16384 bytes read"
4520
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4521requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4522run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4523 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4524 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4525 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4526 0 \
4527 -s "Read from client: 16384 bytes read"
4528
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4529requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4530run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4531 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4532 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4533 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4534 0 \
4535 -s "Read from client: 16384 bytes read"
4536
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4537run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4538 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4539 "$P_CLI request_size=16384 force_version=tls1_1 \
4540 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4541 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4542 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4543 -s "Read from client: 16384 bytes read"
4544
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4545run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4546 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4547 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4548 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4549 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4550 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4551 -s "Read from client: 16384 bytes read"
4552
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4553requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4554run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4555 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4556 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4557 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4558 0 \
4559 -s "Read from client: 16384 bytes read"
4560
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4561requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4562run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4563 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4564 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4565 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4566 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4567 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4568 -s "Read from client: 16384 bytes read"
4569
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4570run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4571 "$P_SRV" \
4572 "$P_CLI request_size=16384 force_version=tls1_2 \
4573 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4574 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4575 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4576 -s "Read from client: 16384 bytes read"
4577
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4578run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4579 "$P_SRV" \
4580 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
4581 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4582 0 \
4583 -s "Read from client: 16384 bytes read"
4584
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4585run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4586 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4587 "$P_CLI request_size=16384 force_version=tls1_2 \
4588 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4589 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4590 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4591 -s "Read from client: 16384 bytes read"
4592
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4593requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4594run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4595 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4596 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4597 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4598 0 \
4599 -s "Read from client: 16384 bytes read"
4600
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4601requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4602run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4603 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4604 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4605 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4606 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4607 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4608 -s "Read from client: 16384 bytes read"
4609
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4610run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4611 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4612 "$P_CLI request_size=16384 force_version=tls1_2 \
4613 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4614 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4615 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4616 -s "Read from client: 16384 bytes read"
4617
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4618run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4619 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4620 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4621 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4622 0 \
4623 -s "Read from client: 16384 bytes read"
4624
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4625requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4626run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4627 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4628 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4629 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4630 0 \
4631 -s "Read from client: 16384 bytes read"
4632
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4633requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4634run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4635 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4636 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4637 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4638 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4639 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4640 -s "Read from client: 16384 bytes read"
4641
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4642run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4643 "$P_SRV" \
4644 "$P_CLI request_size=16384 force_version=tls1_2 \
4645 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4646 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4647 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4648 -s "Read from client: 16384 bytes read"
4649
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4650run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4651 "$P_SRV" \
4652 "$P_CLI request_size=16384 force_version=tls1_2 \
4653 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4654 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4655 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4656 -s "Read from client: 16384 bytes read"
4657
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4658# Tests for ECC extensions (rfc 4492)
4659
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4660requires_config_enabled MBEDTLS_AES_C
4661requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4662requires_config_enabled MBEDTLS_SHA256_C
4663requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4664run_test "Force a non ECC ciphersuite in the client side" \
4665 "$P_SRV debug_level=3" \
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4666 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4667 0 \
4668 -C "client hello, adding supported_elliptic_curves extension" \
4669 -C "client hello, adding supported_point_formats extension" \
4670 -S "found supported elliptic curves extension" \
4671 -S "found supported point formats extension"
4672
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4673requires_config_enabled MBEDTLS_AES_C
4674requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4675requires_config_enabled MBEDTLS_SHA256_C
4676requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4677run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4678 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4679 "$P_CLI debug_level=3" \
4680 0 \
4681 -C "found supported_point_formats extension" \
4682 -S "server hello, supported_point_formats extension"
4683
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4684requires_config_enabled MBEDTLS_AES_C
4685requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4686requires_config_enabled MBEDTLS_SHA256_C
4687requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4688run_test "Force an ECC ciphersuite in the client side" \
4689 "$P_SRV debug_level=3" \
4690 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
4691 0 \
4692 -c "client hello, adding supported_elliptic_curves extension" \
4693 -c "client hello, adding supported_point_formats extension" \
4694 -s "found supported elliptic curves extension" \
4695 -s "found supported point formats extension"
4696
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4697requires_config_enabled MBEDTLS_AES_C
4698requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4699requires_config_enabled MBEDTLS_SHA256_C
4700requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4701run_test "Force an ECC ciphersuite in the server side" \
4702 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
4703 "$P_CLI debug_level=3" \
4704 0 \
4705 -c "found supported_point_formats extension" \
4706 -s "server hello, supported_point_formats extension"
4707
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4708# Test for large server packets
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4709requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4710run_test "Large server packet SSLv3 StreamCipher" \
4711 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4712 "$P_CLI force_version=ssl3 \
4713 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4714 0 \
4715 -c "Read from server: 16384 bytes read"
4716
Andrzej Kurekc8958212018-08-27 08:00:13 -0400[diff] [blame]4717# Checking next 4 tests logs for 1n-1 split against BEAST too
4718requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4719run_test "Large server packet SSLv3 BlockCipher" \
4720 "$P_SRV response_size=16384 min_version=ssl3" \
4721 "$P_CLI force_version=ssl3 recsplit=0 \
4722 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4723 0 \
4724 -c "Read from server: 1 bytes read"\
4725 -c "16383 bytes read"\
4726 -C "Read from server: 16384 bytes read"
4727
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4728run_test "Large server packet TLS 1.0 BlockCipher" \
4729 "$P_SRV response_size=16384" \
4730 "$P_CLI force_version=tls1 recsplit=0 \
4731 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4732 0 \
4733 -c "Read from server: 1 bytes read"\
4734 -c "16383 bytes read"\
4735 -C "Read from server: 16384 bytes read"
4736
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4737run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
4738 "$P_SRV response_size=16384" \
4739 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
4740 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4741 0 \
4742 -c "Read from server: 1 bytes read"\
4743 -c "16383 bytes read"\
4744 -C "Read from server: 16384 bytes read"
4745
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4746requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4747run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
4748 "$P_SRV response_size=16384" \
4749 "$P_CLI force_version=tls1 recsplit=0 \
4750 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4751 trunc_hmac=1" \
4752 0 \
4753 -c "Read from server: 1 bytes read"\
4754 -c "16383 bytes read"\
4755 -C "Read from server: 16384 bytes read"
4756
4757requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4758run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
4759 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4760 "$P_CLI force_version=tls1 \
4761 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4762 trunc_hmac=1" \
4763 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4764 -s "16384 bytes written in 1 fragments" \
4765 -c "Read from server: 16384 bytes read"
4766
4767run_test "Large server packet TLS 1.0 StreamCipher" \
4768 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4769 "$P_CLI force_version=tls1 \
4770 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4771 0 \
4772 -s "16384 bytes written in 1 fragments" \
4773 -c "Read from server: 16384 bytes read"
4774
4775run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
4776 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4777 "$P_CLI force_version=tls1 \
4778 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4779 0 \
4780 -s "16384 bytes written in 1 fragments" \
4781 -c "Read from server: 16384 bytes read"
4782
4783requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4784run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
4785 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4786 "$P_CLI force_version=tls1 \
4787 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4788 0 \
4789 -s "16384 bytes written in 1 fragments" \
4790 -c "Read from server: 16384 bytes read"
4791
4792requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4793run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4794 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4795 "$P_CLI force_version=tls1 \
4796 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4797 0 \
4798 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4799 -c "Read from server: 16384 bytes read"
4800
4801run_test "Large server packet TLS 1.1 BlockCipher" \
4802 "$P_SRV response_size=16384" \
4803 "$P_CLI force_version=tls1_1 \
4804 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4805 0 \
4806 -c "Read from server: 16384 bytes read"
4807
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4808run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
4809 "$P_SRV response_size=16384" \
4810 "$P_CLI force_version=tls1_1 etm=0 \
4811 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4812 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4813 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4814 -c "Read from server: 16384 bytes read"
4815
4816requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4817run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
4818 "$P_SRV response_size=16384" \
4819 "$P_CLI force_version=tls1_1 \
4820 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4821 trunc_hmac=1" \
4822 0 \
4823 -c "Read from server: 16384 bytes read"
4824
4825requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4826run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4827 "$P_SRV response_size=16384 trunc_hmac=1" \
4828 "$P_CLI force_version=tls1_1 \
4829 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4830 0 \
4831 -s "16384 bytes written in 1 fragments" \
4832 -c "Read from server: 16384 bytes read"
4833
4834run_test "Large server packet TLS 1.1 StreamCipher" \
4835 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4836 "$P_CLI force_version=tls1_1 \
4837 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4838 0 \
4839 -c "Read from server: 16384 bytes read"
4840
4841run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
4842 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4843 "$P_CLI force_version=tls1_1 \
4844 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4845 0 \
4846 -s "16384 bytes written in 1 fragments" \
4847 -c "Read from server: 16384 bytes read"
4848
4849requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4850run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
4851 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4852 "$P_CLI force_version=tls1_1 \
4853 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4854 trunc_hmac=1" \
4855 0 \
4856 -c "Read from server: 16384 bytes read"
4857
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4858run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
4859 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4860 "$P_CLI force_version=tls1_1 \
4861 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4862 0 \
4863 -s "16384 bytes written in 1 fragments" \
4864 -c "Read from server: 16384 bytes read"
4865
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4866run_test "Large server packet TLS 1.2 BlockCipher" \
4867 "$P_SRV response_size=16384" \
4868 "$P_CLI force_version=tls1_2 \
4869 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4870 0 \
4871 -c "Read from server: 16384 bytes read"
4872
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4873run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
4874 "$P_SRV response_size=16384" \
4875 "$P_CLI force_version=tls1_2 etm=0 \
4876 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4877 0 \
4878 -s "16384 bytes written in 1 fragments" \
4879 -c "Read from server: 16384 bytes read"
4880
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4881run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
4882 "$P_SRV response_size=16384" \
4883 "$P_CLI force_version=tls1_2 \
4884 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4885 0 \
4886 -c "Read from server: 16384 bytes read"
4887
4888requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4889run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
4890 "$P_SRV response_size=16384" \
4891 "$P_CLI force_version=tls1_2 \
4892 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4893 trunc_hmac=1" \
4894 0 \
4895 -c "Read from server: 16384 bytes read"
4896
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4897run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
4898 "$P_SRV response_size=16384 trunc_hmac=1" \
4899 "$P_CLI force_version=tls1_2 \
4900 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4901 0 \
4902 -s "16384 bytes written in 1 fragments" \
4903 -c "Read from server: 16384 bytes read"
4904
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4905run_test "Large server packet TLS 1.2 StreamCipher" \
4906 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4907 "$P_CLI force_version=tls1_2 \
4908 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4909 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4910 -s "16384 bytes written in 1 fragments" \
4911 -c "Read from server: 16384 bytes read"
4912
4913run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
4914 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4915 "$P_CLI force_version=tls1_2 \
4916 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4917 0 \
4918 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4919 -c "Read from server: 16384 bytes read"
4920
4921requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4922run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
4923 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4924 "$P_CLI force_version=tls1_2 \
4925 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4926 trunc_hmac=1" \
4927 0 \
4928 -c "Read from server: 16384 bytes read"
4929
Andrzej Kurekd731a632018-06-19 09:37:30 -0400[diff] [blame]4930requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4931run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4932 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4933 "$P_CLI force_version=tls1_2 \
4934 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4935 0 \
4936 -s "16384 bytes written in 1 fragments" \
4937 -c "Read from server: 16384 bytes read"
4938
Andrzej Kurek557335e2018-06-28 04:03:10 -0400[diff] [blame]4939run_test "Large server packet TLS 1.2 AEAD" \
4940 "$P_SRV response_size=16384" \
4941 "$P_CLI force_version=tls1_2 \
4942 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4943 0 \
4944 -c "Read from server: 16384 bytes read"
4945
4946run_test "Large server packet TLS 1.2 AEAD shorter tag" \
4947 "$P_SRV response_size=16384" \
4948 "$P_CLI force_version=tls1_2 \
4949 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4950 0 \
4951 -c "Read from server: 16384 bytes read"
4952
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4953# Tests for DTLS HelloVerifyRequest
4954
4955run_test "DTLS cookie: enabled" \
4956 "$P_SRV dtls=1 debug_level=2" \
4957 "$P_CLI dtls=1 debug_level=2" \
4958 0 \
4959 -s "cookie verification failed" \
4960 -s "cookie verification passed" \
4961 -S "cookie verification skipped" \
4962 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4963 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4964 -S "SSL - The requested feature is not available"
4965
4966run_test "DTLS cookie: disabled" \
4967 "$P_SRV dtls=1 debug_level=2 cookies=0" \
4968 "$P_CLI dtls=1 debug_level=2" \
4969 0 \
4970 -S "cookie verification failed" \
4971 -S "cookie verification passed" \
4972 -s "cookie verification skipped" \
4973 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4974 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4975 -S "SSL - The requested feature is not available"
4976
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4977run_test "DTLS cookie: default (failing)" \
4978 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4979 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4980 1 \
4981 -s "cookie verification failed" \
4982 -S "cookie verification passed" \
4983 -S "cookie verification skipped" \
4984 -C "received hello verify request" \
4985 -S "hello verification requested" \
4986 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4987
4988requires_ipv6
4989run_test "DTLS cookie: enabled, IPv6" \
4990 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4991 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
4992 0 \
4993 -s "cookie verification failed" \
4994 -s "cookie verification passed" \
4995 -S "cookie verification skipped" \
4996 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4997 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4998 -S "SSL - The requested feature is not available"
4999
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]5000run_test "DTLS cookie: enabled, nbio" \
5001 "$P_SRV dtls=1 nbio=2 debug_level=2" \
5002 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5003 0 \
5004 -s "cookie verification failed" \
5005 -s "cookie verification passed" \
5006 -S "cookie verification skipped" \
5007 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]5008 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]5009 -S "SSL - The requested feature is not available"
5010
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5011# Tests for client reconnecting from the same port with DTLS
5012
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5013not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5014run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +0200[diff] [blame]5015 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
5016 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5017 0 \
5018 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5019 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5020 -S "Client initiated reconnection from same port"
5021
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5022not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5023run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +0200[diff] [blame]5024 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
5025 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5026 0 \
5027 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5028 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5029 -s "Client initiated reconnection from same port"
5030
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]5031not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
5032run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5033 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
5034 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5035 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5036 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]5037 -s "Client initiated reconnection from same port"
5038
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]5039only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
5040run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
5041 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
5042 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
5043 0 \
5044 -S "The operation timed out" \
5045 -s "Client initiated reconnection from same port"
5046
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5047run_test "DTLS client reconnect from same port: no cookies" \
5048 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]5049 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
5050 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]5051 -s "The operation timed out" \
5052 -S "Client initiated reconnection from same port"
5053
Manuel Pégourié-Gonnarda58b0462020-03-13 11:11:02 +0100[diff] [blame]5054run_test "DTLS client reconnect from same port: attacker-injected" \
5055 -p "$P_PXY inject_clihlo=1" \
5056 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
5057 "$P_CLI dtls=1 exchanges=2" \
5058 0 \
5059 -s "possible client reconnect from the same port" \
5060 -S "Client initiated reconnection from same port"
5061
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]5062# Tests for various cases of client authentication with DTLS
5063# (focused on handshake flows and message parsing)
5064
5065run_test "DTLS client auth: required" \
5066 "$P_SRV dtls=1 auth_mode=required" \
5067 "$P_CLI dtls=1" \
5068 0 \
5069 -s "Verifying peer X.509 certificate... ok"
5070
5071run_test "DTLS client auth: optional, client has no cert" \
5072 "$P_SRV dtls=1 auth_mode=optional" \
5073 "$P_CLI dtls=1 crt_file=none key_file=none" \
5074 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5075 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]5076
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5077run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]5078 "$P_SRV dtls=1 auth_mode=none" \
5079 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
5080 0 \
5081 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5082 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]5083
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]5084run_test "DTLS wrong PSK: badmac alert" \
5085 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
5086 "$P_CLI dtls=1 psk=abc124" \
5087 1 \
5088 -s "SSL - Verification of the message MAC failed" \
5089 -c "SSL - A fatal alert message was received from our peer"
5090
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]5091# Tests for receiving fragmented handshake messages with DTLS
5092
5093requires_gnutls
5094run_test "DTLS reassembly: no fragmentation (gnutls server)" \
5095 "$G_SRV -u --mtu 2048 -a" \
5096 "$P_CLI dtls=1 debug_level=2" \
5097 0 \
5098 -C "found fragmented DTLS handshake message" \
5099 -C "error"
5100
5101requires_gnutls
5102run_test "DTLS reassembly: some fragmentation (gnutls server)" \
5103 "$G_SRV -u --mtu 512" \
5104 "$P_CLI dtls=1 debug_level=2" \
5105 0 \
5106 -c "found fragmented DTLS handshake message" \
5107 -C "error"
5108
5109requires_gnutls
5110run_test "DTLS reassembly: more fragmentation (gnutls server)" \
5111 "$G_SRV -u --mtu 128" \
5112 "$P_CLI dtls=1 debug_level=2" \
5113 0 \
5114 -c "found fragmented DTLS handshake message" \
5115 -C "error"
5116
5117requires_gnutls
5118run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
5119 "$G_SRV -u --mtu 128" \
5120 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5121 0 \
5122 -c "found fragmented DTLS handshake message" \
5123 -C "error"
5124
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5125requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5126requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5127run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
5128 "$G_SRV -u --mtu 256" \
5129 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
5130 0 \
5131 -c "found fragmented DTLS handshake message" \
5132 -c "client hello, adding renegotiation extension" \
5133 -c "found renegotiation extension" \
5134 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5135 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5136 -C "error" \
5137 -s "Extra-header:"
5138
5139requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5140requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5141run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
5142 "$G_SRV -u --mtu 256" \
5143 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
5144 0 \
5145 -c "found fragmented DTLS handshake message" \
5146 -c "client hello, adding renegotiation extension" \
5147 -c "found renegotiation extension" \
5148 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5149 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]5150 -C "error" \
5151 -s "Extra-header:"
5152
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]5153run_test "DTLS reassembly: no fragmentation (openssl server)" \
5154 "$O_SRV -dtls1 -mtu 2048" \
5155 "$P_CLI dtls=1 debug_level=2" \
5156 0 \
5157 -C "found fragmented DTLS handshake message" \
5158 -C "error"
5159
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5160run_test "DTLS reassembly: some fragmentation (openssl server)" \
5161 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]5162 "$P_CLI dtls=1 debug_level=2" \
5163 0 \
5164 -c "found fragmented DTLS handshake message" \
5165 -C "error"
5166
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5167run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]5168 "$O_SRV -dtls1 -mtu 256" \
5169 "$P_CLI dtls=1 debug_level=2" \
5170 0 \
5171 -c "found fragmented DTLS handshake message" \
5172 -C "error"
5173
5174run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
5175 "$O_SRV -dtls1 -mtu 256" \
5176 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5177 0 \
5178 -c "found fragmented DTLS handshake message" \
5179 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]5180
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]5181# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]5182
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5183not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5184run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]5185 -p "$P_PXY" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +0200[diff] [blame]5186 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5187 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5188 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]5189 -C "replayed record" \
5190 -S "replayed record" \
5191 -C "record from another epoch" \
5192 -S "record from another epoch" \
5193 -C "discarding invalid record" \
5194 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5195 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5196 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5197 -c "HTTP/1.0 200 OK"
5198
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5199not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]5200run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5201 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +0200[diff] [blame]5202 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5203 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]5204 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]5205 -c "replayed record" \
5206 -s "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +0100[diff] [blame]5207 -c "record from another epoch" \
5208 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5209 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5210 -s "Extra-header:" \
5211 -c "HTTP/1.0 200 OK"
5212
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]5213run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
5214 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5215 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
5216 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]5217 0 \
5218 -c "replayed record" \
5219 -S "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +0100[diff] [blame]5220 -c "record from another epoch" \
5221 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]5222 -c "resend" \
5223 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]5224 -s "Extra-header:" \
5225 -c "HTTP/1.0 200 OK"
5226
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5227run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]5228 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]5229 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5230 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5231 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]5232 -c "discarding invalid record (mac)" \
5233 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5234 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5235 -c "HTTP/1.0 200 OK" \
5236 -S "too many records with bad MAC" \
5237 -S "Verification of the message MAC failed"
5238
5239run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
5240 -p "$P_PXY bad_ad=1" \
5241 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
5242 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5243 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]5244 -C "discarding invalid record (mac)" \
5245 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5246 -S "Extra-header:" \
5247 -C "HTTP/1.0 200 OK" \
5248 -s "too many records with bad MAC" \
5249 -s "Verification of the message MAC failed"
5250
5251run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
5252 -p "$P_PXY bad_ad=1" \
5253 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
5254 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5255 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]5256 -c "discarding invalid record (mac)" \
5257 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5258 -s "Extra-header:" \
5259 -c "HTTP/1.0 200 OK" \
5260 -S "too many records with bad MAC" \
5261 -S "Verification of the message MAC failed"
5262
5263run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
5264 -p "$P_PXY bad_ad=1" \
5265 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
5266 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
5267 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]5268 -c "discarding invalid record (mac)" \
5269 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]5270 -s "Extra-header:" \
5271 -c "HTTP/1.0 200 OK" \
5272 -s "too many records with bad MAC" \
5273 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5274
5275run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]5276 -p "$P_PXY delay_ccs=1" \
5277 "$P_SRV dtls=1 debug_level=1" \
5278 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5279 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]5280 -c "record from another epoch" \
5281 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5282 -s "Extra-header:" \
5283 -c "HTTP/1.0 200 OK"
5284
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]5285# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5286
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5287client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5288run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5289 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5290 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5291 psk=abc123" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5292 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5293 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5294 0 \
5295 -s "Extra-header:" \
5296 -c "HTTP/1.0 200 OK"
5297
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5298client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5299run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
5300 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5301 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5302 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5303 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5304 0 \
5305 -s "Extra-header:" \
5306 -c "HTTP/1.0 200 OK"
5307
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5308client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5309run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
5310 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5311 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5312 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5313 0 \
5314 -s "Extra-header:" \
5315 -c "HTTP/1.0 200 OK"
5316
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5317client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5318run_test "DTLS proxy: 3d, FS, client auth" \
5319 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5320 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=required" \
5321 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5322 0 \
5323 -s "Extra-header:" \
5324 -c "HTTP/1.0 200 OK"
5325
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5326client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5327run_test "DTLS proxy: 3d, FS, ticket" \
5328 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5329 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=none" \
5330 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5331 0 \
5332 -s "Extra-header:" \
5333 -c "HTTP/1.0 200 OK"
5334
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5335client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]5336run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
5337 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5338 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=required" \
5339 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]5340 0 \
5341 -s "Extra-header:" \
5342 -c "HTTP/1.0 200 OK"
5343
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5344client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5345run_test "DTLS proxy: 3d, max handshake, nbio" \
5346 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5347 "$P_SRV dtls=1 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5348 auth_mode=required" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5349 "$P_CLI dtls=1 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5350 0 \
5351 -s "Extra-header:" \
5352 -c "HTTP/1.0 200 OK"
5353
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5354client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]5355run_test "DTLS proxy: 3d, min handshake, resumption" \
5356 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5357 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]5358 psk=abc123 debug_level=3" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5359 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]5360 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]5361 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5362 0 \
5363 -s "a session has been resumed" \
5364 -c "a session has been resumed" \
5365 -s "Extra-header:" \
5366 -c "HTTP/1.0 200 OK"
5367
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5368client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]5369run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
5370 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5371 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]5372 psk=abc123 debug_level=3 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5373 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +0100[diff] [blame]5374 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]5375 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
5376 0 \
5377 -s "a session has been resumed" \
5378 -c "a session has been resumed" \
5379 -s "Extra-header:" \
5380 -c "HTTP/1.0 200 OK"
5381
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5382client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5383requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5384run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]5385 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5386 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5387 psk=abc123 renegotiation=1 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5388 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5389 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]5390 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5391 0 \
5392 -c "=> renegotiate" \
5393 -s "=> renegotiate" \
5394 -s "Extra-header:" \
5395 -c "HTTP/1.0 200 OK"
5396
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5397client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5398requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5399run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
5400 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5401 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5402 psk=abc123 renegotiation=1 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5403 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]5404 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5405 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5406 0 \
5407 -c "=> renegotiate" \
5408 -s "=> renegotiate" \
5409 -s "Extra-header:" \
5410 -c "HTTP/1.0 200 OK"
5411
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5412client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5413requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5414run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5415 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5416 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5417 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5418 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5419 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5420 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5421 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5422 0 \
5423 -c "=> renegotiate" \
5424 -s "=> renegotiate" \
5425 -s "Extra-header:" \
5426 -c "HTTP/1.0 200 OK"
5427
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5428client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5429requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5430run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5431 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5432 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5433 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5434 debug_level=2 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5435 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]5436 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]5437 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5438 0 \
5439 -c "=> renegotiate" \
5440 -s "=> renegotiate" \
5441 -s "Extra-header:" \
5442 -c "HTTP/1.0 200 OK"
5443
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5444client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5445not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5446run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5447 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5448 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5449 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5450 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]5451 -c "HTTP/1.0 200 OK"
5452
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5453client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5454not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5455run_test "DTLS proxy: 3d, openssl server, fragmentation" \
5456 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5457 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5458 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5459 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5460 -c "HTTP/1.0 200 OK"
5461
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5462client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5463not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5464run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
5465 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5466 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5467 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5468 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5469 -c "HTTP/1.0 200 OK"
5470
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5471requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5472client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5473not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5474run_test "DTLS proxy: 3d, gnutls server" \
5475 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5476 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5477 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5478 0 \
5479 -s "Extra-header:" \
5480 -c "Extra-header:"
5481
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5482requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5483client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5484not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5485run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
5486 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5487 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5488 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]5489 0 \
5490 -s "Extra-header:" \
5491 -c "Extra-header:"
5492
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5493requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5494client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]5495not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5496run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
5497 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5498 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +0100[diff] [blame]5499 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]5500 0 \
5501 -s "Extra-header:" \
5502 -c "Extra-header:"
5503
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5504# Final report
5505
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5506echo "------------------------------------------------------------------------"
5507
5508if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]5509 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5510else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]5511 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5512fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]5513PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]5514echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5515
5516exit $FAILS