TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 251bab5ceb0b54303e899e1622dd02e1fb2a418c / . / tests / ssl-opt.sh
blob: 53bf2acdd616f01d925081a9892ef43914aa3ed1 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
9# Assumes all options are compiled in.
10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]13# default values, can be overriden by the environment
14: ${P_SRV:=../programs/ssl/ssl_server2}
15: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]16: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]17: ${GNUTLS_CLI:=gnutls-cli}
18: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskinea1cf6c82017-05-17 14:50:38 +0200[diff] [blame]19: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]20
Manuel Pégourié-Gonnard6461f362015-06-29 16:20:13 +0200[diff] [blame]21O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]22O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]23G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]24G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskinea1cf6c82017-05-17 14:50:38 +0200[diff] [blame]25TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]26
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]27TESTS=0
28FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]29SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]30
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]31CONFIG_H='../include/polarssl/config.h'
32
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]33MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]34FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]35EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]36
37print_usage() {
38 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]39 printf " -h|--help\tPrint this help.\n"
40 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
41 printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
42 printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]43}
44
45get_options() {
46 while [ $# -gt 0 ]; do
47 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]48 -f|--filter)
49 shift; FILTER=$1
50 ;;
51 -e|--exclude)
52 shift; EXCLUDE=$1
53 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]54 -m|--memcheck)
55 MEMCHECK=1
56 ;;
57 -h|--help)
58 print_usage
59 exit 0
60 ;;
61 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]62 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]63 print_usage
64 exit 1
65 ;;
66 esac
67 shift
68 done
69}
70
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]71# skip next test if the flag is not enabled in config.h
72requires_config_enabled() {
73 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
74 SKIP_NEXT="YES"
75 fi
76}
77
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]78# skip next test if OpenSSL can't send SSLv2 ClientHello
79requires_openssl_with_sslv2() {
80 if [ -z "${OPENSSL_HAS_SSL2:-}" ]; then
Manuel Pégourié-Gonnarda4afadf2014-08-30 22:09:36 +0200[diff] [blame]81 if $OPENSSL_CMD ciphers -ssl2 >/dev/null 2>&1; then
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]82 OPENSSL_HAS_SSL2="YES"
83 else
84 OPENSSL_HAS_SSL2="NO"
85 fi
86 fi
87 if [ "$OPENSSL_HAS_SSL2" = "NO" ]; then
88 SKIP_NEXT="YES"
89 fi
90}
91
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]92# skip next test if OpenSSL doesn't support FALLBACK_SCSV
93requires_openssl_with_fallback_scsv() {
94 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
95 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
96 then
97 OPENSSL_HAS_FBSCSV="YES"
98 else
99 OPENSSL_HAS_FBSCSV="NO"
100 fi
101 fi
102 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
103 SKIP_NEXT="YES"
104 fi
105}
106
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]107# skip next test if GnuTLS isn't available
108requires_gnutls() {
109 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
110 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null; then
111 GNUTLS_AVAILABLE="YES"
112 else
113 GNUTLS_AVAILABLE="NO"
114 fi
115 fi
116 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
117 SKIP_NEXT="YES"
118 fi
119}
120
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]121# print_name <name>
122print_name() {
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]123 printf "$1 "
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]124 LEN=$(( 72 - `echo "$1" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]125 for i in `seq 1 $LEN`; do printf '.'; done
126 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]127
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]128 TESTS=$(( $TESTS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]129}
130
131# fail <message>
132fail() {
133 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]134 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]135
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]136 mv $SRV_OUT o-srv-${TESTS}.log
137 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]138 echo " ! outputs saved to o-srv-${TESTS}.log and o-cli-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]139
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]140 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
141 echo " ! server output:"
142 cat o-srv-${TESTS}.log
143 echo " ! ============================================================"
144 echo " ! client output:"
145 cat o-cli-${TESTS}.log
146 fi
147
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]148 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]149}
150
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]151# is_polar <cmd_line>
152is_polar() {
153 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
154}
155
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]156# has_mem_err <log_file_name>
157has_mem_err() {
158 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
159 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
160 then
161 return 1 # false: does not have errors
162 else
163 return 0 # true: has errors
164 fi
165}
166
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]167# wait for server to start: two versions depending on lsof availability
168wait_server_start() {
Manuel Pégourié-Gonnard84690c32015-08-04 20:34:39 +0200[diff] [blame]169 if which lsof >/dev/null 2>&1; then
170 START_TIME=$( date +%s )
171 DONE=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]172
173 # make a tight loop, server usually takes less than 1 sec to start
Manuel Pégourié-Gonnard84690c32015-08-04 20:34:39 +0200[diff] [blame]174 while [ $DONE -eq 0 ]; do
175 if lsof -nbi TCP:"$PORT" 2>/dev/null | grep LISTEN >/dev/null
176 then
177 DONE=1
178 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
179 echo "SERVERSTART TIMEOUT"
180 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
181 DONE=1
182 fi
183 done
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]184 else
185 sleep "$START_DELAY"
186 fi
187}
188
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]189# wait for client to terminate and set CLI_EXIT
190# must be called right after starting the client
191wait_client_done() {
192 CLI_PID=$!
193
194 ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) &
195 WATCHDOG_PID=$!
196
197 wait $CLI_PID
198 CLI_EXIT=$?
199
200 kill $WATCHDOG_PID
201 wait $WATCHDOG_PID
202
203 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
204}
205
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]206# Usage: run_test name srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]207# Options: -s pattern pattern that must be present in server output
208# -c pattern pattern that must be present in client output
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]209# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]210# -S pattern pattern that must be absent in server output
211# -C pattern pattern that must be absent in client output
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]212# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]213run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]214 NAME="$1"
215 SRV_CMD="$2"
216 CLI_CMD="$3"
217 CLI_EXPECT="$4"
218 shift 4
219
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]220 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
221 else
Manuel Pégourié-Gonnard33e8d342017-07-10 11:55:31 +0200[diff] [blame]222 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]223 return
224 fi
225
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]226 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]227
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]228 # should we skip?
229 if [ "X$SKIP_NEXT" = "XYES" ]; then
230 SKIP_NEXT="NO"
231 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]232 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]233 return
234 fi
235
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]236 # prepend valgrind to our commands if active
237 if [ "$MEMCHECK" -gt 0 ]; then
238 if is_polar "$SRV_CMD"; then
239 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
240 fi
241 if is_polar "$CLI_CMD"; then
242 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
243 fi
244 fi
245
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]246 # run the commands
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]247 echo "$SRV_CMD" > $SRV_OUT
248 $SRV_CMD >> $SRV_OUT 2>&1 &
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]249 SRV_PID=$!
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]250 wait_server_start
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]251
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]252 echo "$CLI_CMD" > $CLI_OUT
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]253 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
254 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]255
Manuel Pégourié-Gonnard74b11702014-08-14 15:47:33 +0200[diff] [blame]256 # kill the server
257 kill $SRV_PID
258 wait $SRV_PID
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]259
260 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]261 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]262 # expected client exit to incorrectly succeed in case of catastrophic
263 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]264 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]265 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]266 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]267 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]268 return
269 fi
270 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]271 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]272 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]273 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]274 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]275 return
276 fi
277 fi
278
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]279 # check server exit code
280 if [ $? != 0 ]; then
281 fail "server fail"
282 return
283 fi
284
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]285 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]286 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
287 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]288 then
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]289 fail "bad client exit code"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]290 return
291 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]292
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]293 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]294 # lines beginning with == are added by valgrind, ignore them
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]295 while [ $# -gt 0 ]
296 do
297 case $1 in
298 "-s")
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]299 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
300 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]301 return
302 fi
303 ;;
304
305 "-c")
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]306 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
307 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]308 return
309 fi
310 ;;
311
312 "-S")
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]313 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
314 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]315 return
316 fi
317 ;;
318
319 "-C")
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]320 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
321 fail "pattern '$2' MUST NOT be present in the Client output"
322 return
323 fi
324 ;;
325
326 # The filtering in the following two options (-u and -U) do the following
327 # - ignore valgrind output
328 # - filter out everything but lines right after the pattern occurances
329 # - keep one of each non-unique line
330 # - count how many lines remain
331 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
332 # if there were no duplicates.
333 "-U")
334 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
335 fail "lines following pattern '$2' must be unique in Server output"
336 return
337 fi
338 ;;
339
340 "-u")
341 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
342 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]343 return
344 fi
345 ;;
346
347 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]348 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]349 exit 1
350 esac
351 shift 2
352 done
353
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]354 # check valgrind's results
355 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]356 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]357 fail "Server has memory errors"
358 return
359 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]360 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]361 fail "Client has memory errors"
362 return
363 fi
364 fi
365
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]366 # if we're here, everything is ok
367 echo "PASS"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]368 rm -f $SRV_OUT $CLI_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]369}
370
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]371cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]372 rm -f $CLI_OUT $SRV_OUT $SESSION
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]373 kill $SRV_PID >/dev/null 2>&1
374 kill $WATCHDOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]375 exit 1
376}
377
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]378#
379# MAIN
380#
381
Manuel Pégourié-Gonnard751286b2015-03-10 13:41:04 +0000[diff] [blame]382if cd $( dirname $0 ); then :; else
383 echo "cd $( dirname $0 ) failed" >&2
384 exit 1
385fi
386
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]387get_options "$@"
388
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]389# sanity checks, avoid an avalanche of errors
390if [ ! -x "$P_SRV" ]; then
391 echo "Command '$P_SRV' is not an executable file"
392 exit 1
393fi
394if [ ! -x "$P_CLI" ]; then
395 echo "Command '$P_CLI' is not an executable file"
396 exit 1
397fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]398if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
399 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]400 exit 1
401fi
402
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]403# used by watchdog
404MAIN_PID="$$"
405
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]406# be more patient with valgrind
407if [ "$MEMCHECK" -gt 0 ]; then
408 START_DELAY=3
409 DOG_DELAY=30
410else
411 START_DELAY=1
412 DOG_DELAY=10
413fi
414
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]415# Pick a "unique" port in the range 10000-19999.
416PORT="0000$$"
Manuel Pégourié-Gonnarddc370e42015-01-22 10:24:59 +0000[diff] [blame]417PORT="1$( printf $PORT | tail -c 4 )"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]418
419# fix commands to use this port
420P_SRV="$P_SRV server_port=$PORT"
421P_CLI="$P_CLI server_port=$PORT"
422O_SRV="$O_SRV -accept $PORT"
423O_CLI="$O_CLI -connect localhost:$PORT"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]424G_SRV="$G_SRV -p $PORT"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]425G_CLI="$G_CLI -p $PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]426
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]427# Also pick a unique name for intermediate files
428SRV_OUT="srv_out.$$"
429CLI_OUT="cli_out.$$"
430SESSION="session.$$"
431
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]432SKIP_NEXT="NO"
433
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]434trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]435
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]436# Basic test
437
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]438# Checks that:
439# - things work with all ciphersuites active (used with config-full in all.sh)
440# - the expected (highest security) parameters are selected
441# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]442run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]443 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]444 "$P_CLI" \
445 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]446 -s "Protocol is TLSv1.2" \
447 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
448 -s "client hello v3, signature_algorithm ext: 6" \
449 -s "ECDHE curve: secp521r1" \
450 -S "error" \
451 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]452
Simon Butcher696f92e2016-10-13 14:13:17 +0100[diff] [blame]453# Test for uniqueness of IVs in AEAD ciphersuites
454run_test "Unique IV in GCM" \
455 "$P_SRV exchanges=20 debug_level=4" \
456 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
457 0 \
458 -u "IV used" \
459 -U "IV used"
460
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]461# Tests for rc4 option
462
463run_test "RC4: server disabled, client enabled" \
464 "$P_SRV" \
465 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
466 1 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]467 -s "SSL - None of the common ciphersuites is usable"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]468
469run_test "RC4: server enabled, client disabled" \
470 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
471 "$P_CLI" \
472 1 \
473 -s "SSL - The server has no ciphersuites in common"
474
475run_test "RC4: both enabled" \
476 "$P_SRV arc4=1" \
477 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
478 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]479 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]480 -S "SSL - The server has no ciphersuites in common"
481
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]482# Test for SSLv2 ClientHello
483
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]484requires_openssl_with_sslv2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]485run_test "SSLv2 ClientHello: reference" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]486 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]487 "$O_CLI -no_ssl2" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]488 0 \
489 -S "parse client hello v2" \
490 -S "ssl_handshake returned"
491
492# Adding a SSL2-only suite makes OpenSSL client send SSLv2 ClientHello
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]493requires_openssl_with_sslv2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]494run_test "SSLv2 ClientHello: actual test" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]495 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]496 "$O_CLI -cipher 'DES-CBC-MD5:ALL'" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]497 0 \
498 -s "parse client hello v2" \
499 -S "ssl_handshake returned"
500
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]501# Tests for Truncated HMAC extension
502
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]503run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]504 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]505 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]506 0 \
Hanno Becker251bab52017-11-20 10:30:08 +0000[diff] [blame^]507 -s "dumping 'expected mac' (20 bytes)" \
508 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]509
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]510run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]511 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]512 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
513 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]514 0 \
Hanno Becker251bab52017-11-20 10:30:08 +0000[diff] [blame^]515 -s "dumping 'expected mac' (20 bytes)" \
516 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]517
518run_test "Truncated HMAC: client enabled, server default" \
519 "$P_SRV debug_level=4" \
520 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
521 trunc_hmac=1" \
522 0 \
Hanno Becker251bab52017-11-20 10:30:08 +0000[diff] [blame^]523 -S "dumping 'expected mac' (20 bytes)" \
524 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]525
526run_test "Truncated HMAC: client enabled, server disabled" \
527 "$P_SRV debug_level=4 trunc_hmac=0" \
528 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
529 trunc_hmac=1" \
530 0 \
Hanno Becker251bab52017-11-20 10:30:08 +0000[diff] [blame^]531 -s "dumping 'expected mac' (20 bytes)" \
532 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]533
534run_test "Truncated HMAC: client enabled, server enabled" \
535 "$P_SRV debug_level=4 trunc_hmac=1" \
536 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
537 trunc_hmac=1" \
538 0 \
Hanno Becker251bab52017-11-20 10:30:08 +0000[diff] [blame^]539 -S "dumping 'expected mac' (20 bytes)" \
540 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]541
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]542# Tests for Encrypt-then-MAC extension
543
544run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]545 "$P_SRV debug_level=3 \
546 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]547 "$P_CLI debug_level=3" \
548 0 \
549 -c "client hello, adding encrypt_then_mac extension" \
550 -s "found encrypt then mac extension" \
551 -s "server hello, adding encrypt then mac extension" \
552 -c "found encrypt_then_mac extension" \
553 -c "using encrypt then mac" \
554 -s "using encrypt then mac"
555
556run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]557 "$P_SRV debug_level=3 etm=0 \
558 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]559 "$P_CLI debug_level=3 etm=1" \
560 0 \
561 -c "client hello, adding encrypt_then_mac extension" \
562 -s "found encrypt then mac extension" \
563 -S "server hello, adding encrypt then mac extension" \
564 -C "found encrypt_then_mac extension" \
565 -C "using encrypt then mac" \
566 -S "using encrypt then mac"
567
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]568run_test "Encrypt then MAC: client enabled, aead cipher" \
569 "$P_SRV debug_level=3 etm=1 \
570 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
571 "$P_CLI debug_level=3 etm=1" \
572 0 \
573 -c "client hello, adding encrypt_then_mac extension" \
574 -s "found encrypt then mac extension" \
575 -S "server hello, adding encrypt then mac extension" \
576 -C "found encrypt_then_mac extension" \
577 -C "using encrypt then mac" \
578 -S "using encrypt then mac"
579
580run_test "Encrypt then MAC: client enabled, stream cipher" \
581 "$P_SRV debug_level=3 etm=1 \
582 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]583 "$P_CLI debug_level=3 etm=1 arc4=1" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]584 0 \
585 -c "client hello, adding encrypt_then_mac extension" \
586 -s "found encrypt then mac extension" \
587 -S "server hello, adding encrypt then mac extension" \
588 -C "found encrypt_then_mac extension" \
589 -C "using encrypt then mac" \
590 -S "using encrypt then mac"
591
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]592run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]593 "$P_SRV debug_level=3 etm=1 \
594 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]595 "$P_CLI debug_level=3 etm=0" \
596 0 \
597 -C "client hello, adding encrypt_then_mac extension" \
598 -S "found encrypt then mac extension" \
599 -S "server hello, adding encrypt then mac extension" \
600 -C "found encrypt_then_mac extension" \
601 -C "using encrypt then mac" \
602 -S "using encrypt then mac"
603
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]604requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]605run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]606 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]607 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]608 "$P_CLI debug_level=3 force_version=ssl3" \
609 0 \
610 -C "client hello, adding encrypt_then_mac extension" \
611 -S "found encrypt then mac extension" \
612 -S "server hello, adding encrypt then mac extension" \
613 -C "found encrypt_then_mac extension" \
614 -C "using encrypt then mac" \
615 -S "using encrypt then mac"
616
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]617requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]618run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]619 "$P_SRV debug_level=3 force_version=ssl3 \
620 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]621 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]622 0 \
623 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath8abaa8b2016-05-06 13:48:23 +0100[diff] [blame]624 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]625 -S "server hello, adding encrypt then mac extension" \
626 -C "found encrypt_then_mac extension" \
627 -C "using encrypt then mac" \
628 -S "using encrypt then mac"
629
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]630# Tests for Extended Master Secret extension
631
632run_test "Extended Master Secret: default" \
633 "$P_SRV debug_level=3" \
634 "$P_CLI debug_level=3" \
635 0 \
636 -c "client hello, adding extended_master_secret extension" \
637 -s "found extended master secret extension" \
638 -s "server hello, adding extended master secret extension" \
639 -c "found extended_master_secret extension" \
640 -c "using extended master secret" \
641 -s "using extended master secret"
642
643run_test "Extended Master Secret: client enabled, server disabled" \
644 "$P_SRV debug_level=3 extended_ms=0" \
645 "$P_CLI debug_level=3 extended_ms=1" \
646 0 \
647 -c "client hello, adding extended_master_secret extension" \
648 -s "found extended master secret extension" \
649 -S "server hello, adding extended master secret extension" \
650 -C "found extended_master_secret extension" \
651 -C "using extended master secret" \
652 -S "using extended master secret"
653
654run_test "Extended Master Secret: client disabled, server enabled" \
655 "$P_SRV debug_level=3 extended_ms=1" \
656 "$P_CLI debug_level=3 extended_ms=0" \
657 0 \
658 -C "client hello, adding extended_master_secret extension" \
659 -S "found extended master secret extension" \
660 -S "server hello, adding extended master secret extension" \
661 -C "found extended_master_secret extension" \
662 -C "using extended master secret" \
663 -S "using extended master secret"
664
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]665requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]666run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]667 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]668 "$P_CLI debug_level=3 force_version=ssl3" \
669 0 \
670 -C "client hello, adding extended_master_secret extension" \
671 -S "found extended master secret extension" \
672 -S "server hello, adding extended master secret extension" \
673 -C "found extended_master_secret extension" \
674 -C "using extended master secret" \
675 -S "using extended master secret"
676
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]677requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]678run_test "Extended Master Secret: client enabled, server SSLv3" \
679 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]680 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]681 0 \
682 -c "client hello, adding extended_master_secret extension" \
Janos Follath8abaa8b2016-05-06 13:48:23 +0100[diff] [blame]683 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]684 -S "server hello, adding extended master secret extension" \
685 -C "found extended_master_secret extension" \
686 -C "using extended master secret" \
687 -S "using extended master secret"
688
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]689# Tests for FALLBACK_SCSV
690
691run_test "Fallback SCSV: default" \
692 "$P_SRV" \
693 "$P_CLI debug_level=3 force_version=tls1_1" \
694 0 \
695 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]696 -S "received FALLBACK_SCSV" \
697 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]698 -C "is a fatal alert message (msg 86)"
699
700run_test "Fallback SCSV: explicitly disabled" \
701 "$P_SRV" \
702 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
703 0 \
704 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]705 -S "received FALLBACK_SCSV" \
706 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]707 -C "is a fatal alert message (msg 86)"
708
709run_test "Fallback SCSV: enabled" \
710 "$P_SRV" \
711 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]712 1 \
713 -c "adding FALLBACK_SCSV" \
714 -s "received FALLBACK_SCSV" \
715 -s "inapropriate fallback" \
716 -c "is a fatal alert message (msg 86)"
717
718run_test "Fallback SCSV: enabled, max version" \
719 "$P_SRV" \
720 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]721 0 \
722 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]723 -s "received FALLBACK_SCSV" \
724 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]725 -C "is a fatal alert message (msg 86)"
726
727requires_openssl_with_fallback_scsv
728run_test "Fallback SCSV: default, openssl server" \
729 "$O_SRV" \
730 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
731 0 \
732 -C "adding FALLBACK_SCSV" \
733 -C "is a fatal alert message (msg 86)"
734
735requires_openssl_with_fallback_scsv
736run_test "Fallback SCSV: enabled, openssl server" \
737 "$O_SRV" \
738 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
739 1 \
740 -c "adding FALLBACK_SCSV" \
741 -c "is a fatal alert message (msg 86)"
742
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]743requires_openssl_with_fallback_scsv
744run_test "Fallback SCSV: disabled, openssl client" \
745 "$P_SRV" \
746 "$O_CLI -tls1_1" \
747 0 \
748 -S "received FALLBACK_SCSV" \
749 -S "inapropriate fallback"
750
751requires_openssl_with_fallback_scsv
752run_test "Fallback SCSV: enabled, openssl client" \
753 "$P_SRV" \
754 "$O_CLI -tls1_1 -fallback_scsv" \
755 1 \
756 -s "received FALLBACK_SCSV" \
757 -s "inapropriate fallback"
758
759requires_openssl_with_fallback_scsv
760run_test "Fallback SCSV: enabled, max version, openssl client" \
761 "$P_SRV" \
762 "$O_CLI -fallback_scsv" \
763 0 \
764 -s "received FALLBACK_SCSV" \
765 -S "inapropriate fallback"
766
Gilles Peskinea1cf6c82017-05-17 14:50:38 +0200[diff] [blame]767## ClientHello generated with
768## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
769## then manually twiddling the ciphersuite list.
770## The ClientHello content is spelled out below as a hex string as
771## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
772## The expected response is an inappropriate_fallback alert.
773requires_openssl_with_fallback_scsv
774run_test "Fallback SCSV: beginning of list" \
775 "$P_SRV debug_level=2" \
776 "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
777 0 \
778 -s "received FALLBACK_SCSV" \
779 -s "inapropriate fallback"
780
781requires_openssl_with_fallback_scsv
782run_test "Fallback SCSV: end of list" \
783 "$P_SRV debug_level=2" \
784 "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
785 0 \
786 -s "received FALLBACK_SCSV" \
787 -s "inapropriate fallback"
788
789## Here the expected response is a valid ServerHello prefix, up to the random.
790requires_openssl_with_fallback_scsv
791run_test "Fallback SCSV: not in list" \
792 "$P_SRV debug_level=2" \
793 "$TCP_CLIENT localhost $PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
794 0 \
795 -S "received FALLBACK_SCSV" \
796 -S "inapropriate fallback"
797
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]798# Tests for CBC 1/n-1 record splitting
799
800run_test "CBC Record splitting: TLS 1.2, no splitting" \
801 "$P_SRV" \
802 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
803 request_size=123 force_version=tls1_2" \
804 0 \
805 -s "Read from client: 123 bytes read" \
806 -S "Read from client: 1 bytes read" \
807 -S "122 bytes read"
808
809run_test "CBC Record splitting: TLS 1.1, no splitting" \
810 "$P_SRV" \
811 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
812 request_size=123 force_version=tls1_1" \
813 0 \
814 -s "Read from client: 123 bytes read" \
815 -S "Read from client: 1 bytes read" \
816 -S "122 bytes read"
817
818run_test "CBC Record splitting: TLS 1.0, splitting" \
819 "$P_SRV" \
820 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
821 request_size=123 force_version=tls1" \
822 0 \
823 -S "Read from client: 123 bytes read" \
824 -s "Read from client: 1 bytes read" \
825 -s "122 bytes read"
826
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]827requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]828run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]829 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]830 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
831 request_size=123 force_version=ssl3" \
832 0 \
833 -S "Read from client: 123 bytes read" \
834 -s "Read from client: 1 bytes read" \
835 -s "122 bytes read"
836
837run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]838 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]839 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
840 request_size=123 force_version=tls1" \
841 0 \
842 -s "Read from client: 123 bytes read" \
843 -S "Read from client: 1 bytes read" \
844 -S "122 bytes read"
845
846run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
847 "$P_SRV" \
848 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
849 request_size=123 force_version=tls1 recsplit=0" \
850 0 \
851 -s "Read from client: 123 bytes read" \
852 -S "Read from client: 1 bytes read" \
853 -S "122 bytes read"
854
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]855run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
856 "$P_SRV nbio=2" \
857 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
858 request_size=123 force_version=tls1" \
859 0 \
860 -S "Read from client: 123 bytes read" \
861 -s "Read from client: 1 bytes read" \
862 -s "122 bytes read"
863
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]864# Tests for Session Tickets
865
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]866run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]867 "$P_SRV debug_level=3 tickets=1" \
868 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]869 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]870 -c "client hello, adding session ticket extension" \
871 -s "found session ticket extension" \
872 -s "server hello, adding session ticket extension" \
873 -c "found session_ticket extension" \
874 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]875 -S "session successfully restored from cache" \
876 -s "session successfully restored from ticket" \
877 -s "a session has been resumed" \
878 -c "a session has been resumed"
879
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]880run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]881 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
882 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]883 0 \
884 -c "client hello, adding session ticket extension" \
885 -s "found session ticket extension" \
886 -s "server hello, adding session ticket extension" \
887 -c "found session_ticket extension" \
888 -c "parse new session ticket" \
889 -S "session successfully restored from cache" \
890 -s "session successfully restored from ticket" \
891 -s "a session has been resumed" \
892 -c "a session has been resumed"
893
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]894run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]895 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
896 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]897 0 \
898 -c "client hello, adding session ticket extension" \
899 -s "found session ticket extension" \
900 -s "server hello, adding session ticket extension" \
901 -c "found session_ticket extension" \
902 -c "parse new session ticket" \
903 -S "session successfully restored from cache" \
904 -S "session successfully restored from ticket" \
905 -S "a session has been resumed" \
906 -C "a session has been resumed"
907
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]908run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]909 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]910 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]911 0 \
912 -c "client hello, adding session ticket extension" \
913 -c "found session_ticket extension" \
914 -c "parse new session ticket" \
915 -c "a session has been resumed"
916
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]917run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]918 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]919 "( $O_CLI -sess_out $SESSION; \
920 $O_CLI -sess_in $SESSION; \
921 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]922 0 \
923 -s "found session ticket extension" \
924 -s "server hello, adding session ticket extension" \
925 -S "session successfully restored from cache" \
926 -s "session successfully restored from ticket" \
927 -s "a session has been resumed"
928
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]929# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]930
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]931run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]932 "$P_SRV debug_level=3 tickets=0" \
933 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]934 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]935 -c "client hello, adding session ticket extension" \
936 -s "found session ticket extension" \
937 -S "server hello, adding session ticket extension" \
938 -C "found session_ticket extension" \
939 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]940 -s "session successfully restored from cache" \
941 -S "session successfully restored from ticket" \
942 -s "a session has been resumed" \
943 -c "a session has been resumed"
944
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]945run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]946 "$P_SRV debug_level=3 tickets=1" \
947 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]948 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]949 -C "client hello, adding session ticket extension" \
950 -S "found session ticket extension" \
951 -S "server hello, adding session ticket extension" \
952 -C "found session_ticket extension" \
953 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]954 -s "session successfully restored from cache" \
955 -S "session successfully restored from ticket" \
956 -s "a session has been resumed" \
957 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]958
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]959run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]960 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
961 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]962 0 \
963 -S "session successfully restored from cache" \
964 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]965 -S "a session has been resumed" \
966 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]967
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]968run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]969 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
970 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]971 0 \
972 -s "session successfully restored from cache" \
973 -S "session successfully restored from ticket" \
974 -s "a session has been resumed" \
975 -c "a session has been resumed"
976
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]977run_test "Session resume using cache: timemout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]978 "$P_SRV debug_level=3 tickets=0" \
979 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]980 0 \
981 -s "session successfully restored from cache" \
982 -S "session successfully restored from ticket" \
983 -s "a session has been resumed" \
984 -c "a session has been resumed"
985
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]986run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]987 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
988 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]989 0 \
990 -S "session successfully restored from cache" \
991 -S "session successfully restored from ticket" \
992 -S "a session has been resumed" \
993 -C "a session has been resumed"
994
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]995run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]996 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
997 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]998 0 \
999 -s "session successfully restored from cache" \
1000 -S "session successfully restored from ticket" \
1001 -s "a session has been resumed" \
1002 -c "a session has been resumed"
1003
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1004run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1005 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1006 "( $O_CLI -sess_out $SESSION; \
1007 $O_CLI -sess_in $SESSION; \
1008 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1009 0 \
1010 -s "found session ticket extension" \
1011 -S "server hello, adding session ticket extension" \
1012 -s "session successfully restored from cache" \
1013 -S "session successfully restored from ticket" \
1014 -s "a session has been resumed"
1015
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1016run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1017 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1018 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1019 0 \
1020 -C "found session_ticket extension" \
1021 -C "parse new session ticket" \
1022 -c "a session has been resumed"
1023
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1024# Tests for Max Fragment Length extension
1025
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1026run_test "Max fragment length: not used, reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1027 "$P_SRV debug_level=3" \
1028 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1029 0 \
1030 -C "client hello, adding max_fragment_length extension" \
1031 -S "found max fragment length extension" \
1032 -S "server hello, max_fragment_length extension" \
1033 -C "found max_fragment_length extension"
1034
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1035run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1036 "$P_SRV debug_level=3" \
1037 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1038 0 \
1039 -c "client hello, adding max_fragment_length extension" \
1040 -s "found max fragment length extension" \
1041 -s "server hello, max_fragment_length extension" \
1042 -c "found max_fragment_length extension"
1043
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1044run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1045 "$P_SRV debug_level=3 max_frag_len=4096" \
1046 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1047 0 \
1048 -C "client hello, adding max_fragment_length extension" \
1049 -S "found max fragment length extension" \
1050 -S "server hello, max_fragment_length extension" \
1051 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1052
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1053requires_gnutls
1054run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1055 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1056 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1057 0 \
1058 -c "client hello, adding max_fragment_length extension" \
1059 -c "found max_fragment_length extension"
1060
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1061# Tests for renegotiation
1062
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1063run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1064 "$P_SRV debug_level=3 exchanges=2" \
1065 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1066 0 \
1067 -C "client hello, adding renegotiation extension" \
1068 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1069 -S "found renegotiation extension" \
1070 -s "server hello, secure renegotiation extension" \
1071 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1072 -C "=> renegotiate" \
1073 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1074 -S "write hello request"
1075
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1076run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1077 "$P_SRV debug_level=3 exchanges=2 renegotiation=1" \
1078 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1079 0 \
1080 -c "client hello, adding renegotiation extension" \
1081 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1082 -s "found renegotiation extension" \
1083 -s "server hello, secure renegotiation extension" \
1084 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1085 -c "=> renegotiate" \
1086 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1087 -S "write hello request"
1088
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1089run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1090 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1091 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1092 0 \
1093 -c "client hello, adding renegotiation extension" \
1094 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1095 -s "found renegotiation extension" \
1096 -s "server hello, secure renegotiation extension" \
1097 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1098 -c "=> renegotiate" \
1099 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1100 -s "write hello request"
1101
Janos Follathea111c52017-10-05 12:29:42 +0100[diff] [blame]1102# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1103# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1104# algorithm stronger than SHA-1 is enabled in config.h
1105run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1106 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1107 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1108 0 \
1109 -c "client hello, adding renegotiation extension" \
1110 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1111 -s "found renegotiation extension" \
1112 -s "server hello, secure renegotiation extension" \
1113 -c "found renegotiation extension" \
1114 -c "=> renegotiate" \
1115 -s "=> renegotiate" \
1116 -S "write hello request" \
1117 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1118
1119# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1120# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1121# algorithm stronger than SHA-1 is enabled in config.h
1122run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1123 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1124 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1125 0 \
1126 -c "client hello, adding renegotiation extension" \
1127 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1128 -s "found renegotiation extension" \
1129 -s "server hello, secure renegotiation extension" \
1130 -c "found renegotiation extension" \
1131 -c "=> renegotiate" \
1132 -s "=> renegotiate" \
1133 -s "write hello request" \
1134 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1135
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1136run_test "Renegotiation: double" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1137 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1138 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1139 0 \
1140 -c "client hello, adding renegotiation extension" \
1141 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1142 -s "found renegotiation extension" \
1143 -s "server hello, secure renegotiation extension" \
1144 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1145 -c "=> renegotiate" \
1146 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1147 -s "write hello request"
1148
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1149run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1150 "$P_SRV debug_level=3 exchanges=2 renegotiation=0" \
1151 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1152 1 \
1153 -c "client hello, adding renegotiation extension" \
1154 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1155 -S "found renegotiation extension" \
1156 -s "server hello, secure renegotiation extension" \
1157 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1158 -c "=> renegotiate" \
1159 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1160 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1161 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1162 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1163
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1164run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1165 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1166 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1167 0 \
1168 -C "client hello, adding renegotiation extension" \
1169 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1170 -S "found renegotiation extension" \
1171 -s "server hello, secure renegotiation extension" \
1172 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1173 -C "=> renegotiate" \
1174 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1175 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1176 -S "SSL - An unexpected message was received from our peer" \
1177 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1178
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1179run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1180 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1181 renego_delay=-1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1182 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1183 0 \
1184 -C "client hello, adding renegotiation extension" \
1185 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1186 -S "found renegotiation extension" \
1187 -s "server hello, secure renegotiation extension" \
1188 -c "found renegotiation extension" \
1189 -C "=> renegotiate" \
1190 -S "=> renegotiate" \
1191 -s "write hello request" \
1192 -S "SSL - An unexpected message was received from our peer" \
1193 -S "failed"
1194
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1195# delay 2 for 1 alert record + 1 application data record
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1196run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1197 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1198 renego_delay=2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1199 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1200 0 \
1201 -C "client hello, adding renegotiation extension" \
1202 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1203 -S "found renegotiation extension" \
1204 -s "server hello, secure renegotiation extension" \
1205 -c "found renegotiation extension" \
1206 -C "=> renegotiate" \
1207 -S "=> renegotiate" \
1208 -s "write hello request" \
1209 -S "SSL - An unexpected message was received from our peer" \
1210 -S "failed"
1211
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1212run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1213 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1214 renego_delay=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1215 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1216 0 \
1217 -C "client hello, adding renegotiation extension" \
1218 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1219 -S "found renegotiation extension" \
1220 -s "server hello, secure renegotiation extension" \
1221 -c "found renegotiation extension" \
1222 -C "=> renegotiate" \
1223 -S "=> renegotiate" \
1224 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1225 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1226
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1227run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1228 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1229 renego_delay=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1230 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1231 0 \
1232 -c "client hello, adding renegotiation extension" \
1233 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1234 -s "found renegotiation extension" \
1235 -s "server hello, secure renegotiation extension" \
1236 -c "found renegotiation extension" \
1237 -c "=> renegotiate" \
1238 -s "=> renegotiate" \
1239 -s "write hello request" \
1240 -S "SSL - An unexpected message was received from our peer" \
1241 -S "failed"
1242
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1243run_test "Renegotiation: periodic, just below period" \
1244 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
1245 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1246 0 \
1247 -C "client hello, adding renegotiation extension" \
1248 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1249 -S "found renegotiation extension" \
1250 -s "server hello, secure renegotiation extension" \
1251 -c "found renegotiation extension" \
1252 -S "record counter limit reached: renegotiate" \
1253 -C "=> renegotiate" \
1254 -S "=> renegotiate" \
1255 -S "write hello request" \
1256 -S "SSL - An unexpected message was received from our peer" \
1257 -S "failed"
1258
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1259# one extra exchange to be able to complete renego
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1260run_test "Renegotiation: periodic, just above period" \
1261 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1262 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1263 0 \
1264 -c "client hello, adding renegotiation extension" \
1265 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1266 -s "found renegotiation extension" \
1267 -s "server hello, secure renegotiation extension" \
1268 -c "found renegotiation extension" \
1269 -s "record counter limit reached: renegotiate" \
1270 -c "=> renegotiate" \
1271 -s "=> renegotiate" \
1272 -s "write hello request" \
1273 -S "SSL - An unexpected message was received from our peer" \
1274 -S "failed"
1275
1276run_test "Renegotiation: periodic, two times period" \
1277 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1278 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1279 0 \
1280 -c "client hello, adding renegotiation extension" \
1281 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1282 -s "found renegotiation extension" \
1283 -s "server hello, secure renegotiation extension" \
1284 -c "found renegotiation extension" \
1285 -s "record counter limit reached: renegotiate" \
1286 -c "=> renegotiate" \
1287 -s "=> renegotiate" \
1288 -s "write hello request" \
1289 -S "SSL - An unexpected message was received from our peer" \
1290 -S "failed"
1291
1292run_test "Renegotiation: periodic, above period, disabled" \
1293 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3" \
1294 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1295 0 \
1296 -C "client hello, adding renegotiation extension" \
1297 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1298 -S "found renegotiation extension" \
1299 -s "server hello, secure renegotiation extension" \
1300 -c "found renegotiation extension" \
1301 -S "record counter limit reached: renegotiate" \
1302 -C "=> renegotiate" \
1303 -S "=> renegotiate" \
1304 -S "write hello request" \
1305 -S "SSL - An unexpected message was received from our peer" \
1306 -S "failed"
1307
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1308run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1309 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
1310 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1311 0 \
1312 -c "client hello, adding renegotiation extension" \
1313 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1314 -s "found renegotiation extension" \
1315 -s "server hello, secure renegotiation extension" \
1316 -c "found renegotiation extension" \
1317 -c "=> renegotiate" \
1318 -s "=> renegotiate" \
1319 -S "write hello request"
1320
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1321run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1322 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
1323 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1324 0 \
1325 -c "client hello, adding renegotiation extension" \
1326 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1327 -s "found renegotiation extension" \
1328 -s "server hello, secure renegotiation extension" \
1329 -c "found renegotiation extension" \
1330 -c "=> renegotiate" \
1331 -s "=> renegotiate" \
1332 -s "write hello request"
1333
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1334run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1335 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1336 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1337 0 \
1338 -c "client hello, adding renegotiation extension" \
1339 -c "found renegotiation extension" \
1340 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1341 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1342 -C "error" \
1343 -c "HTTP/1.0 200 [Oo][Kk]"
1344
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1345requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1346run_test "Renegotiation: gnutls server strict, client-initiated" \
1347 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1348 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1349 0 \
1350 -c "client hello, adding renegotiation extension" \
1351 -c "found renegotiation extension" \
1352 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1353 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1354 -C "error" \
1355 -c "HTTP/1.0 200 [Oo][Kk]"
1356
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1357requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1358run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1359 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1360 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1361 1 \
1362 -c "client hello, adding renegotiation extension" \
1363 -C "found renegotiation extension" \
1364 -c "=> renegotiate" \
1365 -c "ssl_handshake() returned" \
1366 -c "error" \
1367 -C "HTTP/1.0 200 [Oo][Kk]"
1368
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1369requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1370run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1371 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1372 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1373 allow_legacy=0" \
1374 1 \
1375 -c "client hello, adding renegotiation extension" \
1376 -C "found renegotiation extension" \
1377 -c "=> renegotiate" \
1378 -c "ssl_handshake() returned" \
1379 -c "error" \
1380 -C "HTTP/1.0 200 [Oo][Kk]"
1381
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1382requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1383run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1384 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1385 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1386 allow_legacy=1" \
1387 0 \
1388 -c "client hello, adding renegotiation extension" \
1389 -C "found renegotiation extension" \
1390 -c "=> renegotiate" \
1391 -C "ssl_hanshake() returned" \
1392 -C "error" \
1393 -c "HTTP/1.0 200 [Oo][Kk]"
1394
1395# Test for the "secure renegotation" extension only (no actual renegotiation)
1396
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1397requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1398run_test "Renego ext: gnutls server strict, client default" \
1399 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1400 "$P_CLI debug_level=3" \
1401 0 \
1402 -c "found renegotiation extension" \
1403 -C "error" \
1404 -c "HTTP/1.0 200 [Oo][Kk]"
1405
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1406requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1407run_test "Renego ext: gnutls server unsafe, client default" \
1408 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1409 "$P_CLI debug_level=3" \
1410 0 \
1411 -C "found renegotiation extension" \
1412 -C "error" \
1413 -c "HTTP/1.0 200 [Oo][Kk]"
1414
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1415requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1416run_test "Renego ext: gnutls server unsafe, client break legacy" \
1417 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1418 "$P_CLI debug_level=3 allow_legacy=-1" \
1419 1 \
1420 -C "found renegotiation extension" \
1421 -c "error" \
1422 -C "HTTP/1.0 200 [Oo][Kk]"
1423
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1424requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1425run_test "Renego ext: gnutls client strict, server default" \
1426 "$P_SRV debug_level=3" \
1427 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1428 0 \
1429 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1430 -s "server hello, secure renegotiation extension"
1431
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1432requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1433run_test "Renego ext: gnutls client unsafe, server default" \
1434 "$P_SRV debug_level=3" \
1435 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1436 0 \
1437 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1438 -S "server hello, secure renegotiation extension"
1439
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1440requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1441run_test "Renego ext: gnutls client unsafe, server break legacy" \
1442 "$P_SRV debug_level=3 allow_legacy=-1" \
1443 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1444 1 \
1445 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1446 -S "server hello, secure renegotiation extension"
1447
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1448# Tests for auth_mode
1449
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1450run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1451 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1452 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1453 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1454 1 \
1455 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1456 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1457 -c "! ssl_handshake returned" \
1458 -c "X509 - Certificate verification failed"
1459
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1460run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1461 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1462 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1463 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1464 0 \
1465 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1466 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1467 -C "! ssl_handshake returned" \
1468 -C "X509 - Certificate verification failed"
1469
Hanno Becker6fd6d242017-05-25 17:51:31 +0100[diff] [blame]1470run_test "Authentication: server goodcert, client optional, no trusted CA" \
1471 "$P_SRV" \
1472 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1473 0 \
1474 -c "x509_verify_cert() returned" \
1475 -c "! The certificate is not correctly signed by the trusted CA" \
1476 -c "! Certificate verification flags"\
1477 -C "! ssl_handshake returned" \
1478 -C "X509 - Certificate verification failed" \
1479 -C "SSL - No CA Chain is set, but required to operate"
1480
1481run_test "Authentication: server goodcert, client required, no trusted CA" \
1482 "$P_SRV" \
1483 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1484 1 \
1485 -c "x509_verify_cert() returned" \
1486 -c "! The certificate is not correctly signed by the trusted CA" \
1487 -c "! Certificate verification flags"\
1488 -c "! ssl_handshake returned" \
1489 -c "SSL - No CA Chain is set, but required to operate"
1490
1491# The purpose of the next two tests is to test the client's behaviour when receiving a server
1492# certificate with an unsupported elliptic curve. This should usually not happen because
1493# the client informs the server about the supported curves - it does, though, in the
1494# corner case of a static ECDH suite, because the server doesn't check the curve on that
1495# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1496# different means to have the server ignoring the client's supported curve list.
1497
1498requires_config_enabled POLARSSL_SSL_SET_CURVES
1499run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1500 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1501 crt_file=data_files/server5.ku-ka.crt" \
1502 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1503 1 \
1504 -c "bad certificate (EC key curve)"\
1505 -c "! Certificate verification flags"\
1506 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1507
1508requires_config_enabled POLARSSL_SSL_SET_CURVES
1509run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1510 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1511 crt_file=data_files/server5.ku-ka.crt" \
1512 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1513 1 \
1514 -c "bad certificate (EC key curve)"\
1515 -c "! Certificate verification flags"\
1516 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1517
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1518run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1519 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1520 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1521 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1522 0 \
1523 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1524 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1525 -C "! ssl_handshake returned" \
1526 -C "X509 - Certificate verification failed"
1527
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1528run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1529 "$P_SRV debug_level=3 auth_mode=required" \
1530 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1531 key_file=data_files/server5.key" \
1532 1 \
1533 -S "skip write certificate request" \
1534 -C "skip parse certificate request" \
1535 -c "got a certificate request" \
1536 -C "skip write certificate" \
1537 -C "skip write certificate verify" \
1538 -S "skip parse certificate verify" \
1539 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1540 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1541 -s "! ssl_handshake returned" \
1542 -c "! ssl_handshake returned" \
1543 -s "X509 - Certificate verification failed"
1544
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1545run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1546 "$P_SRV debug_level=3 auth_mode=optional" \
1547 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1548 key_file=data_files/server5.key" \
1549 0 \
1550 -S "skip write certificate request" \
1551 -C "skip parse certificate request" \
1552 -c "got a certificate request" \
1553 -C "skip write certificate" \
1554 -C "skip write certificate verify" \
1555 -S "skip parse certificate verify" \
1556 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1557 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1558 -S "! ssl_handshake returned" \
1559 -C "! ssl_handshake returned" \
1560 -S "X509 - Certificate verification failed"
1561
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1562run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1563 "$P_SRV debug_level=3 auth_mode=none" \
1564 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1565 key_file=data_files/server5.key" \
1566 0 \
1567 -s "skip write certificate request" \
1568 -C "skip parse certificate request" \
1569 -c "got no certificate request" \
1570 -c "skip write certificate" \
1571 -c "skip write certificate verify" \
1572 -s "skip parse certificate verify" \
1573 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1574 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1575 -S "! ssl_handshake returned" \
1576 -C "! ssl_handshake returned" \
1577 -S "X509 - Certificate verification failed"
1578
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1579run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1580 "$P_SRV debug_level=3 auth_mode=optional" \
1581 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1582 0 \
1583 -S "skip write certificate request" \
1584 -C "skip parse certificate request" \
1585 -c "got a certificate request" \
1586 -C "skip write certificate$" \
1587 -C "got no certificate to send" \
1588 -S "SSLv3 client has no certificate" \
1589 -c "skip write certificate verify" \
1590 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1591 -s "! Certificate was missing" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1592 -S "! ssl_handshake returned" \
1593 -C "! ssl_handshake returned" \
1594 -S "X509 - Certificate verification failed"
1595
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1596run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1597 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1598 "$O_CLI" \
1599 0 \
1600 -S "skip write certificate request" \
1601 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1602 -s "! Certificate was missing" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1603 -S "! ssl_handshake returned" \
1604 -S "X509 - Certificate verification failed"
1605
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1606run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1607 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1608 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1609 0 \
1610 -C "skip parse certificate request" \
1611 -c "got a certificate request" \
1612 -C "skip write certificate$" \
1613 -c "skip write certificate verify" \
1614 -C "! ssl_handshake returned"
1615
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]1616requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1617run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1618 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]1619 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1620 0 \
1621 -S "skip write certificate request" \
1622 -C "skip parse certificate request" \
1623 -c "got a certificate request" \
1624 -C "skip write certificate$" \
1625 -c "skip write certificate verify" \
1626 -c "got no certificate to send" \
1627 -s "SSLv3 client has no certificate" \
1628 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard0c6ce2f2015-04-17 16:32:21 +0200[diff] [blame]1629 -s "! Certificate was missing" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]1630 -S "! ssl_handshake returned" \
1631 -C "! ssl_handshake returned" \
1632 -S "X509 - Certificate verification failed"
1633
Manuel Pégourié-Gonnarda68d5912017-07-10 11:31:43 +0200[diff] [blame]1634run_test "Authentication: server max_int chain, client default" \
1635 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
1636 key_file=data_files/dir-maxpath/09.key" \
1637 "$P_CLI server_name=CA09 server_addr=127.0.0.1 \
1638 ca_file=data_files/dir-maxpath/00.crt" \
1639 0 \
1640 -C "X509 - A fatal error occured"
1641
1642run_test "Authentication: server max_int+1 chain, client default" \
1643 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
1644 key_file=data_files/dir-maxpath/10.key" \
1645 "$P_CLI server_name=CA10 server_addr=127.0.0.1 \
1646 ca_file=data_files/dir-maxpath/00.crt" \
1647 1 \
1648 -c "X509 - A fatal error occured"
1649
1650run_test "Authentication: server max_int+1 chain, client optional" \
1651 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
1652 key_file=data_files/dir-maxpath/10.key" \
1653 "$P_CLI server_name=CA10 server_addr=127.0.0.1 \
1654 ca_file=data_files/dir-maxpath/00.crt \
1655 auth_mode=optional" \
1656 1 \
1657 -c "X509 - A fatal error occured"
1658
1659run_test "Authentication: server max_int+1 chain, client none" \
1660 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
1661 key_file=data_files/dir-maxpath/10.key" \
1662 "$P_CLI server_name=CA10 server_addr=127.0.0.1 ca_file=data_files/dir-maxpath/00.crt \
1663 auth_mode=none" \
1664 0 \
1665 -C "X509 - A fatal error occured"
1666
1667run_test "Authentication: client max_int+1 chain, server none" \
1668 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=none" \
1669 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
1670 key_file=data_files/dir-maxpath/10.key" \
1671 0 \
1672 -S "X509 - A fatal error occured"
1673
1674run_test "Authentication: client max_int+1 chain, server optional" \
1675 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
1676 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
1677 key_file=data_files/dir-maxpath/10.key" \
1678 1 \
1679 -s "X509 - A fatal error occured"
1680
1681run_test "Authentication: client max_int+1 chain, server required" \
1682 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
1683 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
1684 key_file=data_files/dir-maxpath/10.key" \
1685 1 \
1686 -s "X509 - A fatal error occured"
1687
1688run_test "Authentication: client max_int chain, server required" \
1689 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
1690 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
1691 key_file=data_files/dir-maxpath/09.key" \
1692 0 \
1693 -S "X509 - A fatal error occured"
1694
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]1695# Tests for certificate selection based on SHA verson
1696
1697run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
1698 "$P_SRV crt_file=data_files/server5.crt \
1699 key_file=data_files/server5.key \
1700 crt_file2=data_files/server5-sha1.crt \
1701 key_file2=data_files/server5.key" \
1702 "$P_CLI force_version=tls1_2" \
1703 0 \
1704 -c "signed using.*ECDSA with SHA256" \
1705 -C "signed using.*ECDSA with SHA1"
1706
1707run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
1708 "$P_SRV crt_file=data_files/server5.crt \
1709 key_file=data_files/server5.key \
1710 crt_file2=data_files/server5-sha1.crt \
1711 key_file2=data_files/server5.key" \
1712 "$P_CLI force_version=tls1_1" \
1713 0 \
1714 -C "signed using.*ECDSA with SHA256" \
1715 -c "signed using.*ECDSA with SHA1"
1716
1717run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
1718 "$P_SRV crt_file=data_files/server5.crt \
1719 key_file=data_files/server5.key \
1720 crt_file2=data_files/server5-sha1.crt \
1721 key_file2=data_files/server5.key" \
1722 "$P_CLI force_version=tls1" \
1723 0 \
1724 -C "signed using.*ECDSA with SHA256" \
1725 -c "signed using.*ECDSA with SHA1"
1726
1727run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
1728 "$P_SRV crt_file=data_files/server5.crt \
1729 key_file=data_files/server5.key \
1730 crt_file2=data_files/server6.crt \
1731 key_file2=data_files/server6.key" \
1732 "$P_CLI force_version=tls1_1" \
1733 0 \
1734 -c "serial number.*09" \
1735 -c "signed using.*ECDSA with SHA256" \
1736 -C "signed using.*ECDSA with SHA1"
1737
1738run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
1739 "$P_SRV crt_file=data_files/server6.crt \
1740 key_file=data_files/server6.key \
1741 crt_file2=data_files/server5.crt \
1742 key_file2=data_files/server5.key" \
1743 "$P_CLI force_version=tls1_1" \
1744 0 \
1745 -c "serial number.*0A" \
1746 -c "signed using.*ECDSA with SHA256" \
1747 -C "signed using.*ECDSA with SHA1"
1748
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1749# tests for SNI
1750
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1751run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1752 "$P_SRV debug_level=3 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1753 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1754 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1755 server_name=localhost" \
1756 0 \
1757 -S "parse ServerName extension" \
1758 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
1759 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
1760
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1761run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1762 "$P_SRV debug_level=3 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1763 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1764 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1765 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1766 server_name=localhost" \
1767 0 \
1768 -s "parse ServerName extension" \
1769 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
1770 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
1771
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1772run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1773 "$P_SRV debug_level=3 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1774 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1775 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1776 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1777 server_name=polarssl.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1778 0 \
1779 -s "parse ServerName extension" \
1780 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1781 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1782
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1783run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1784 "$P_SRV debug_level=3 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1785 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1786 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1787 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]1788 server_name=nonesuch.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]1789 1 \
1790 -s "parse ServerName extension" \
1791 -s "ssl_sni_wrapper() returned" \
1792 -s "ssl_handshake returned" \
1793 -c "ssl_handshake returned" \
1794 -c "SSL - A fatal alert message was received from our peer"
1795
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1796# Tests for non-blocking I/O: exercise a variety of handshake flows
1797
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1798run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1799 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
1800 "$P_CLI nbio=2 tickets=0" \
1801 0 \
1802 -S "ssl_handshake returned" \
1803 -C "ssl_handshake returned" \
1804 -c "Read from server: .* bytes read"
1805
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1806run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1807 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
1808 "$P_CLI nbio=2 tickets=0" \
1809 0 \
1810 -S "ssl_handshake returned" \
1811 -C "ssl_handshake returned" \
1812 -c "Read from server: .* bytes read"
1813
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1814run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1815 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
1816 "$P_CLI nbio=2 tickets=1" \
1817 0 \
1818 -S "ssl_handshake returned" \
1819 -C "ssl_handshake returned" \
1820 -c "Read from server: .* bytes read"
1821
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1822run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1823 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
1824 "$P_CLI nbio=2 tickets=1" \
1825 0 \
1826 -S "ssl_handshake returned" \
1827 -C "ssl_handshake returned" \
1828 -c "Read from server: .* bytes read"
1829
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1830run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1831 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
1832 "$P_CLI nbio=2 tickets=1 reconnect=1" \
1833 0 \
1834 -S "ssl_handshake returned" \
1835 -C "ssl_handshake returned" \
1836 -c "Read from server: .* bytes read"
1837
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1838run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1839 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
1840 "$P_CLI nbio=2 tickets=1 reconnect=1" \
1841 0 \
1842 -S "ssl_handshake returned" \
1843 -C "ssl_handshake returned" \
1844 -c "Read from server: .* bytes read"
1845
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1846run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]1847 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
1848 "$P_CLI nbio=2 tickets=0 reconnect=1" \
1849 0 \
1850 -S "ssl_handshake returned" \
1851 -C "ssl_handshake returned" \
1852 -c "Read from server: .* bytes read"
1853
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1854# Tests for version negotiation
1855
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1856run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1857 "$P_SRV" \
1858 "$P_CLI" \
1859 0 \
1860 -S "ssl_handshake returned" \
1861 -C "ssl_handshake returned" \
1862 -s "Protocol is TLSv1.2" \
1863 -c "Protocol is TLSv1.2"
1864
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1865run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1866 "$P_SRV" \
1867 "$P_CLI max_version=tls1_1" \
1868 0 \
1869 -S "ssl_handshake returned" \
1870 -C "ssl_handshake returned" \
1871 -s "Protocol is TLSv1.1" \
1872 -c "Protocol is TLSv1.1"
1873
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1874run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1875 "$P_SRV max_version=tls1_1" \
1876 "$P_CLI" \
1877 0 \
1878 -S "ssl_handshake returned" \
1879 -C "ssl_handshake returned" \
1880 -s "Protocol is TLSv1.1" \
1881 -c "Protocol is TLSv1.1"
1882
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1883run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1884 "$P_SRV max_version=tls1_1" \
1885 "$P_CLI max_version=tls1_1" \
1886 0 \
1887 -S "ssl_handshake returned" \
1888 -C "ssl_handshake returned" \
1889 -s "Protocol is TLSv1.1" \
1890 -c "Protocol is TLSv1.1"
1891
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1892run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1893 "$P_SRV min_version=tls1_1" \
1894 "$P_CLI max_version=tls1_1" \
1895 0 \
1896 -S "ssl_handshake returned" \
1897 -C "ssl_handshake returned" \
1898 -s "Protocol is TLSv1.1" \
1899 -c "Protocol is TLSv1.1"
1900
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1901run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1902 "$P_SRV max_version=tls1_1" \
1903 "$P_CLI min_version=tls1_1" \
1904 0 \
1905 -S "ssl_handshake returned" \
1906 -C "ssl_handshake returned" \
1907 -s "Protocol is TLSv1.1" \
1908 -c "Protocol is TLSv1.1"
1909
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1910run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1911 "$P_SRV max_version=tls1_1" \
1912 "$P_CLI min_version=tls1_2" \
1913 1 \
1914 -s "ssl_handshake returned" \
1915 -c "ssl_handshake returned" \
1916 -c "SSL - Handshake protocol not within min/max boundaries"
1917
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1918run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1919 "$P_SRV min_version=tls1_2" \
1920 "$P_CLI max_version=tls1_1" \
1921 1 \
1922 -s "ssl_handshake returned" \
1923 -c "ssl_handshake returned" \
1924 -s "SSL - Handshake protocol not within min/max boundaries"
1925
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1926# Tests for ALPN extension
1927
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]1928if grep '^#define POLARSSL_SSL_ALPN' $CONFIG_H >/dev/null; then
1929
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1930run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1931 "$P_SRV debug_level=3" \
1932 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1933 0 \
1934 -C "client hello, adding alpn extension" \
1935 -S "found alpn extension" \
1936 -C "got an alert message, type: \\[2:120]" \
1937 -S "server hello, adding alpn extension" \
1938 -C "found alpn extension " \
1939 -C "Application Layer Protocol is" \
1940 -S "Application Layer Protocol is"
1941
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1942run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1943 "$P_SRV debug_level=3" \
1944 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1945 0 \
1946 -c "client hello, adding alpn extension" \
1947 -s "found alpn extension" \
1948 -C "got an alert message, type: \\[2:120]" \
1949 -S "server hello, adding alpn extension" \
1950 -C "found alpn extension " \
1951 -c "Application Layer Protocol is (none)" \
1952 -S "Application Layer Protocol is"
1953
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1954run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1955 "$P_SRV debug_level=3 alpn=abc,1234" \
1956 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1957 0 \
1958 -C "client hello, adding alpn extension" \
1959 -S "found alpn extension" \
1960 -C "got an alert message, type: \\[2:120]" \
1961 -S "server hello, adding alpn extension" \
1962 -C "found alpn extension " \
1963 -C "Application Layer Protocol is" \
1964 -s "Application Layer Protocol is (none)"
1965
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1966run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1967 "$P_SRV debug_level=3 alpn=abc,1234" \
1968 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1969 0 \
1970 -c "client hello, adding alpn extension" \
1971 -s "found alpn extension" \
1972 -C "got an alert message, type: \\[2:120]" \
1973 -s "server hello, adding alpn extension" \
1974 -c "found alpn extension" \
1975 -c "Application Layer Protocol is abc" \
1976 -s "Application Layer Protocol is abc"
1977
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1978run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1979 "$P_SRV debug_level=3 alpn=abc,1234" \
1980 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1981 0 \
1982 -c "client hello, adding alpn extension" \
1983 -s "found alpn extension" \
1984 -C "got an alert message, type: \\[2:120]" \
1985 -s "server hello, adding alpn extension" \
1986 -c "found alpn extension" \
1987 -c "Application Layer Protocol is abc" \
1988 -s "Application Layer Protocol is abc"
1989
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1990run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1991 "$P_SRV debug_level=3 alpn=abc,1234" \
1992 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1993 0 \
1994 -c "client hello, adding alpn extension" \
1995 -s "found alpn extension" \
1996 -C "got an alert message, type: \\[2:120]" \
1997 -s "server hello, adding alpn extension" \
1998 -c "found alpn extension" \
1999 -c "Application Layer Protocol is 1234" \
2000 -s "Application Layer Protocol is 1234"
2001
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2002run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2003 "$P_SRV debug_level=3 alpn=abc,123" \
2004 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2005 1 \
2006 -c "client hello, adding alpn extension" \
2007 -s "found alpn extension" \
2008 -c "got an alert message, type: \\[2:120]" \
2009 -S "server hello, adding alpn extension" \
2010 -C "found alpn extension" \
2011 -C "Application Layer Protocol is 1234" \
2012 -S "Application Layer Protocol is 1234"
2013
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2014fi
2015
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2016# Tests for keyUsage in leaf certificates, part 1:
2017# server-side certificate/suite selection
2018
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2019run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2020 "$P_SRV key_file=data_files/server2.key \
2021 crt_file=data_files/server2.ku-ds.crt" \
2022 "$P_CLI" \
2023 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2024 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2025
2026
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2027run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2028 "$P_SRV key_file=data_files/server2.key \
2029 crt_file=data_files/server2.ku-ke.crt" \
2030 "$P_CLI" \
2031 0 \
2032 -c "Ciphersuite is TLS-RSA-WITH-"
2033
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2034run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2035 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2036 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2037 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2038 1 \
2039 -C "Ciphersuite is "
2040
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2041run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2042 "$P_SRV key_file=data_files/server5.key \
2043 crt_file=data_files/server5.ku-ds.crt" \
2044 "$P_CLI" \
2045 0 \
2046 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2047
2048
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2049run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2050 "$P_SRV key_file=data_files/server5.key \
2051 crt_file=data_files/server5.ku-ka.crt" \
2052 "$P_CLI" \
2053 0 \
2054 -c "Ciphersuite is TLS-ECDH-"
2055
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2056run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2057 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2058 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2059 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2060 1 \
2061 -C "Ciphersuite is "
2062
2063# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2064# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2065
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2066run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2067 "$O_SRV -key data_files/server2.key \
2068 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2069 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2070 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2071 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2072 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2073 -C "Processing of the Certificate handshake message failed" \
2074 -c "Ciphersuite is TLS-"
2075
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2076run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2077 "$O_SRV -key data_files/server2.key \
2078 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2079 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2080 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2081 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2082 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2083 -C "Processing of the Certificate handshake message failed" \
2084 -c "Ciphersuite is TLS-"
2085
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2086run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2087 "$O_SRV -key data_files/server2.key \
2088 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2089 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2090 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2091 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2092 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2093 -C "Processing of the Certificate handshake message failed" \
2094 -c "Ciphersuite is TLS-"
2095
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2096run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2097 "$O_SRV -key data_files/server2.key \
2098 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2099 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2100 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2101 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2102 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2103 -c "Processing of the Certificate handshake message failed" \
2104 -C "Ciphersuite is TLS-"
2105
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +0200[diff] [blame]2106run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2107 "$O_SRV -key data_files/server2.key \
2108 -cert data_files/server2.ku-ke.crt" \
2109 "$P_CLI debug_level=1 auth_mode=optional \
2110 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2111 0 \
2112 -c "bad certificate (usage extensions)" \
2113 -C "Processing of the Certificate handshake message failed" \
2114 -c "Ciphersuite is TLS-" \
2115 -c "! Usage does not match the keyUsage extension"
2116
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2117run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2118 "$O_SRV -key data_files/server2.key \
2119 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2120 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2121 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2122 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2123 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2124 -C "Processing of the Certificate handshake message failed" \
2125 -c "Ciphersuite is TLS-"
2126
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2127run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2128 "$O_SRV -key data_files/server2.key \
2129 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2130 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2131 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2132 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2133 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2134 -c "Processing of the Certificate handshake message failed" \
2135 -C "Ciphersuite is TLS-"
2136
Manuel Pégourié-Gonnarde16b62c2015-04-17 16:55:53 +0200[diff] [blame]2137run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2138 "$O_SRV -key data_files/server2.key \
2139 -cert data_files/server2.ku-ds.crt" \
2140 "$P_CLI debug_level=1 auth_mode=optional \
2141 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2142 0 \
2143 -c "bad certificate (usage extensions)" \
2144 -C "Processing of the Certificate handshake message failed" \
2145 -c "Ciphersuite is TLS-" \
2146 -c "! Usage does not match the keyUsage extension"
2147
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2148# Tests for keyUsage in leaf certificates, part 3:
2149# server-side checking of client cert
2150
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2151run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2152 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2153 "$O_CLI -key data_files/server2.key \
2154 -cert data_files/server2.ku-ds.crt" \
2155 0 \
2156 -S "bad certificate (usage extensions)" \
2157 -S "Processing of the Certificate handshake message failed"
2158
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2159run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2160 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2161 "$O_CLI -key data_files/server2.key \
2162 -cert data_files/server2.ku-ke.crt" \
2163 0 \
2164 -s "bad certificate (usage extensions)" \
2165 -S "Processing of the Certificate handshake message failed"
2166
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2167run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2168 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2169 "$O_CLI -key data_files/server2.key \
2170 -cert data_files/server2.ku-ke.crt" \
2171 1 \
2172 -s "bad certificate (usage extensions)" \
2173 -s "Processing of the Certificate handshake message failed"
2174
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2175run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2176 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2177 "$O_CLI -key data_files/server5.key \
2178 -cert data_files/server5.ku-ds.crt" \
2179 0 \
2180 -S "bad certificate (usage extensions)" \
2181 -S "Processing of the Certificate handshake message failed"
2182
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2183run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2184 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2185 "$O_CLI -key data_files/server5.key \
2186 -cert data_files/server5.ku-ka.crt" \
2187 0 \
2188 -s "bad certificate (usage extensions)" \
2189 -S "Processing of the Certificate handshake message failed"
2190
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2191# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2192
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2193run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2194 "$P_SRV key_file=data_files/server5.key \
2195 crt_file=data_files/server5.eku-srv.crt" \
2196 "$P_CLI" \
2197 0
2198
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2199run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2200 "$P_SRV key_file=data_files/server5.key \
2201 crt_file=data_files/server5.eku-srv.crt" \
2202 "$P_CLI" \
2203 0
2204
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2205run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2206 "$P_SRV key_file=data_files/server5.key \
2207 crt_file=data_files/server5.eku-cs_any.crt" \
2208 "$P_CLI" \
2209 0
2210
2211# add psk to leave an option for client to send SERVERQUIT
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2212run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2213 "$P_SRV psk=abc123 key_file=data_files/server5.key \
2214 crt_file=data_files/server5.eku-cli.crt" \
2215 "$P_CLI psk=badbad" \
2216 1
2217
2218# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2219
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2220run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2221 "$O_SRV -key data_files/server5.key \
2222 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2223 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2224 0 \
2225 -C "bad certificate (usage extensions)" \
2226 -C "Processing of the Certificate handshake message failed" \
2227 -c "Ciphersuite is TLS-"
2228
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2229run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2230 "$O_SRV -key data_files/server5.key \
2231 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2232 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2233 0 \
2234 -C "bad certificate (usage extensions)" \
2235 -C "Processing of the Certificate handshake message failed" \
2236 -c "Ciphersuite is TLS-"
2237
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2238run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2239 "$O_SRV -key data_files/server5.key \
2240 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2241 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2242 0 \
2243 -C "bad certificate (usage extensions)" \
2244 -C "Processing of the Certificate handshake message failed" \
2245 -c "Ciphersuite is TLS-"
2246
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2247run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2248 "$O_SRV -key data_files/server5.key \
2249 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2250 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2251 1 \
2252 -c "bad certificate (usage extensions)" \
2253 -c "Processing of the Certificate handshake message failed" \
2254 -C "Ciphersuite is TLS-"
2255
2256# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2257
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2258run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2259 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2260 "$O_CLI -key data_files/server5.key \
2261 -cert data_files/server5.eku-cli.crt" \
2262 0 \
2263 -S "bad certificate (usage extensions)" \
2264 -S "Processing of the Certificate handshake message failed"
2265
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2266run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2267 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2268 "$O_CLI -key data_files/server5.key \
2269 -cert data_files/server5.eku-srv_cli.crt" \
2270 0 \
2271 -S "bad certificate (usage extensions)" \
2272 -S "Processing of the Certificate handshake message failed"
2273
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2274run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2275 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2276 "$O_CLI -key data_files/server5.key \
2277 -cert data_files/server5.eku-cs_any.crt" \
2278 0 \
2279 -S "bad certificate (usage extensions)" \
2280 -S "Processing of the Certificate handshake message failed"
2281
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2282run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2283 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2284 "$O_CLI -key data_files/server5.key \
2285 -cert data_files/server5.eku-cs.crt" \
2286 0 \
2287 -s "bad certificate (usage extensions)" \
2288 -S "Processing of the Certificate handshake message failed"
2289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2290run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2291 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2292 "$O_CLI -key data_files/server5.key \
2293 -cert data_files/server5.eku-cs.crt" \
2294 1 \
2295 -s "bad certificate (usage extensions)" \
2296 -s "Processing of the Certificate handshake message failed"
2297
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2298# Tests for DHM parameters loading
2299
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2300run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2301 "$P_SRV" \
2302 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2303 debug_level=3" \
2304 0 \
2305 -c "value of 'DHM: P ' (2048 bits)" \
2306 -c "value of 'DHM: G ' (2048 bits)"
2307
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2308run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2309 "$P_SRV dhm_file=data_files/dhparams.pem" \
2310 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2311 debug_level=3" \
2312 0 \
2313 -c "value of 'DHM: P ' (1024 bits)" \
2314 -c "value of 'DHM: G ' (2 bits)"
2315
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2316# Tests for PSK callback
2317
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2318run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2319 "$P_SRV psk=abc123 psk_identity=foo" \
2320 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2321 psk_identity=foo psk=abc123" \
2322 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2323 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2324 -S "SSL - Unknown identity received" \
2325 -S "SSL - Verification of the message MAC failed"
2326
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2327run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2328 "$P_SRV" \
2329 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2330 psk_identity=foo psk=abc123" \
2331 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2332 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2333 -S "SSL - Unknown identity received" \
2334 -S "SSL - Verification of the message MAC failed"
2335
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2336run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2337 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2338 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2339 psk_identity=foo psk=abc123" \
2340 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2341 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2342 -s "SSL - Unknown identity received" \
2343 -S "SSL - Verification of the message MAC failed"
2344
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2345run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2346 "$P_SRV psk_list=abc,dead,def,beef" \
2347 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2348 psk_identity=abc psk=dead" \
2349 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2350 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2351 -S "SSL - Unknown identity received" \
2352 -S "SSL - Verification of the message MAC failed"
2353
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2354run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2355 "$P_SRV psk_list=abc,dead,def,beef" \
2356 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2357 psk_identity=def psk=beef" \
2358 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2359 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2360 -S "SSL - Unknown identity received" \
2361 -S "SSL - Verification of the message MAC failed"
2362
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2363run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2364 "$P_SRV psk_list=abc,dead,def,beef" \
2365 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2366 psk_identity=ghi psk=beef" \
2367 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2368 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2369 -s "SSL - Unknown identity received" \
2370 -S "SSL - Verification of the message MAC failed"
2371
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2372run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2373 "$P_SRV psk_list=abc,dead,def,beef" \
2374 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2375 psk_identity=abc psk=beef" \
2376 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2377 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2378 -S "SSL - Unknown identity received" \
2379 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2380
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2381# Tests for ciphersuites per version
2382
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2383requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2384run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2385 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2386 "$P_CLI force_version=ssl3" \
2387 0 \
2388 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
2389
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2390run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2391 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
2392 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2393 0 \
2394 -c "Ciphersuite is TLS-RSA-WITH-RC4-128-SHA"
2395
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2396run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2397 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
2398 "$P_CLI force_version=tls1_1" \
2399 0 \
2400 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
2401
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2402run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2403 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
2404 "$P_CLI force_version=tls1_2" \
2405 0 \
2406 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
2407
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2408# Tests for ssl_get_bytes_avail()
2409
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2410run_test "ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2411 "$P_SRV" \
2412 "$P_CLI request_size=100" \
2413 0 \
2414 -s "Read from client: 100 bytes read$"
2415
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2416run_test "ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]2417 "$P_SRV" \
2418 "$P_CLI request_size=500" \
2419 0 \
2420 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]2421
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2422# Tests for small packets
2423
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2424requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2425run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2426 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2427 "$P_CLI request_size=1 force_version=ssl3 \
2428 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2429 0 \
2430 -s "Read from client: 1 bytes read"
2431
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2432requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2433run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2434 "$P_SRV min_version=ssl3 arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2435 "$P_CLI request_size=1 force_version=ssl3 \
2436 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2437 0 \
2438 -s "Read from client: 1 bytes read"
2439
2440run_test "Small packet TLS 1.0 BlockCipher" \
2441 "$P_SRV" \
2442 "$P_CLI request_size=1 force_version=tls1 \
2443 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2444 0 \
2445 -s "Read from client: 1 bytes read"
2446
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]2447run_test "Small packet TLS 1.0 BlockCipher without EtM" \
2448 "$P_SRV" \
2449 "$P_CLI request_size=1 force_version=tls1 etm=0 \
2450 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2451 0 \
2452 -s "Read from client: 1 bytes read"
2453
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2454run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
2455 "$P_SRV" \
2456 "$P_CLI request_size=1 force_version=tls1 \
2457 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2458 trunc_hmac=1" \
2459 0 \
2460 -s "Read from client: 1 bytes read"
2461
2462run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2463 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2464 "$P_CLI request_size=1 force_version=tls1 \
2465 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2466 trunc_hmac=1" \
2467 0 \
2468 -s "Read from client: 1 bytes read"
2469
2470run_test "Small packet TLS 1.1 BlockCipher" \
2471 "$P_SRV" \
2472 "$P_CLI request_size=1 force_version=tls1_1 \
2473 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2474 0 \
2475 -s "Read from client: 1 bytes read"
2476
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]2477run_test "Small packet TLS 1.1 BlockCipher without EtM" \
2478 "$P_SRV" \
2479 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
2480 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2481 0 \
2482 -s "Read from client: 1 bytes read"
2483
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2484run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2485 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2486 "$P_CLI request_size=1 force_version=tls1_1 \
2487 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2488 0 \
2489 -s "Read from client: 1 bytes read"
2490
2491run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
2492 "$P_SRV" \
2493 "$P_CLI request_size=1 force_version=tls1_1 \
2494 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2495 trunc_hmac=1" \
2496 0 \
2497 -s "Read from client: 1 bytes read"
2498
2499run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2500 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2501 "$P_CLI request_size=1 force_version=tls1_1 \
2502 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2503 trunc_hmac=1" \
2504 0 \
2505 -s "Read from client: 1 bytes read"
2506
2507run_test "Small packet TLS 1.2 BlockCipher" \
2508 "$P_SRV" \
2509 "$P_CLI request_size=1 force_version=tls1_2 \
2510 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2511 0 \
2512 -s "Read from client: 1 bytes read"
2513
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]2514run_test "Small packet TLS 1.2 BlockCipher without EtM" \
2515 "$P_SRV" \
2516 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
2517 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2518 0 \
2519 -s "Read from client: 1 bytes read"
2520
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2521run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
2522 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2523 "$P_CLI request_size=1 force_version=tls1_2 \
2524 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2525 0 \
2526 -s "Read from client: 1 bytes read"
2527
2528run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
2529 "$P_SRV" \
2530 "$P_CLI request_size=1 force_version=tls1_2 \
2531 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2532 trunc_hmac=1" \
2533 0 \
2534 -s "Read from client: 1 bytes read"
2535
2536run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2537 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2538 "$P_CLI request_size=1 force_version=tls1_2 \
2539 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2540 0 \
2541 -s "Read from client: 1 bytes read"
2542
2543run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2544 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]2545 "$P_CLI request_size=1 force_version=tls1_2 \
2546 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2547 trunc_hmac=1" \
2548 0 \
2549 -s "Read from client: 1 bytes read"
2550
2551run_test "Small packet TLS 1.2 AEAD" \
2552 "$P_SRV" \
2553 "$P_CLI request_size=1 force_version=tls1_2 \
2554 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
2555 0 \
2556 -s "Read from client: 1 bytes read"
2557
2558run_test "Small packet TLS 1.2 AEAD shorter tag" \
2559 "$P_SRV" \
2560 "$P_CLI request_size=1 force_version=tls1_2 \
2561 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
2562 0 \
2563 -s "Read from client: 1 bytes read"
2564
Janos Follath8abaa8b2016-05-06 13:48:23 +0100[diff] [blame]2565# A test for extensions in SSLv3
2566
Hanno Becker6fd6d242017-05-25 17:51:31 +0100[diff] [blame]2567requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Janos Follath8abaa8b2016-05-06 13:48:23 +0100[diff] [blame]2568run_test "SSLv3 with extensions, server side" \
2569 "$P_SRV min_version=ssl3 debug_level=3" \
2570 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
2571 0 \
2572 -S "dumping 'client hello extensions'" \
2573 -S "server hello, total extension length:"
2574
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2575# Test for large packets
2576
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2577requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2578run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2579 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2580 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2581 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2582 0 \
2583 -s "Read from client: 16384 bytes read"
2584
Janos Follath4dfecab2016-03-14 13:40:43 +0000[diff] [blame]2585requires_config_enabled POLARSSL_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2586run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2587 "$P_SRV min_version=ssl3 arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2588 "$P_CLI request_size=16384 force_version=ssl3 \
2589 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2590 0 \
2591 -s "Read from client: 16384 bytes read"
2592
2593run_test "Large packet TLS 1.0 BlockCipher" \
2594 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2595 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2596 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2597 0 \
2598 -s "Read from client: 16384 bytes read"
2599
2600run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
2601 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2602 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2603 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2604 trunc_hmac=1" \
2605 0 \
2606 -s "Read from client: 16384 bytes read"
2607
2608run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2609 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2610 "$P_CLI request_size=16384 force_version=tls1 \
2611 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2612 trunc_hmac=1" \
2613 0 \
2614 -s "Read from client: 16384 bytes read"
2615
2616run_test "Large packet TLS 1.1 BlockCipher" \
2617 "$P_SRV" \
2618 "$P_CLI request_size=16384 force_version=tls1_1 \
2619 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2620 0 \
2621 -s "Read from client: 16384 bytes read"
2622
2623run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2624 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2625 "$P_CLI request_size=16384 force_version=tls1_1 \
2626 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2627 0 \
2628 -s "Read from client: 16384 bytes read"
2629
2630run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
2631 "$P_SRV" \
2632 "$P_CLI request_size=16384 force_version=tls1_1 \
2633 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2634 trunc_hmac=1" \
2635 0 \
2636 -s "Read from client: 16384 bytes read"
2637
2638run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2639 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2640 "$P_CLI request_size=16384 force_version=tls1_1 \
2641 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2642 trunc_hmac=1" \
2643 0 \
2644 -s "Read from client: 16384 bytes read"
2645
2646run_test "Large packet TLS 1.2 BlockCipher" \
2647 "$P_SRV" \
2648 "$P_CLI request_size=16384 force_version=tls1_2 \
2649 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
2650 0 \
2651 -s "Read from client: 16384 bytes read"
2652
2653run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
2654 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]2655 "$P_CLI request_size=16384 force_version=tls1_2 \
2656 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2657 0 \
2658 -s "Read from client: 16384 bytes read"
2659
2660run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
2661 "$P_SRV" \
2662 "$P_CLI request_size=16384 force_version=tls1_2 \
2663 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
2664 trunc_hmac=1" \
2665 0 \
2666 -s "Read from client: 16384 bytes read"
2667
2668run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2669 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2670 "$P_CLI request_size=16384 force_version=tls1_2 \
2671 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
2672 0 \
2673 -s "Read from client: 16384 bytes read"
2674
2675run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2676 "$P_SRV arc4=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]2677 "$P_CLI request_size=16384 force_version=tls1_2 \
2678 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2679 trunc_hmac=1" \
2680 0 \
2681 -s "Read from client: 16384 bytes read"
2682
2683run_test "Large packet TLS 1.2 AEAD" \
2684 "$P_SRV" \
2685 "$P_CLI request_size=16384 force_version=tls1_2 \
2686 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
2687 0 \
2688 -s "Read from client: 16384 bytes read"
2689
2690run_test "Large packet TLS 1.2 AEAD shorter tag" \
2691 "$P_SRV" \
2692 "$P_CLI request_size=16384 force_version=tls1_2 \
2693 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
2694 0 \
2695 -s "Read from client: 16384 bytes read"
2696
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2697# Final report
2698
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2699echo "------------------------------------------------------------------------"
2700
2701if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]2702 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2703else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]2704 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2705fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]2706PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]2707echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2708
2709exit $FAILS