TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 32f8f4d1a0fb12ee29fb8501e3bef1846abb580a / . / tests / ssl-opt.sh
blob: 1f7a4adb3531351913002103db6861a54bfd6c69 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
9# Assumes all options are compiled in.
10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]13# test if it is defined from the environment before assining default
14# if yes, assume it means it's a build with all the options we need (SSLv2)
15if [ -n "${OPENSSL_CMD:-}" ]; then
16 OPENSSL_OK=1
17else
18 OPENSSL_OK=0
19fi
20
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]21# default values, can be overriden by the environment
22: ${P_SRV:=../programs/ssl/ssl_server2}
23: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]24: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]25
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]26O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
27O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]28
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]29TESTS=0
30FAILS=0
31
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]32CONFIG_H='../include/polarssl/config.h'
33
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]34MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]35FILTER='.*'
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]36if [ "$OPENSSL_OK" -gt 0 ]; then
37 EXCLUDE='^$'
38else
39 EXCLUDE='SSLv2'
40fi
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]41
42print_usage() {
43 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]44 echo -e " -h|--help\tPrint this help."
45 echo -e " -m|--memcheck\tCheck memory leaks and errors."
46 echo -e " -f|--filter\tOnly matching tests are executed (default: '$FILTER')"
47 echo -e " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48}
49
50get_options() {
51 while [ $# -gt 0 ]; do
52 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]53 -f|--filter)
54 shift; FILTER=$1
55 ;;
56 -e|--exclude)
57 shift; EXCLUDE=$1
58 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]59 -m|--memcheck)
60 MEMCHECK=1
61 ;;
62 -h|--help)
63 print_usage
64 exit 0
65 ;;
66 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]67 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]68 print_usage
69 exit 1
70 ;;
71 esac
72 shift
73 done
74}
75
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]76# print_name <name>
77print_name() {
78 echo -n "$1 "
79 LEN=`echo "$1" | wc -c`
80 LEN=`echo 72 - $LEN | bc`
81 for i in `seq 1 $LEN`; do echo -n '.'; done
82 echo -n ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]83
84 TESTS=`echo $TESTS + 1 | bc`
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]85}
86
87# fail <message>
88fail() {
89 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]90 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]91
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]92 cp $SRV_OUT o-srv-${TESTS}.log
93 cp $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]94 echo " ! outputs saved to o-srv-${TESTS}.log and o-cli-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]95
96 FAILS=`echo $FAILS + 1 | bc`
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]97}
98
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]99# is_polar <cmd_line>
100is_polar() {
101 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
102}
103
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104# has_mem_err <log_file_name>
105has_mem_err() {
106 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
107 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
108 then
109 return 1 # false: does not have errors
110 else
111 return 0 # true: has errors
112 fi
113}
114
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]115# Usage: run_test name srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]116# Options: -s pattern pattern that must be present in server output
117# -c pattern pattern that must be present in client output
118# -S pattern pattern that must be absent in server output
119# -C pattern pattern that must be absent in client output
120run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]121 NAME="$1"
122 SRV_CMD="$2"
123 CLI_CMD="$3"
124 CLI_EXPECT="$4"
125 shift 4
126
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]127 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
128 else
129 return
130 fi
131
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]132 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]133
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]134 # prepend valgrind to our commands if active
135 if [ "$MEMCHECK" -gt 0 ]; then
136 if is_polar "$SRV_CMD"; then
137 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
138 fi
139 if is_polar "$CLI_CMD"; then
140 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
141 fi
142 fi
143
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]144 # run the commands
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]145 echo "$SRV_CMD" > $SRV_OUT
146 $SRV_CMD >> $SRV_OUT 2>&1 &
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]147 SRV_PID=$!
148 sleep 1
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]149 echo "$CLI_CMD" > $CLI_OUT
150 eval "$CLI_CMD" >> $CLI_OUT 2>&1
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]151 CLI_EXIT=$?
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]152 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]153
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]154 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame^]155 # start watchdog in case SERVERQUIT fails
156 ( sleep 10; echo "SERVERQUIT TIMEOUT"; kill $MAIN_PID ) &
157 WATCHDOG_PID=$!
158
159 # psk is useful when server only has bad certs
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]160 $P_CLI request_page=SERVERQUIT tickets=0 auth_mode=none psk=abc123 \
Manuel Pégourié-Gonnard84fd6872014-03-13 18:35:10 +0100[diff] [blame]161 crt_file=data_files/cli2.crt key_file=data_files/cli2.key \
162 >/dev/null
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame^]163
164 wait $SRV_PID
165 kill $WATCHDOG_PID
166 wait $WATCHDOG_PID
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]167 else
168 kill $SRV_PID
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame^]169 wait $SRV_PID
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]170 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]171
172 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]173 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]174 # expected client exit to incorrectly succeed in case of catastrophic
175 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]176 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]177 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]178 else
179 fail "server failed to start"
180 return
181 fi
182 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]183 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]184 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]185 else
186 fail "client failed to start"
187 return
188 fi
189 fi
190
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]191 # check server exit code
192 if [ $? != 0 ]; then
193 fail "server fail"
194 return
195 fi
196
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]197 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]198 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
199 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]200 then
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]201 fail "bad client exit code"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]202 return
203 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]204
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]205 # check other assertions
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]206 while [ $# -gt 0 ]
207 do
208 case $1 in
209 "-s")
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]210 if grep "$2" $SRV_OUT >/dev/null; then :; else
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]211 fail "-s $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]212 return
213 fi
214 ;;
215
216 "-c")
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]217 if grep "$2" $CLI_OUT >/dev/null; then :; else
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]218 fail "-c $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]219 return
220 fi
221 ;;
222
223 "-S")
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]224 if grep "$2" $SRV_OUT >/dev/null; then
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]225 fail "-S $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]226 return
227 fi
228 ;;
229
230 "-C")
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]231 if grep "$2" $CLI_OUT >/dev/null; then
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]232 fail "-C $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]233 return
234 fi
235 ;;
236
237 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]238 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]239 exit 1
240 esac
241 shift 2
242 done
243
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]244 # check valgrind's results
245 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]246 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]247 fail "Server has memory errors"
248 return
249 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]250 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]251 fail "Client has memory errors"
252 return
253 fi
254 fi
255
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]256 # if we're here, everything is ok
257 echo "PASS"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]258 rm -f $SRV_OUT $CLI_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]259}
260
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]261cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]262 rm -f $CLI_OUT $SRV_OUT $SESSION
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]263 kill $SRV_PID
264 exit 1
265}
266
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]267#
268# MAIN
269#
270
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]271get_options "$@"
272
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]273# sanity checks, avoid an avalanche of errors
274if [ ! -x "$P_SRV" ]; then
275 echo "Command '$P_SRV' is not an executable file"
276 exit 1
277fi
278if [ ! -x "$P_CLI" ]; then
279 echo "Command '$P_CLI' is not an executable file"
280 exit 1
281fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]282if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
283 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]284 exit 1
285fi
286
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame^]287# used by watchdog
288MAIN_PID="$$"
289
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]290# Pick a "unique" port in the range 10000-19999.
291PORT="0000$$"
292PORT="1$(echo $PORT | tail -c 4)"
293
294# fix commands to use this port
295P_SRV="$P_SRV server_port=$PORT"
296P_CLI="$P_CLI server_port=$PORT"
297O_SRV="$O_SRV -accept $PORT"
298O_CLI="$O_CLI -connect localhost:$PORT"
299
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]300# Also pick a unique name for intermediate files
301SRV_OUT="srv_out.$$"
302CLI_OUT="cli_out.$$"
303SESSION="session.$$"
304
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]305trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]306
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]307# Test for SSLv2 ClientHello
308
309run_test "SSLv2 ClientHello #0 (reference)" \
310 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]311 "$O_CLI -no_ssl2" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]312 0 \
313 -S "parse client hello v2" \
314 -S "ssl_handshake returned"
315
316# Adding a SSL2-only suite makes OpenSSL client send SSLv2 ClientHello
317run_test "SSLv2 ClientHello #1 (actual test)" \
318 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]319 "$O_CLI -cipher 'DES-CBC-MD5:ALL'" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]320 0 \
321 -s "parse client hello v2" \
322 -S "ssl_handshake returned"
323
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]324# Tests for Truncated HMAC extension
325
326run_test "Truncated HMAC #0" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]327 "$P_SRV debug_level=5" \
328 "$P_CLI trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]329 0 \
330 -s "dumping 'computed mac' (20 bytes)"
331
332run_test "Truncated HMAC #1" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]333 "$P_SRV debug_level=5" \
334 "$P_CLI trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]335 0 \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]336 -s "dumping 'computed mac' (10 bytes)"
337
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]338# Tests for Session Tickets
339
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]340run_test "Session resume using tickets #1 (basic)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]341 "$P_SRV debug_level=4 tickets=1" \
342 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]343 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]344 -c "client hello, adding session ticket extension" \
345 -s "found session ticket extension" \
346 -s "server hello, adding session ticket extension" \
347 -c "found session_ticket extension" \
348 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]349 -S "session successfully restored from cache" \
350 -s "session successfully restored from ticket" \
351 -s "a session has been resumed" \
352 -c "a session has been resumed"
353
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]354run_test "Session resume using tickets #2 (cache disabled)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]355 "$P_SRV debug_level=4 tickets=1 cache_max=0" \
356 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]357 0 \
358 -c "client hello, adding session ticket extension" \
359 -s "found session ticket extension" \
360 -s "server hello, adding session ticket extension" \
361 -c "found session_ticket extension" \
362 -c "parse new session ticket" \
363 -S "session successfully restored from cache" \
364 -s "session successfully restored from ticket" \
365 -s "a session has been resumed" \
366 -c "a session has been resumed"
367
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]368run_test "Session resume using tickets #3 (timeout)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]369 "$P_SRV debug_level=4 tickets=1 cache_max=0 ticket_timeout=1" \
370 "$P_CLI debug_level=4 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]371 0 \
372 -c "client hello, adding session ticket extension" \
373 -s "found session ticket extension" \
374 -s "server hello, adding session ticket extension" \
375 -c "found session_ticket extension" \
376 -c "parse new session ticket" \
377 -S "session successfully restored from cache" \
378 -S "session successfully restored from ticket" \
379 -S "a session has been resumed" \
380 -C "a session has been resumed"
381
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]382run_test "Session resume using tickets #4 (openssl server)" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]383 "$O_SRV" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]384 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
385 0 \
386 -c "client hello, adding session ticket extension" \
387 -c "found session_ticket extension" \
388 -c "parse new session ticket" \
389 -c "a session has been resumed"
390
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]391run_test "Session resume using tickets #5 (openssl client)" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]392 "$P_SRV debug_level=4 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]393 "( $O_CLI -sess_out $SESSION; \
394 $O_CLI -sess_in $SESSION; \
395 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]396 0 \
397 -s "found session ticket extension" \
398 -s "server hello, adding session ticket extension" \
399 -S "session successfully restored from cache" \
400 -s "session successfully restored from ticket" \
401 -s "a session has been resumed"
402
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]403# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]404
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]405run_test "Session resume using cache #1 (tickets enabled on client)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]406 "$P_SRV debug_level=4 tickets=0" \
407 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]408 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]409 -c "client hello, adding session ticket extension" \
410 -s "found session ticket extension" \
411 -S "server hello, adding session ticket extension" \
412 -C "found session_ticket extension" \
413 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]414 -s "session successfully restored from cache" \
415 -S "session successfully restored from ticket" \
416 -s "a session has been resumed" \
417 -c "a session has been resumed"
418
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]419run_test "Session resume using cache #2 (tickets enabled on server)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]420 "$P_SRV debug_level=4 tickets=1" \
421 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]422 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]423 -C "client hello, adding session ticket extension" \
424 -S "found session ticket extension" \
425 -S "server hello, adding session ticket extension" \
426 -C "found session_ticket extension" \
427 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]428 -s "session successfully restored from cache" \
429 -S "session successfully restored from ticket" \
430 -s "a session has been resumed" \
431 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]432
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]433run_test "Session resume using cache #3 (cache_max=0)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]434 "$P_SRV debug_level=4 tickets=0 cache_max=0" \
435 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]436 0 \
437 -S "session successfully restored from cache" \
438 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]439 -S "a session has been resumed" \
440 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]441
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]442run_test "Session resume using cache #4 (cache_max=1)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]443 "$P_SRV debug_level=4 tickets=0 cache_max=1" \
444 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]445 0 \
446 -s "session successfully restored from cache" \
447 -S "session successfully restored from ticket" \
448 -s "a session has been resumed" \
449 -c "a session has been resumed"
450
451run_test "Session resume using cache #5 (timemout > delay)" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]452 "$P_SRV debug_level=4 tickets=0" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]453 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]454 0 \
455 -s "session successfully restored from cache" \
456 -S "session successfully restored from ticket" \
457 -s "a session has been resumed" \
458 -c "a session has been resumed"
459
460run_test "Session resume using cache #6 (timeout < delay)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]461 "$P_SRV debug_level=4 tickets=0 cache_timeout=1" \
462 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]463 0 \
464 -S "session successfully restored from cache" \
465 -S "session successfully restored from ticket" \
466 -S "a session has been resumed" \
467 -C "a session has been resumed"
468
469run_test "Session resume using cache #7 (no timeout)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]470 "$P_SRV debug_level=4 tickets=0 cache_timeout=0" \
471 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]472 0 \
473 -s "session successfully restored from cache" \
474 -S "session successfully restored from ticket" \
475 -s "a session has been resumed" \
476 -c "a session has been resumed"
477
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]478run_test "Session resume using cache #8 (openssl client)" \
479 "$P_SRV debug_level=4 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]480 "( $O_CLI -sess_out $SESSION; \
481 $O_CLI -sess_in $SESSION; \
482 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]483 0 \
484 -s "found session ticket extension" \
485 -S "server hello, adding session ticket extension" \
486 -s "session successfully restored from cache" \
487 -S "session successfully restored from ticket" \
488 -s "a session has been resumed"
489
490run_test "Session resume using cache #9 (openssl server)" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]491 "$O_SRV" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]492 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
493 0 \
494 -C "found session_ticket extension" \
495 -C "parse new session ticket" \
496 -c "a session has been resumed"
497
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]498# Tests for Max Fragment Length extension
499
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]500run_test "Max fragment length #1" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]501 "$P_SRV debug_level=4" \
502 "$P_CLI debug_level=4" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]503 0 \
504 -C "client hello, adding max_fragment_length extension" \
505 -S "found max fragment length extension" \
506 -S "server hello, max_fragment_length extension" \
507 -C "found max_fragment_length extension"
508
509run_test "Max fragment length #2" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]510 "$P_SRV debug_level=4" \
511 "$P_CLI debug_level=4 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]512 0 \
513 -c "client hello, adding max_fragment_length extension" \
514 -s "found max fragment length extension" \
515 -s "server hello, max_fragment_length extension" \
516 -c "found max_fragment_length extension"
517
518run_test "Max fragment length #3" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]519 "$P_SRV debug_level=4 max_frag_len=4096" \
520 "$P_CLI debug_level=4" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]521 0 \
522 -C "client hello, adding max_fragment_length extension" \
523 -S "found max fragment length extension" \
524 -S "server hello, max_fragment_length extension" \
525 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]526
527# Tests for renegotiation
528
529run_test "Renegotiation #0 (none)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]530 "$P_SRV debug_level=4" \
531 "$P_CLI debug_level=4" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]532 0 \
533 -C "client hello, adding renegotiation extension" \
534 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
535 -S "found renegotiation extension" \
536 -s "server hello, secure renegotiation extension" \
537 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]538 -C "=> renegotiate" \
539 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]540 -S "write hello request"
541
542run_test "Renegotiation #1 (enabled, client-initiated)" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]543 "$P_SRV debug_level=4 renegotiation=1" \
544 "$P_CLI debug_level=4 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]545 0 \
546 -c "client hello, adding renegotiation extension" \
547 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
548 -s "found renegotiation extension" \
549 -s "server hello, secure renegotiation extension" \
550 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]551 -c "=> renegotiate" \
552 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]553 -S "write hello request"
554
555run_test "Renegotiation #2 (enabled, server-initiated)" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]556 "$P_SRV debug_level=4 renegotiation=1 renegotiate=1" \
557 "$P_CLI debug_level=4 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]558 0 \
559 -c "client hello, adding renegotiation extension" \
560 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
561 -s "found renegotiation extension" \
562 -s "server hello, secure renegotiation extension" \
563 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]564 -c "=> renegotiate" \
565 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]566 -s "write hello request"
567
568run_test "Renegotiation #3 (enabled, double)" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]569 "$P_SRV debug_level=4 renegotiation=1 renegotiate=1" \
570 "$P_CLI debug_level=4 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]571 0 \
572 -c "client hello, adding renegotiation extension" \
573 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
574 -s "found renegotiation extension" \
575 -s "server hello, secure renegotiation extension" \
576 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]577 -c "=> renegotiate" \
578 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]579 -s "write hello request"
580
581run_test "Renegotiation #4 (client-initiated, server-rejected)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]582 "$P_SRV debug_level=4 renegotiation=0" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]583 "$P_CLI debug_level=4 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]584 1 \
585 -c "client hello, adding renegotiation extension" \
586 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
587 -S "found renegotiation extension" \
588 -s "server hello, secure renegotiation extension" \
589 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]590 -c "=> renegotiate" \
591 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]592 -S "write hello request"
593
594run_test "Renegotiation #5 (server-initiated, client-rejected)" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]595 "$P_SRV debug_level=4 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]596 "$P_CLI debug_level=4 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]597 0 \
598 -C "client hello, adding renegotiation extension" \
599 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
600 -S "found renegotiation extension" \
601 -s "server hello, secure renegotiation extension" \
602 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]603 -C "=> renegotiate" \
604 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]605 -s "write hello request" \
606 -s "SSL - An unexpected message was received from our peer" \
607 -s "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]608
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]609# Tests for auth_mode
610
611run_test "Authentication #1 (server badcert, client required)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]612 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]613 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]614 "$P_CLI debug_level=2 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]615 1 \
616 -c "x509_verify_cert() returned" \
617 -c "! self-signed or not signed by a trusted CA" \
618 -c "! ssl_handshake returned" \
619 -c "X509 - Certificate verification failed"
620
621run_test "Authentication #2 (server badcert, client optional)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]622 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]623 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]624 "$P_CLI debug_level=2 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]625 0 \
626 -c "x509_verify_cert() returned" \
627 -c "! self-signed or not signed by a trusted CA" \
628 -C "! ssl_handshake returned" \
629 -C "X509 - Certificate verification failed"
630
631run_test "Authentication #3 (server badcert, client none)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]632 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]633 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]634 "$P_CLI debug_level=2 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]635 0 \
636 -C "x509_verify_cert() returned" \
637 -C "! self-signed or not signed by a trusted CA" \
638 -C "! ssl_handshake returned" \
639 -C "X509 - Certificate verification failed"
640
641run_test "Authentication #4 (client badcert, server required)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]642 "$P_SRV debug_level=4 auth_mode=required" \
643 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]644 key_file=data_files/server5.key" \
645 1 \
646 -S "skip write certificate request" \
647 -C "skip parse certificate request" \
648 -c "got a certificate request" \
649 -C "skip write certificate" \
650 -C "skip write certificate verify" \
651 -S "skip parse certificate verify" \
652 -s "x509_verify_cert() returned" \
653 -S "! self-signed or not signed by a trusted CA" \
654 -s "! ssl_handshake returned" \
655 -c "! ssl_handshake returned" \
656 -s "X509 - Certificate verification failed"
657
658run_test "Authentication #5 (client badcert, server optional)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]659 "$P_SRV debug_level=4 auth_mode=optional" \
660 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]661 key_file=data_files/server5.key" \
662 0 \
663 -S "skip write certificate request" \
664 -C "skip parse certificate request" \
665 -c "got a certificate request" \
666 -C "skip write certificate" \
667 -C "skip write certificate verify" \
668 -S "skip parse certificate verify" \
669 -s "x509_verify_cert() returned" \
670 -s "! self-signed or not signed by a trusted CA" \
671 -S "! ssl_handshake returned" \
672 -C "! ssl_handshake returned" \
673 -S "X509 - Certificate verification failed"
674
675run_test "Authentication #6 (client badcert, server none)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]676 "$P_SRV debug_level=4 auth_mode=none" \
677 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]678 key_file=data_files/server5.key" \
679 0 \
680 -s "skip write certificate request" \
681 -C "skip parse certificate request" \
682 -c "got no certificate request" \
683 -c "skip write certificate" \
684 -c "skip write certificate verify" \
685 -s "skip parse certificate verify" \
686 -S "x509_verify_cert() returned" \
687 -S "! self-signed or not signed by a trusted CA" \
688 -S "! ssl_handshake returned" \
689 -C "! ssl_handshake returned" \
690 -S "X509 - Certificate verification failed"
691
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]692run_test "Authentication #7 (client no cert, server optional)" \
693 "$P_SRV debug_level=4 auth_mode=optional" \
694 "$P_CLI debug_level=4 crt_file=none key_file=none" \
695 0 \
696 -S "skip write certificate request" \
697 -C "skip parse certificate request" \
698 -c "got a certificate request" \
699 -C "skip write certificate$" \
700 -C "got no certificate to send" \
701 -S "SSLv3 client has no certificate" \
702 -c "skip write certificate verify" \
703 -s "skip parse certificate verify" \
704 -s "! no client certificate sent" \
705 -S "! ssl_handshake returned" \
706 -C "! ssl_handshake returned" \
707 -S "X509 - Certificate verification failed"
708
709run_test "Authentication #8 (openssl client no cert, server optional)" \
710 "$P_SRV debug_level=4 auth_mode=optional" \
711 "$O_CLI" \
712 0 \
713 -S "skip write certificate request" \
714 -s "skip parse certificate verify" \
715 -s "! no client certificate sent" \
716 -S "! ssl_handshake returned" \
717 -S "X509 - Certificate verification failed"
718
719run_test "Authentication #9 (client no cert, openssl server optional)" \
720 "$O_SRV -verify 10" \
721 "$P_CLI debug_level=4 crt_file=none key_file=none" \
722 0 \
723 -C "skip parse certificate request" \
724 -c "got a certificate request" \
725 -C "skip write certificate$" \
726 -c "skip write certificate verify" \
727 -C "! ssl_handshake returned"
728
729run_test "Authentication #10 (client no cert, ssl3)" \
730 "$P_SRV debug_level=4 auth_mode=optional force_version=ssl3" \
731 "$P_CLI debug_level=4 crt_file=none key_file=none" \
732 0 \
733 -S "skip write certificate request" \
734 -C "skip parse certificate request" \
735 -c "got a certificate request" \
736 -C "skip write certificate$" \
737 -c "skip write certificate verify" \
738 -c "got no certificate to send" \
739 -s "SSLv3 client has no certificate" \
740 -s "skip parse certificate verify" \
741 -s "! no client certificate sent" \
742 -S "! ssl_handshake returned" \
743 -C "! ssl_handshake returned" \
744 -S "X509 - Certificate verification failed"
745
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]746# tests for SNI
747
748run_test "SNI #0 (no SNI callback)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]749 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]750 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]751 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]752 server_name=localhost" \
753 0 \
754 -S "parse ServerName extension" \
755 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
756 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
757
758run_test "SNI #1 (matching cert 1)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]759 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]760 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]761 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]762 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]763 server_name=localhost" \
764 0 \
765 -s "parse ServerName extension" \
766 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
767 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
768
769run_test "SNI #2 (matching cert 2)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]770 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]771 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]772 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]773 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]774 server_name=polarssl.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]775 0 \
776 -s "parse ServerName extension" \
777 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]778 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]779
780run_test "SNI #3 (no matching cert)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]781 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]782 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]783 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]784 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]785 server_name=nonesuch.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]786 1 \
787 -s "parse ServerName extension" \
788 -s "ssl_sni_wrapper() returned" \
789 -s "ssl_handshake returned" \
790 -c "ssl_handshake returned" \
791 -c "SSL - A fatal alert message was received from our peer"
792
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]793# Tests for non-blocking I/O: exercise a variety of handshake flows
794
795run_test "Non-blocking I/O #1 (basic handshake)" \
796 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
797 "$P_CLI nbio=2 tickets=0" \
798 0 \
799 -S "ssl_handshake returned" \
800 -C "ssl_handshake returned" \
801 -c "Read from server: .* bytes read"
802
803run_test "Non-blocking I/O #2 (client auth)" \
804 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
805 "$P_CLI nbio=2 tickets=0" \
806 0 \
807 -S "ssl_handshake returned" \
808 -C "ssl_handshake returned" \
809 -c "Read from server: .* bytes read"
810
811run_test "Non-blocking I/O #3 (ticket)" \
812 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
813 "$P_CLI nbio=2 tickets=1" \
814 0 \
815 -S "ssl_handshake returned" \
816 -C "ssl_handshake returned" \
817 -c "Read from server: .* bytes read"
818
819run_test "Non-blocking I/O #4 (ticket + client auth)" \
820 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
821 "$P_CLI nbio=2 tickets=1" \
822 0 \
823 -S "ssl_handshake returned" \
824 -C "ssl_handshake returned" \
825 -c "Read from server: .* bytes read"
826
827run_test "Non-blocking I/O #5 (ticket + client auth + resume)" \
828 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
829 "$P_CLI nbio=2 tickets=1 reconnect=1" \
830 0 \
831 -S "ssl_handshake returned" \
832 -C "ssl_handshake returned" \
833 -c "Read from server: .* bytes read"
834
835run_test "Non-blocking I/O #6 (ticket + resume)" \
836 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
837 "$P_CLI nbio=2 tickets=1 reconnect=1" \
838 0 \
839 -S "ssl_handshake returned" \
840 -C "ssl_handshake returned" \
841 -c "Read from server: .* bytes read"
842
843run_test "Non-blocking I/O #7 (session-id resume)" \
844 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
845 "$P_CLI nbio=2 tickets=0 reconnect=1" \
846 0 \
847 -S "ssl_handshake returned" \
848 -C "ssl_handshake returned" \
849 -c "Read from server: .* bytes read"
850
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]851# Tests for version negotiation
852
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]853run_test "Version check #1 (all -> 1.2)" \
854 "$P_SRV" \
855 "$P_CLI" \
856 0 \
857 -S "ssl_handshake returned" \
858 -C "ssl_handshake returned" \
859 -s "Protocol is TLSv1.2" \
860 -c "Protocol is TLSv1.2"
861
862run_test "Version check #2 (cli max 1.1 -> 1.1)" \
863 "$P_SRV" \
864 "$P_CLI max_version=tls1_1" \
865 0 \
866 -S "ssl_handshake returned" \
867 -C "ssl_handshake returned" \
868 -s "Protocol is TLSv1.1" \
869 -c "Protocol is TLSv1.1"
870
871run_test "Version check #3 (srv max 1.1 -> 1.1)" \
872 "$P_SRV max_version=tls1_1" \
873 "$P_CLI" \
874 0 \
875 -S "ssl_handshake returned" \
876 -C "ssl_handshake returned" \
877 -s "Protocol is TLSv1.1" \
878 -c "Protocol is TLSv1.1"
879
880run_test "Version check #4 (cli+srv max 1.1 -> 1.1)" \
881 "$P_SRV max_version=tls1_1" \
882 "$P_CLI max_version=tls1_1" \
883 0 \
884 -S "ssl_handshake returned" \
885 -C "ssl_handshake returned" \
886 -s "Protocol is TLSv1.1" \
887 -c "Protocol is TLSv1.1"
888
889run_test "Version check #5 (cli max 1.1, srv min 1.1 -> 1.1)" \
890 "$P_SRV min_version=tls1_1" \
891 "$P_CLI max_version=tls1_1" \
892 0 \
893 -S "ssl_handshake returned" \
894 -C "ssl_handshake returned" \
895 -s "Protocol is TLSv1.1" \
896 -c "Protocol is TLSv1.1"
897
898run_test "Version check #6 (cli min 1.1, srv max 1.1 -> 1.1)" \
899 "$P_SRV max_version=tls1_1" \
900 "$P_CLI min_version=tls1_1" \
901 0 \
902 -S "ssl_handshake returned" \
903 -C "ssl_handshake returned" \
904 -s "Protocol is TLSv1.1" \
905 -c "Protocol is TLSv1.1"
906
907run_test "Version check #7 (cli min 1.2, srv max 1.1 -> fail)" \
908 "$P_SRV max_version=tls1_1" \
909 "$P_CLI min_version=tls1_2" \
910 1 \
911 -s "ssl_handshake returned" \
912 -c "ssl_handshake returned" \
913 -c "SSL - Handshake protocol not within min/max boundaries"
914
915run_test "Version check #8 (srv min 1.2, cli max 1.1 -> fail)" \
916 "$P_SRV min_version=tls1_2" \
917 "$P_CLI max_version=tls1_1" \
918 1 \
919 -s "ssl_handshake returned" \
920 -c "ssl_handshake returned" \
921 -s "SSL - Handshake protocol not within min/max boundaries"
922
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]923# Tests for ALPN extension
924
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]925if grep '^#define POLARSSL_SSL_ALPN' $CONFIG_H >/dev/null; then
926
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]927run_test "ALPN #0 (none)" \
928 "$P_SRV debug_level=4" \
929 "$P_CLI debug_level=4" \
930 0 \
931 -C "client hello, adding alpn extension" \
932 -S "found alpn extension" \
933 -C "got an alert message, type: \\[2:120]" \
934 -S "server hello, adding alpn extension" \
935 -C "found alpn extension " \
936 -C "Application Layer Protocol is" \
937 -S "Application Layer Protocol is"
938
939run_test "ALPN #1 (client only)" \
940 "$P_SRV debug_level=4" \
941 "$P_CLI debug_level=4 alpn=abc,1234" \
942 0 \
943 -c "client hello, adding alpn extension" \
944 -s "found alpn extension" \
945 -C "got an alert message, type: \\[2:120]" \
946 -S "server hello, adding alpn extension" \
947 -C "found alpn extension " \
948 -c "Application Layer Protocol is (none)" \
949 -S "Application Layer Protocol is"
950
951run_test "ALPN #2 (server only)" \
952 "$P_SRV debug_level=4 alpn=abc,1234" \
953 "$P_CLI debug_level=4" \
954 0 \
955 -C "client hello, adding alpn extension" \
956 -S "found alpn extension" \
957 -C "got an alert message, type: \\[2:120]" \
958 -S "server hello, adding alpn extension" \
959 -C "found alpn extension " \
960 -C "Application Layer Protocol is" \
961 -s "Application Layer Protocol is (none)"
962
963run_test "ALPN #3 (both, common cli1-srv1)" \
964 "$P_SRV debug_level=4 alpn=abc,1234" \
965 "$P_CLI debug_level=4 alpn=abc,1234" \
966 0 \
967 -c "client hello, adding alpn extension" \
968 -s "found alpn extension" \
969 -C "got an alert message, type: \\[2:120]" \
970 -s "server hello, adding alpn extension" \
971 -c "found alpn extension" \
972 -c "Application Layer Protocol is abc" \
973 -s "Application Layer Protocol is abc"
974
975run_test "ALPN #4 (both, common cli2-srv1)" \
976 "$P_SRV debug_level=4 alpn=abc,1234" \
977 "$P_CLI debug_level=4 alpn=1234,abc" \
978 0 \
979 -c "client hello, adding alpn extension" \
980 -s "found alpn extension" \
981 -C "got an alert message, type: \\[2:120]" \
982 -s "server hello, adding alpn extension" \
983 -c "found alpn extension" \
984 -c "Application Layer Protocol is abc" \
985 -s "Application Layer Protocol is abc"
986
987run_test "ALPN #5 (both, common cli1-srv2)" \
988 "$P_SRV debug_level=4 alpn=abc,1234" \
989 "$P_CLI debug_level=4 alpn=1234,abcde" \
990 0 \
991 -c "client hello, adding alpn extension" \
992 -s "found alpn extension" \
993 -C "got an alert message, type: \\[2:120]" \
994 -s "server hello, adding alpn extension" \
995 -c "found alpn extension" \
996 -c "Application Layer Protocol is 1234" \
997 -s "Application Layer Protocol is 1234"
998
999run_test "ALPN #6 (both, no common)" \
1000 "$P_SRV debug_level=4 alpn=abc,123" \
1001 "$P_CLI debug_level=4 alpn=1234,abcde" \
1002 1 \
1003 -c "client hello, adding alpn extension" \
1004 -s "found alpn extension" \
1005 -c "got an alert message, type: \\[2:120]" \
1006 -S "server hello, adding alpn extension" \
1007 -C "found alpn extension" \
1008 -C "Application Layer Protocol is 1234" \
1009 -S "Application Layer Protocol is 1234"
1010
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]1011fi
1012
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1013# Tests for keyUsage in leaf certificates, part 1:
1014# server-side certificate/suite selection
1015
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]1016run_test "keyUsage srv #1 (RSA, digitalSignature -> (EC)DHE-RSA)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1017 "$P_SRV key_file=data_files/server2.key \
1018 crt_file=data_files/server2.ku-ds.crt" \
1019 "$P_CLI" \
1020 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]1021 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1022
1023
1024run_test "keyUsage srv #2 (RSA, keyEncipherment -> RSA)" \
1025 "$P_SRV key_file=data_files/server2.key \
1026 crt_file=data_files/server2.ku-ke.crt" \
1027 "$P_CLI" \
1028 0 \
1029 -c "Ciphersuite is TLS-RSA-WITH-"
1030
1031# add psk to leave an option for client to send SERVERQUIT
1032run_test "keyUsage srv #3 (RSA, keyAgreement -> fail)" \
1033 "$P_SRV psk=abc123 key_file=data_files/server2.key \
1034 crt_file=data_files/server2.ku-ka.crt" \
1035 "$P_CLI psk=badbad" \
1036 1 \
1037 -C "Ciphersuite is "
1038
1039run_test "keyUsage srv #4 (ECDSA, digitalSignature -> ECDHE-ECDSA)" \
1040 "$P_SRV key_file=data_files/server5.key \
1041 crt_file=data_files/server5.ku-ds.crt" \
1042 "$P_CLI" \
1043 0 \
1044 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
1045
1046
1047run_test "keyUsage srv #5 (ECDSA, keyAgreement -> ECDH-)" \
1048 "$P_SRV key_file=data_files/server5.key \
1049 crt_file=data_files/server5.ku-ka.crt" \
1050 "$P_CLI" \
1051 0 \
1052 -c "Ciphersuite is TLS-ECDH-"
1053
1054# add psk to leave an option for client to send SERVERQUIT
1055run_test "keyUsage srv #6 (ECDSA, keyEncipherment -> fail)" \
1056 "$P_SRV psk=abc123 key_file=data_files/server5.key \
1057 crt_file=data_files/server5.ku-ke.crt" \
1058 "$P_CLI psk=badbad" \
1059 1 \
1060 -C "Ciphersuite is "
1061
1062# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1063# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1064
1065run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
1066 "$O_SRV -key data_files/server2.key \
1067 -cert data_files/server2.ku-ds_ke.crt" \
1068 "$P_CLI debug_level=2 \
1069 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1070 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1071 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1072 -C "Processing of the Certificate handshake message failed" \
1073 -c "Ciphersuite is TLS-"
1074
1075run_test "keyUsage cli #2 (DigitalSignature+KeyEncipherment, DHE-RSA: OK)" \
1076 "$O_SRV -key data_files/server2.key \
1077 -cert data_files/server2.ku-ds_ke.crt" \
1078 "$P_CLI debug_level=2 \
1079 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1080 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1081 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1082 -C "Processing of the Certificate handshake message failed" \
1083 -c "Ciphersuite is TLS-"
1084
1085run_test "keyUsage cli #3 (KeyEncipherment, RSA: OK)" \
1086 "$O_SRV -key data_files/server2.key \
1087 -cert data_files/server2.ku-ke.crt" \
1088 "$P_CLI debug_level=2 \
1089 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1090 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1091 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1092 -C "Processing of the Certificate handshake message failed" \
1093 -c "Ciphersuite is TLS-"
1094
1095run_test "keyUsage cli #4 (KeyEncipherment, DHE-RSA: fail)" \
1096 "$O_SRV -key data_files/server2.key \
1097 -cert data_files/server2.ku-ke.crt" \
1098 "$P_CLI debug_level=2 \
1099 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1100 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1101 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1102 -c "Processing of the Certificate handshake message failed" \
1103 -C "Ciphersuite is TLS-"
1104
1105run_test "keyUsage cli #5 (DigitalSignature, DHE-RSA: OK)" \
1106 "$O_SRV -key data_files/server2.key \
1107 -cert data_files/server2.ku-ds.crt" \
1108 "$P_CLI debug_level=2 \
1109 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1110 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1111 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1112 -C "Processing of the Certificate handshake message failed" \
1113 -c "Ciphersuite is TLS-"
1114
1115run_test "keyUsage cli #5 (DigitalSignature, RSA: fail)" \
1116 "$O_SRV -key data_files/server2.key \
1117 -cert data_files/server2.ku-ds.crt" \
1118 "$P_CLI debug_level=2 \
1119 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1120 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1121 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1122 -c "Processing of the Certificate handshake message failed" \
1123 -C "Ciphersuite is TLS-"
1124
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1125# Tests for keyUsage in leaf certificates, part 3:
1126# server-side checking of client cert
1127
1128run_test "keyUsage cli-auth #1 (RSA, DigitalSignature: OK)" \
1129 "$P_SRV debug_level=2 auth_mode=optional" \
1130 "$O_CLI -key data_files/server2.key \
1131 -cert data_files/server2.ku-ds.crt" \
1132 0 \
1133 -S "bad certificate (usage extensions)" \
1134 -S "Processing of the Certificate handshake message failed"
1135
1136run_test "keyUsage cli-auth #2 (RSA, KeyEncipherment: fail (soft))" \
1137 "$P_SRV debug_level=2 auth_mode=optional" \
1138 "$O_CLI -key data_files/server2.key \
1139 -cert data_files/server2.ku-ke.crt" \
1140 0 \
1141 -s "bad certificate (usage extensions)" \
1142 -S "Processing of the Certificate handshake message failed"
1143
1144run_test "keyUsage cli-auth #3 (RSA, KeyEncipherment: fail (hard))" \
1145 "$P_SRV debug_level=2 auth_mode=required" \
1146 "$O_CLI -key data_files/server2.key \
1147 -cert data_files/server2.ku-ke.crt" \
1148 1 \
1149 -s "bad certificate (usage extensions)" \
1150 -s "Processing of the Certificate handshake message failed"
1151
1152run_test "keyUsage cli-auth #4 (ECDSA, DigitalSignature: OK)" \
1153 "$P_SRV debug_level=2 auth_mode=optional" \
1154 "$O_CLI -key data_files/server5.key \
1155 -cert data_files/server5.ku-ds.crt" \
1156 0 \
1157 -S "bad certificate (usage extensions)" \
1158 -S "Processing of the Certificate handshake message failed"
1159
1160run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \
1161 "$P_SRV debug_level=2 auth_mode=optional" \
1162 "$O_CLI -key data_files/server5.key \
1163 -cert data_files/server5.ku-ka.crt" \
1164 0 \
1165 -s "bad certificate (usage extensions)" \
1166 -S "Processing of the Certificate handshake message failed"
1167
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]1168# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
1169
1170run_test "extKeyUsage srv #1 (serverAuth -> OK)" \
1171 "$P_SRV key_file=data_files/server5.key \
1172 crt_file=data_files/server5.eku-srv.crt" \
1173 "$P_CLI" \
1174 0
1175
1176run_test "extKeyUsage srv #2 (serverAuth,clientAuth -> OK)" \
1177 "$P_SRV key_file=data_files/server5.key \
1178 crt_file=data_files/server5.eku-srv.crt" \
1179 "$P_CLI" \
1180 0
1181
1182run_test "extKeyUsage srv #3 (codeSign,anyEKU -> OK)" \
1183 "$P_SRV key_file=data_files/server5.key \
1184 crt_file=data_files/server5.eku-cs_any.crt" \
1185 "$P_CLI" \
1186 0
1187
1188# add psk to leave an option for client to send SERVERQUIT
1189run_test "extKeyUsage srv #4 (codeSign -> fail)" \
1190 "$P_SRV psk=abc123 key_file=data_files/server5.key \
1191 crt_file=data_files/server5.eku-cli.crt" \
1192 "$P_CLI psk=badbad" \
1193 1
1194
1195# Tests for extendedKeyUsage, part 2: client-side checking of server cert
1196
1197run_test "extKeyUsage cli #1 (serverAuth -> OK)" \
1198 "$O_SRV -key data_files/server5.key \
1199 -cert data_files/server5.eku-srv.crt" \
1200 "$P_CLI debug_level=2" \
1201 0 \
1202 -C "bad certificate (usage extensions)" \
1203 -C "Processing of the Certificate handshake message failed" \
1204 -c "Ciphersuite is TLS-"
1205
1206run_test "extKeyUsage cli #2 (serverAuth,clientAuth -> OK)" \
1207 "$O_SRV -key data_files/server5.key \
1208 -cert data_files/server5.eku-srv_cli.crt" \
1209 "$P_CLI debug_level=2" \
1210 0 \
1211 -C "bad certificate (usage extensions)" \
1212 -C "Processing of the Certificate handshake message failed" \
1213 -c "Ciphersuite is TLS-"
1214
1215run_test "extKeyUsage cli #3 (codeSign,anyEKU -> OK)" \
1216 "$O_SRV -key data_files/server5.key \
1217 -cert data_files/server5.eku-cs_any.crt" \
1218 "$P_CLI debug_level=2" \
1219 0 \
1220 -C "bad certificate (usage extensions)" \
1221 -C "Processing of the Certificate handshake message failed" \
1222 -c "Ciphersuite is TLS-"
1223
1224run_test "extKeyUsage cli #4 (codeSign -> fail)" \
1225 "$O_SRV -key data_files/server5.key \
1226 -cert data_files/server5.eku-cs.crt" \
1227 "$P_CLI debug_level=2" \
1228 1 \
1229 -c "bad certificate (usage extensions)" \
1230 -c "Processing of the Certificate handshake message failed" \
1231 -C "Ciphersuite is TLS-"
1232
1233# Tests for extendedKeyUsage, part 3: server-side checking of client cert
1234
1235run_test "extKeyUsage cli-auth #1 (clientAuth -> OK)" \
1236 "$P_SRV debug_level=2 auth_mode=optional" \
1237 "$O_CLI -key data_files/server5.key \
1238 -cert data_files/server5.eku-cli.crt" \
1239 0 \
1240 -S "bad certificate (usage extensions)" \
1241 -S "Processing of the Certificate handshake message failed"
1242
1243run_test "extKeyUsage cli-auth #2 (serverAuth,clientAuth -> OK)" \
1244 "$P_SRV debug_level=2 auth_mode=optional" \
1245 "$O_CLI -key data_files/server5.key \
1246 -cert data_files/server5.eku-srv_cli.crt" \
1247 0 \
1248 -S "bad certificate (usage extensions)" \
1249 -S "Processing of the Certificate handshake message failed"
1250
1251run_test "extKeyUsage cli-auth #3 (codeSign,anyEKU -> OK)" \
1252 "$P_SRV debug_level=2 auth_mode=optional" \
1253 "$O_CLI -key data_files/server5.key \
1254 -cert data_files/server5.eku-cs_any.crt" \
1255 0 \
1256 -S "bad certificate (usage extensions)" \
1257 -S "Processing of the Certificate handshake message failed"
1258
1259run_test "extKeyUsage cli-auth #4 (codeSign -> fail (soft))" \
1260 "$P_SRV debug_level=2 auth_mode=optional" \
1261 "$O_CLI -key data_files/server5.key \
1262 -cert data_files/server5.eku-cs.crt" \
1263 0 \
1264 -s "bad certificate (usage extensions)" \
1265 -S "Processing of the Certificate handshake message failed"
1266
1267run_test "extKeyUsage cli-auth #4b (codeSign -> fail (hard))" \
1268 "$P_SRV debug_level=2 auth_mode=required" \
1269 "$O_CLI -key data_files/server5.key \
1270 -cert data_files/server5.eku-cs.crt" \
1271 1 \
1272 -s "bad certificate (usage extensions)" \
1273 -s "Processing of the Certificate handshake message failed"
1274
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1275# Final report
1276
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1277echo "------------------------------------------------------------------------"
1278
1279if [ $FAILS = 0 ]; then
1280 echo -n "PASSED"
1281else
1282 echo -n "FAILED"
1283fi
1284PASSES=`echo $TESTS - $FAILS | bc`
Manuel Pégourié-Gonnard4145b892014-02-24 13:20:14 +0100[diff] [blame]1285echo " ($PASSES / $TESTS tests)"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1286
1287exit $FAILS