TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 3c9e2b5004cf288af6c7a5f0b6223bd8c31e1ab6 / . / tests / ssl-opt.sh
blob: f13c38f6813802ff0d39fc1a3548227fe50617b8 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]24# default values, can be overriden by the environment
25: ${P_SRV:=../programs/ssl/ssl_server2}
26: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]27: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]28: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]29: ${GNUTLS_CLI:=gnutls-cli}
30: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]31: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]33O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]34O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]35G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]36G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]37TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]38
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]39TESTS=0
40FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]41SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]44
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]45MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]46FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]47EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]49SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]50RUN_TEST_NUMBER=''
51
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]52PRESERVE_LOGS=0
53
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]54# Pick a "unique" server port in the range 10000-19999, and a proxy
55# port which is this plus 10000. Each port number may be independently
56# overridden by a command line option.
57SRV_PORT=$(($$ % 10000 + 10000))
58PXY_PORT=$((SRV_PORT + 10000))
59
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]60print_usage() {
61 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]62 printf " -h|--help\tPrint this help.\n"
63 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]64 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
65 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]66 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]67 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]68 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]69 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
70 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]71 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72}
73
74get_options() {
75 while [ $# -gt 0 ]; do
76 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]77 -f|--filter)
78 shift; FILTER=$1
79 ;;
80 -e|--exclude)
81 shift; EXCLUDE=$1
82 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]83 -m|--memcheck)
84 MEMCHECK=1
85 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]86 -n|--number)
87 shift; RUN_TEST_NUMBER=$1
88 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]89 -s|--show-numbers)
90 SHOW_TEST_NUMBER=1
91 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]92 -p|--preserve-logs)
93 PRESERVE_LOGS=1
94 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]95 --port)
96 shift; SRV_PORT=$1
97 ;;
98 --proxy-port)
99 shift; PXY_PORT=$1
100 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]101 --seed)
102 shift; SEED="$1"
103 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104 -h|--help)
105 print_usage
106 exit 0
107 ;;
108 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]109 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 print_usage
111 exit 1
112 ;;
113 esac
114 shift
115 done
116}
117
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]118# skip next test if the flag is not enabled in config.h
119requires_config_enabled() {
120 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
121 SKIP_NEXT="YES"
122 fi
123}
124
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]125# skip next test if the flag is enabled in config.h
126requires_config_disabled() {
127 if grep "^#define $1" $CONFIG_H > /dev/null; then
128 SKIP_NEXT="YES"
129 fi
130}
131
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]132# skip next test if OpenSSL doesn't support FALLBACK_SCSV
133requires_openssl_with_fallback_scsv() {
134 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
135 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
136 then
137 OPENSSL_HAS_FBSCSV="YES"
138 else
139 OPENSSL_HAS_FBSCSV="NO"
140 fi
141 fi
142 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
143 SKIP_NEXT="YES"
144 fi
145}
146
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]147# skip next test if GnuTLS isn't available
148requires_gnutls() {
149 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]150 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]151 GNUTLS_AVAILABLE="YES"
152 else
153 GNUTLS_AVAILABLE="NO"
154 fi
155 fi
156 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]161# skip next test if IPv6 isn't available on this host
162requires_ipv6() {
163 if [ -z "${HAS_IPV6:-}" ]; then
164 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
165 SRV_PID=$!
166 sleep 1
167 kill $SRV_PID >/dev/null 2>&1
168 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
169 HAS_IPV6="NO"
170 else
171 HAS_IPV6="YES"
172 fi
173 rm -r $SRV_OUT
174 fi
175
176 if [ "$HAS_IPV6" = "NO" ]; then
177 SKIP_NEXT="YES"
178 fi
179}
180
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]181# skip the next test if valgrind is in use
182not_with_valgrind() {
183 if [ "$MEMCHECK" -gt 0 ]; then
184 SKIP_NEXT="YES"
185 fi
186}
187
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]188# skip the next test if valgrind is NOT in use
189only_with_valgrind() {
190 if [ "$MEMCHECK" -eq 0 ]; then
191 SKIP_NEXT="YES"
192 fi
193}
194
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]195# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]196client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]197 CLI_DELAY_FACTOR=$1
198}
199
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]200# wait for the given seconds after the client finished in the next test
201server_needs_more_time() {
202 SRV_DELAY_SECONDS=$1
203}
204
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]205# print_name <name>
206print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]207 TESTS=$(( $TESTS + 1 ))
208 LINE=""
209
210 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
211 LINE="$TESTS "
212 fi
213
214 LINE="$LINE$1"
215 printf "$LINE "
216 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]217 for i in `seq 1 $LEN`; do printf '.'; done
218 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]219
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]220}
221
222# fail <message>
223fail() {
224 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]225 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]226
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]227 mv $SRV_OUT o-srv-${TESTS}.log
228 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]229 if [ -n "$PXY_CMD" ]; then
230 mv $PXY_OUT o-pxy-${TESTS}.log
231 fi
232 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]233
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]234 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
235 echo " ! server output:"
236 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]237 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]238 echo " ! client output:"
239 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]240 if [ -n "$PXY_CMD" ]; then
241 echo " ! ========================================================"
242 echo " ! proxy output:"
243 cat o-pxy-${TESTS}.log
244 fi
245 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]246 fi
247
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]248 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]249}
250
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]251# is_polar <cmd_line>
252is_polar() {
253 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
254}
255
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]256# openssl s_server doesn't have -www with DTLS
257check_osrv_dtls() {
258 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
259 NEEDS_INPUT=1
260 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
261 else
262 NEEDS_INPUT=0
263 fi
264}
265
266# provide input to commands that need it
267provide_input() {
268 if [ $NEEDS_INPUT -eq 0 ]; then
269 return
270 fi
271
272 while true; do
273 echo "HTTP/1.0 200 OK"
274 sleep 1
275 done
276}
277
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]278# has_mem_err <log_file_name>
279has_mem_err() {
280 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
281 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
282 then
283 return 1 # false: does not have errors
284 else
285 return 0 # true: has errors
286 fi
287}
288
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]289# Wait for process $2 to be listening on port $1
290if type lsof >/dev/null 2>/dev/null; then
291 wait_server_start() {
292 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]293 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]294 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]295 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]296 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]297 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]298 # Make a tight loop, server normally takes less than 1s to start.
299 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
300 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
301 echo "SERVERSTART TIMEOUT"
302 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
303 break
304 fi
305 # Linux and *BSD support decimal arguments to sleep. On other
306 # OSes this may be a tight loop.
307 sleep 0.1 2>/dev/null || true
308 done
309 }
310else
Gilles Peskine3c9e2b52018-01-08 12:38:15 +0100[diff] [blame^]311 echo "Warning: lsof not available, wait_server_start = sleep $START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]312 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]313 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]314 }
315fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]316
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]317# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]318# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]319# acceptable bounds
320check_server_hello_time() {
321 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]322 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]323 # Get the Unix timestamp for now
324 CUR_TIME=$(date +'%s')
325 THRESHOLD_IN_SECS=300
326
327 # Check if the ServerHello time was printed
328 if [ -z "$SERVER_HELLO_TIME" ]; then
329 return 1
330 fi
331
332 # Check the time in ServerHello is within acceptable bounds
333 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
334 # The time in ServerHello is at least 5 minutes before now
335 return 1
336 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]337 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]338 return 1
339 else
340 return 0
341 fi
342}
343
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]344# wait for client to terminate and set CLI_EXIT
345# must be called right after starting the client
346wait_client_done() {
347 CLI_PID=$!
348
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]349 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
350 CLI_DELAY_FACTOR=1
351
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]352 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]353 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]354
355 wait $CLI_PID
356 CLI_EXIT=$?
357
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]358 kill $DOG_PID >/dev/null 2>&1
359 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]360
361 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]362
363 sleep $SRV_DELAY_SECONDS
364 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]365}
366
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]367# check if the given command uses dtls and sets global variable DTLS
368detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]369 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]370 DTLS=1
371 else
372 DTLS=0
373 fi
374}
375
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]376# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]377# Options: -s pattern pattern that must be present in server output
378# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]379# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]380# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]381# -S pattern pattern that must be absent in server output
382# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]383# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]384# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]385run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]386 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]387 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]388
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]389 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
390 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]391 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]392 return
393 fi
394
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]395 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]396
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]397 # Do we only run numbered tests?
398 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
399 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
400 else
401 SKIP_NEXT="YES"
402 fi
403
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]404 # should we skip?
405 if [ "X$SKIP_NEXT" = "XYES" ]; then
406 SKIP_NEXT="NO"
407 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]408 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]409 return
410 fi
411
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]412 # does this test use a proxy?
413 if [ "X$1" = "X-p" ]; then
414 PXY_CMD="$2"
415 shift 2
416 else
417 PXY_CMD=""
418 fi
419
420 # get commands and client output
421 SRV_CMD="$1"
422 CLI_CMD="$2"
423 CLI_EXPECT="$3"
424 shift 3
425
426 # fix client port
427 if [ -n "$PXY_CMD" ]; then
428 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
429 else
430 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
431 fi
432
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]433 # update DTLS variable
434 detect_dtls "$SRV_CMD"
435
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]436 # prepend valgrind to our commands if active
437 if [ "$MEMCHECK" -gt 0 ]; then
438 if is_polar "$SRV_CMD"; then
439 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
440 fi
441 if is_polar "$CLI_CMD"; then
442 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
443 fi
444 fi
445
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]446 TIMES_LEFT=2
447 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]448 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]449
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]450 # run the commands
451 if [ -n "$PXY_CMD" ]; then
452 echo "$PXY_CMD" > $PXY_OUT
453 $PXY_CMD >> $PXY_OUT 2>&1 &
454 PXY_PID=$!
455 # assume proxy starts faster than server
456 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]457
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]458 check_osrv_dtls
459 echo "$SRV_CMD" > $SRV_OUT
460 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
461 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]462 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]463
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]464 echo "$CLI_CMD" > $CLI_OUT
465 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
466 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]467
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]468 # terminate the server (and the proxy)
469 kill $SRV_PID
470 wait $SRV_PID
471 if [ -n "$PXY_CMD" ]; then
472 kill $PXY_PID >/dev/null 2>&1
473 wait $PXY_PID
474 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]475
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]476 # retry only on timeouts
477 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
478 printf "RETRY "
479 else
480 TIMES_LEFT=0
481 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]482 done
483
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]484 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]485 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]486 # expected client exit to incorrectly succeed in case of catastrophic
487 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]488 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]489 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]490 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]491 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]492 return
493 fi
494 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]495 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]496 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]497 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]498 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]499 return
500 fi
501 fi
502
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]503 # check server exit code
504 if [ $? != 0 ]; then
505 fail "server fail"
506 return
507 fi
508
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]509 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]510 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
511 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]512 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]513 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]514 return
515 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]516
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]517 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]518 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]519 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]520 while [ $# -gt 0 ]
521 do
522 case $1 in
523 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]524 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]525 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]526 return
527 fi
528 ;;
529
530 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]531 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]532 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]533 return
534 fi
535 ;;
536
537 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]538 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]539 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]540 return
541 fi
542 ;;
543
544 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]545 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]546 fail "pattern '$2' MUST NOT be present in the Client output"
547 return
548 fi
549 ;;
550
551 # The filtering in the following two options (-u and -U) do the following
552 # - ignore valgrind output
553 # - filter out everything but lines right after the pattern occurances
554 # - keep one of each non-unique line
555 # - count how many lines remain
556 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
557 # if there were no duplicates.
558 "-U")
559 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
560 fail "lines following pattern '$2' must be unique in Server output"
561 return
562 fi
563 ;;
564
565 "-u")
566 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
567 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]568 return
569 fi
570 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]571 "-F")
572 if ! $2 "$SRV_OUT"; then
573 fail "function call to '$2' failed on Server output"
574 return
575 fi
576 ;;
577 "-f")
578 if ! $2 "$CLI_OUT"; then
579 fail "function call to '$2' failed on Client output"
580 return
581 fi
582 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]583
584 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]585 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]586 exit 1
587 esac
588 shift 2
589 done
590
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]591 # check valgrind's results
592 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]593 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]594 fail "Server has memory errors"
595 return
596 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]597 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]598 fail "Client has memory errors"
599 return
600 fi
601 fi
602
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]603 # if we're here, everything is ok
604 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]605 if [ "$PRESERVE_LOGS" -gt 0 ]; then
606 mv $SRV_OUT o-srv-${TESTS}.log
607 mv $CLI_OUT o-cli-${TESTS}.log
608 fi
609
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]610 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]611}
612
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]613cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]614 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]615 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
616 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
617 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
618 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]619 exit 1
620}
621
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]622#
623# MAIN
624#
625
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]626if cd $( dirname $0 ); then :; else
627 echo "cd $( dirname $0 ) failed" >&2
628 exit 1
629fi
630
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]631get_options "$@"
632
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]633# sanity checks, avoid an avalanche of errors
634if [ ! -x "$P_SRV" ]; then
635 echo "Command '$P_SRV' is not an executable file"
636 exit 1
637fi
638if [ ! -x "$P_CLI" ]; then
639 echo "Command '$P_CLI' is not an executable file"
640 exit 1
641fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]642if [ ! -x "$P_PXY" ]; then
643 echo "Command '$P_PXY' is not an executable file"
644 exit 1
645fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]646if [ "$MEMCHECK" -gt 0 ]; then
647 if which valgrind >/dev/null 2>&1; then :; else
648 echo "Memcheck not possible. Valgrind not found"
649 exit 1
650 fi
651fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]652if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
653 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]654 exit 1
655fi
656
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]657# used by watchdog
658MAIN_PID="$$"
659
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]660# We use somewhat arbitrary delays for tests:
661# - how long do we wait for the server to start (when lsof not available)?
662# - how long do we allow for the client to finish?
663# (not to check performance, just to avoid waiting indefinitely)
664# Things are slower with valgrind, so give extra time here.
665#
666# Note: without lsof, there is a trade-off between the running time of this
667# script and the risk of spurious errors because we didn't wait long enough.
668# The watchdog delay on the other hand doesn't affect normal running time of
669# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]670if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]671 START_DELAY=6
672 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]673else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]674 START_DELAY=2
675 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]676fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]677
678# some particular tests need more time:
679# - for the client, we multiply the usual watchdog limit by a factor
680# - for the server, we sleep for a number of seconds after the client exits
681# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]682CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]683SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]684
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]685# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]686# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]687P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
688P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]689P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]690O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]691O_CLI="$O_CLI -connect localhost:+SRV_PORT"
692G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]693G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]694
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]695# Allow SHA-1, because many of our test certificates use it
696P_SRV="$P_SRV allow_sha1=1"
697P_CLI="$P_CLI allow_sha1=1"
698
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]699# Also pick a unique name for intermediate files
700SRV_OUT="srv_out.$$"
701CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]702PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]703SESSION="session.$$"
704
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]705SKIP_NEXT="NO"
706
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]707trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]708
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]709# Basic test
710
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]711# Checks that:
712# - things work with all ciphersuites active (used with config-full in all.sh)
713# - the expected (highest security) parameters are selected
714# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]715run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]716 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]717 "$P_CLI" \
718 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]719 -s "Protocol is TLSv1.2" \
720 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
721 -s "client hello v3, signature_algorithm ext: 6" \
722 -s "ECDHE curve: secp521r1" \
723 -S "error" \
724 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]725
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]726run_test "Default, DTLS" \
727 "$P_SRV dtls=1" \
728 "$P_CLI dtls=1" \
729 0 \
730 -s "Protocol is DTLSv1.2" \
731 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
732
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]733# Test current time in ServerHello
734requires_config_enabled MBEDTLS_HAVE_TIME
735run_test "Default, ServerHello contains gmt_unix_time" \
736 "$P_SRV debug_level=3" \
737 "$P_CLI debug_level=3" \
738 0 \
739 -s "Protocol is TLSv1.2" \
740 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
741 -s "client hello v3, signature_algorithm ext: 6" \
742 -s "ECDHE curve: secp521r1" \
743 -S "error" \
744 -C "error" \
745 -f "check_server_hello_time" \
746 -F "check_server_hello_time"
747
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]748# Test for uniqueness of IVs in AEAD ciphersuites
749run_test "Unique IV in GCM" \
750 "$P_SRV exchanges=20 debug_level=4" \
751 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
752 0 \
753 -u "IV used" \
754 -U "IV used"
755
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]756# Tests for rc4 option
757
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]758requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]759run_test "RC4: server disabled, client enabled" \
760 "$P_SRV" \
761 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
762 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]763 -s "SSL - The server has no ciphersuites in common"
764
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]765requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]766run_test "RC4: server half, client enabled" \
767 "$P_SRV arc4=1" \
768 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
769 1 \
770 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]771
772run_test "RC4: server enabled, client disabled" \
773 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
774 "$P_CLI" \
775 1 \
776 -s "SSL - The server has no ciphersuites in common"
777
778run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]779 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]780 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
781 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]782 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]783 -S "SSL - The server has no ciphersuites in common"
784
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]785# Tests for SHA-1 support
786
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]787requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]788run_test "SHA-1 forbidden by default in server certificate" \
789 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
790 "$P_CLI debug_level=2 allow_sha1=0" \
791 1 \
792 -c "The certificate is signed with an unacceptable hash"
793
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]794requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
795run_test "SHA-1 forbidden by default in server certificate" \
796 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
797 "$P_CLI debug_level=2 allow_sha1=0" \
798 0
799
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]800run_test "SHA-1 explicitly allowed in server certificate" \
801 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
802 "$P_CLI allow_sha1=1" \
803 0
804
805run_test "SHA-256 allowed by default in server certificate" \
806 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
807 "$P_CLI allow_sha1=0" \
808 0
809
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]810requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]811run_test "SHA-1 forbidden by default in client certificate" \
812 "$P_SRV auth_mode=required allow_sha1=0" \
813 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
814 1 \
815 -s "The certificate is signed with an unacceptable hash"
816
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]817requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
818run_test "SHA-1 forbidden by default in client certificate" \
819 "$P_SRV auth_mode=required allow_sha1=0" \
820 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
821 0
822
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]823run_test "SHA-1 explicitly allowed in client certificate" \
824 "$P_SRV auth_mode=required allow_sha1=1" \
825 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
826 0
827
828run_test "SHA-256 allowed by default in client certificate" \
829 "$P_SRV auth_mode=required allow_sha1=0" \
830 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
831 0
832
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]833# Tests for Truncated HMAC extension
834
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]835run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]836 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]837 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]838 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]839 -s "dumping 'computed mac' (20 bytes)" \
840 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]841
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]842run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]843 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]844 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
845 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]846 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]847 -s "dumping 'computed mac' (20 bytes)" \
848 -S "dumping 'computed mac' (10 bytes)"
849
850run_test "Truncated HMAC: client enabled, server default" \
851 "$P_SRV debug_level=4" \
852 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
853 trunc_hmac=1" \
854 0 \
Manuel Pégourié-Gonnard662c6e82015-05-06 17:39:23 +0100[diff] [blame]855 -s "dumping 'computed mac' (20 bytes)" \
856 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]857
858run_test "Truncated HMAC: client enabled, server disabled" \
859 "$P_SRV debug_level=4 trunc_hmac=0" \
860 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
861 trunc_hmac=1" \
862 0 \
863 -s "dumping 'computed mac' (20 bytes)" \
864 -S "dumping 'computed mac' (10 bytes)"
865
866run_test "Truncated HMAC: client enabled, server enabled" \
867 "$P_SRV debug_level=4 trunc_hmac=1" \
868 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
869 trunc_hmac=1" \
870 0 \
871 -S "dumping 'computed mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]872 -s "dumping 'computed mac' (10 bytes)"
873
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]874# Tests for Encrypt-then-MAC extension
875
876run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]877 "$P_SRV debug_level=3 \
878 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]879 "$P_CLI debug_level=3" \
880 0 \
881 -c "client hello, adding encrypt_then_mac extension" \
882 -s "found encrypt then mac extension" \
883 -s "server hello, adding encrypt then mac extension" \
884 -c "found encrypt_then_mac extension" \
885 -c "using encrypt then mac" \
886 -s "using encrypt then mac"
887
888run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]889 "$P_SRV debug_level=3 etm=0 \
890 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]891 "$P_CLI debug_level=3 etm=1" \
892 0 \
893 -c "client hello, adding encrypt_then_mac extension" \
894 -s "found encrypt then mac extension" \
895 -S "server hello, adding encrypt then mac extension" \
896 -C "found encrypt_then_mac extension" \
897 -C "using encrypt then mac" \
898 -S "using encrypt then mac"
899
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]900run_test "Encrypt then MAC: client enabled, aead cipher" \
901 "$P_SRV debug_level=3 etm=1 \
902 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
903 "$P_CLI debug_level=3 etm=1" \
904 0 \
905 -c "client hello, adding encrypt_then_mac extension" \
906 -s "found encrypt then mac extension" \
907 -S "server hello, adding encrypt then mac extension" \
908 -C "found encrypt_then_mac extension" \
909 -C "using encrypt then mac" \
910 -S "using encrypt then mac"
911
912run_test "Encrypt then MAC: client enabled, stream cipher" \
913 "$P_SRV debug_level=3 etm=1 \
914 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]915 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]916 0 \
917 -c "client hello, adding encrypt_then_mac extension" \
918 -s "found encrypt then mac extension" \
919 -S "server hello, adding encrypt then mac extension" \
920 -C "found encrypt_then_mac extension" \
921 -C "using encrypt then mac" \
922 -S "using encrypt then mac"
923
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]924run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]925 "$P_SRV debug_level=3 etm=1 \
926 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]927 "$P_CLI debug_level=3 etm=0" \
928 0 \
929 -C "client hello, adding encrypt_then_mac extension" \
930 -S "found encrypt then mac extension" \
931 -S "server hello, adding encrypt then mac extension" \
932 -C "found encrypt_then_mac extension" \
933 -C "using encrypt then mac" \
934 -S "using encrypt then mac"
935
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]936requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]937run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]938 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]939 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]940 "$P_CLI debug_level=3 force_version=ssl3" \
941 0 \
942 -C "client hello, adding encrypt_then_mac extension" \
943 -S "found encrypt then mac extension" \
944 -S "server hello, adding encrypt then mac extension" \
945 -C "found encrypt_then_mac extension" \
946 -C "using encrypt then mac" \
947 -S "using encrypt then mac"
948
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]949requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]950run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]951 "$P_SRV debug_level=3 force_version=ssl3 \
952 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]953 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]954 0 \
955 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]956 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]957 -S "server hello, adding encrypt then mac extension" \
958 -C "found encrypt_then_mac extension" \
959 -C "using encrypt then mac" \
960 -S "using encrypt then mac"
961
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]962# Tests for Extended Master Secret extension
963
964run_test "Extended Master Secret: default" \
965 "$P_SRV debug_level=3" \
966 "$P_CLI debug_level=3" \
967 0 \
968 -c "client hello, adding extended_master_secret extension" \
969 -s "found extended master secret extension" \
970 -s "server hello, adding extended master secret extension" \
971 -c "found extended_master_secret extension" \
972 -c "using extended master secret" \
973 -s "using extended master secret"
974
975run_test "Extended Master Secret: client enabled, server disabled" \
976 "$P_SRV debug_level=3 extended_ms=0" \
977 "$P_CLI debug_level=3 extended_ms=1" \
978 0 \
979 -c "client hello, adding extended_master_secret extension" \
980 -s "found extended master secret extension" \
981 -S "server hello, adding extended master secret extension" \
982 -C "found extended_master_secret extension" \
983 -C "using extended master secret" \
984 -S "using extended master secret"
985
986run_test "Extended Master Secret: client disabled, server enabled" \
987 "$P_SRV debug_level=3 extended_ms=1" \
988 "$P_CLI debug_level=3 extended_ms=0" \
989 0 \
990 -C "client hello, adding extended_master_secret extension" \
991 -S "found extended master secret extension" \
992 -S "server hello, adding extended master secret extension" \
993 -C "found extended_master_secret extension" \
994 -C "using extended master secret" \
995 -S "using extended master secret"
996
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]997requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]998run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]999 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1000 "$P_CLI debug_level=3 force_version=ssl3" \
1001 0 \
1002 -C "client hello, adding extended_master_secret extension" \
1003 -S "found extended master secret extension" \
1004 -S "server hello, adding extended master secret extension" \
1005 -C "found extended_master_secret extension" \
1006 -C "using extended master secret" \
1007 -S "using extended master secret"
1008
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1009requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1010run_test "Extended Master Secret: client enabled, server SSLv3" \
1011 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1012 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1013 0 \
1014 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1015 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1016 -S "server hello, adding extended master secret extension" \
1017 -C "found extended_master_secret extension" \
1018 -C "using extended master secret" \
1019 -S "using extended master secret"
1020
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1021# Tests for FALLBACK_SCSV
1022
1023run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1024 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1025 "$P_CLI debug_level=3 force_version=tls1_1" \
1026 0 \
1027 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1028 -S "received FALLBACK_SCSV" \
1029 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1030 -C "is a fatal alert message (msg 86)"
1031
1032run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1033 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1034 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1035 0 \
1036 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1037 -S "received FALLBACK_SCSV" \
1038 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1039 -C "is a fatal alert message (msg 86)"
1040
1041run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1042 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1043 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1044 1 \
1045 -c "adding FALLBACK_SCSV" \
1046 -s "received FALLBACK_SCSV" \
1047 -s "inapropriate fallback" \
1048 -c "is a fatal alert message (msg 86)"
1049
1050run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1051 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1052 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1053 0 \
1054 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1055 -s "received FALLBACK_SCSV" \
1056 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1057 -C "is a fatal alert message (msg 86)"
1058
1059requires_openssl_with_fallback_scsv
1060run_test "Fallback SCSV: default, openssl server" \
1061 "$O_SRV" \
1062 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1063 0 \
1064 -C "adding FALLBACK_SCSV" \
1065 -C "is a fatal alert message (msg 86)"
1066
1067requires_openssl_with_fallback_scsv
1068run_test "Fallback SCSV: enabled, openssl server" \
1069 "$O_SRV" \
1070 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1071 1 \
1072 -c "adding FALLBACK_SCSV" \
1073 -c "is a fatal alert message (msg 86)"
1074
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1075requires_openssl_with_fallback_scsv
1076run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1077 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1078 "$O_CLI -tls1_1" \
1079 0 \
1080 -S "received FALLBACK_SCSV" \
1081 -S "inapropriate fallback"
1082
1083requires_openssl_with_fallback_scsv
1084run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1085 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1086 "$O_CLI -tls1_1 -fallback_scsv" \
1087 1 \
1088 -s "received FALLBACK_SCSV" \
1089 -s "inapropriate fallback"
1090
1091requires_openssl_with_fallback_scsv
1092run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1093 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1094 "$O_CLI -fallback_scsv" \
1095 0 \
1096 -s "received FALLBACK_SCSV" \
1097 -S "inapropriate fallback"
1098
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1099## ClientHello generated with
1100## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1101## then manually twiddling the ciphersuite list.
1102## The ClientHello content is spelled out below as a hex string as
1103## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1104## The expected response is an inappropriate_fallback alert.
1105requires_openssl_with_fallback_scsv
1106run_test "Fallback SCSV: beginning of list" \
1107 "$P_SRV debug_level=2" \
1108 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1109 0 \
1110 -s "received FALLBACK_SCSV" \
1111 -s "inapropriate fallback"
1112
1113requires_openssl_with_fallback_scsv
1114run_test "Fallback SCSV: end of list" \
1115 "$P_SRV debug_level=2" \
1116 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1117 0 \
1118 -s "received FALLBACK_SCSV" \
1119 -s "inapropriate fallback"
1120
1121## Here the expected response is a valid ServerHello prefix, up to the random.
1122requires_openssl_with_fallback_scsv
1123run_test "Fallback SCSV: not in list" \
1124 "$P_SRV debug_level=2" \
1125 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1126 0 \
1127 -S "received FALLBACK_SCSV" \
1128 -S "inapropriate fallback"
1129
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1130# Tests for CBC 1/n-1 record splitting
1131
1132run_test "CBC Record splitting: TLS 1.2, no splitting" \
1133 "$P_SRV" \
1134 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1135 request_size=123 force_version=tls1_2" \
1136 0 \
1137 -s "Read from client: 123 bytes read" \
1138 -S "Read from client: 1 bytes read" \
1139 -S "122 bytes read"
1140
1141run_test "CBC Record splitting: TLS 1.1, no splitting" \
1142 "$P_SRV" \
1143 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1144 request_size=123 force_version=tls1_1" \
1145 0 \
1146 -s "Read from client: 123 bytes read" \
1147 -S "Read from client: 1 bytes read" \
1148 -S "122 bytes read"
1149
1150run_test "CBC Record splitting: TLS 1.0, splitting" \
1151 "$P_SRV" \
1152 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1153 request_size=123 force_version=tls1" \
1154 0 \
1155 -S "Read from client: 123 bytes read" \
1156 -s "Read from client: 1 bytes read" \
1157 -s "122 bytes read"
1158
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1159requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1160run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1161 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1162 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1163 request_size=123 force_version=ssl3" \
1164 0 \
1165 -S "Read from client: 123 bytes read" \
1166 -s "Read from client: 1 bytes read" \
1167 -s "122 bytes read"
1168
1169run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1170 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1171 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1172 request_size=123 force_version=tls1" \
1173 0 \
1174 -s "Read from client: 123 bytes read" \
1175 -S "Read from client: 1 bytes read" \
1176 -S "122 bytes read"
1177
1178run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1179 "$P_SRV" \
1180 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1181 request_size=123 force_version=tls1 recsplit=0" \
1182 0 \
1183 -s "Read from client: 123 bytes read" \
1184 -S "Read from client: 1 bytes read" \
1185 -S "122 bytes read"
1186
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1187run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1188 "$P_SRV nbio=2" \
1189 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1190 request_size=123 force_version=tls1" \
1191 0 \
1192 -S "Read from client: 123 bytes read" \
1193 -s "Read from client: 1 bytes read" \
1194 -s "122 bytes read"
1195
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1196# Tests for Session Tickets
1197
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1198run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1199 "$P_SRV debug_level=3 tickets=1" \
1200 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1201 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1202 -c "client hello, adding session ticket extension" \
1203 -s "found session ticket extension" \
1204 -s "server hello, adding session ticket extension" \
1205 -c "found session_ticket extension" \
1206 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1207 -S "session successfully restored from cache" \
1208 -s "session successfully restored from ticket" \
1209 -s "a session has been resumed" \
1210 -c "a session has been resumed"
1211
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1212run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1213 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1214 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1215 0 \
1216 -c "client hello, adding session ticket extension" \
1217 -s "found session ticket extension" \
1218 -s "server hello, adding session ticket extension" \
1219 -c "found session_ticket extension" \
1220 -c "parse new session ticket" \
1221 -S "session successfully restored from cache" \
1222 -s "session successfully restored from ticket" \
1223 -s "a session has been resumed" \
1224 -c "a session has been resumed"
1225
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1226run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1227 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1228 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1229 0 \
1230 -c "client hello, adding session ticket extension" \
1231 -s "found session ticket extension" \
1232 -s "server hello, adding session ticket extension" \
1233 -c "found session_ticket extension" \
1234 -c "parse new session ticket" \
1235 -S "session successfully restored from cache" \
1236 -S "session successfully restored from ticket" \
1237 -S "a session has been resumed" \
1238 -C "a session has been resumed"
1239
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1240run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1241 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1242 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1243 0 \
1244 -c "client hello, adding session ticket extension" \
1245 -c "found session_ticket extension" \
1246 -c "parse new session ticket" \
1247 -c "a session has been resumed"
1248
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1249run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1250 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1251 "( $O_CLI -sess_out $SESSION; \
1252 $O_CLI -sess_in $SESSION; \
1253 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1254 0 \
1255 -s "found session ticket extension" \
1256 -s "server hello, adding session ticket extension" \
1257 -S "session successfully restored from cache" \
1258 -s "session successfully restored from ticket" \
1259 -s "a session has been resumed"
1260
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1261# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1262
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1263run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1264 "$P_SRV debug_level=3 tickets=0" \
1265 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1266 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1267 -c "client hello, adding session ticket extension" \
1268 -s "found session ticket extension" \
1269 -S "server hello, adding session ticket extension" \
1270 -C "found session_ticket extension" \
1271 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1272 -s "session successfully restored from cache" \
1273 -S "session successfully restored from ticket" \
1274 -s "a session has been resumed" \
1275 -c "a session has been resumed"
1276
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1277run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1278 "$P_SRV debug_level=3 tickets=1" \
1279 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1280 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1281 -C "client hello, adding session ticket extension" \
1282 -S "found session ticket extension" \
1283 -S "server hello, adding session ticket extension" \
1284 -C "found session_ticket extension" \
1285 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1286 -s "session successfully restored from cache" \
1287 -S "session successfully restored from ticket" \
1288 -s "a session has been resumed" \
1289 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1290
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1291run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1292 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1293 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1294 0 \
1295 -S "session successfully restored from cache" \
1296 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1297 -S "a session has been resumed" \
1298 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1299
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1300run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1301 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1302 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1303 0 \
1304 -s "session successfully restored from cache" \
1305 -S "session successfully restored from ticket" \
1306 -s "a session has been resumed" \
1307 -c "a session has been resumed"
1308
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1309run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1310 "$P_SRV debug_level=3 tickets=0" \
1311 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1312 0 \
1313 -s "session successfully restored from cache" \
1314 -S "session successfully restored from ticket" \
1315 -s "a session has been resumed" \
1316 -c "a session has been resumed"
1317
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1318run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1319 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1320 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1321 0 \
1322 -S "session successfully restored from cache" \
1323 -S "session successfully restored from ticket" \
1324 -S "a session has been resumed" \
1325 -C "a session has been resumed"
1326
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1327run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1328 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1329 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1330 0 \
1331 -s "session successfully restored from cache" \
1332 -S "session successfully restored from ticket" \
1333 -s "a session has been resumed" \
1334 -c "a session has been resumed"
1335
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1336run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1337 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1338 "( $O_CLI -sess_out $SESSION; \
1339 $O_CLI -sess_in $SESSION; \
1340 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1341 0 \
1342 -s "found session ticket extension" \
1343 -S "server hello, adding session ticket extension" \
1344 -s "session successfully restored from cache" \
1345 -S "session successfully restored from ticket" \
1346 -s "a session has been resumed"
1347
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1348run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1349 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1350 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1351 0 \
1352 -C "found session_ticket extension" \
1353 -C "parse new session ticket" \
1354 -c "a session has been resumed"
1355
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1356# Tests for Max Fragment Length extension
1357
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]1358MAX_CONTENT_LEN_EXPECT='16384'
1359MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
1360
1361if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
1362 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
1363 printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
1364 printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
1365 printf "\n"
1366 printf "The tests assume this value and if it changes, the tests in this\n"
1367 printf "script should also be adjusted.\n"
1368 printf "\n"
1369
1370 exit 1
1371fi
1372
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1373requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1374run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1375 "$P_SRV debug_level=3" \
1376 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1377 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1378 -c "Maximum fragment length is 16384" \
1379 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1380 -C "client hello, adding max_fragment_length extension" \
1381 -S "found max fragment length extension" \
1382 -S "server hello, max_fragment_length extension" \
1383 -C "found max_fragment_length extension"
1384
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1385requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1386run_test "Max fragment length: enabled, default, larger message" \
1387 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1388 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1389 0 \
1390 -c "Maximum fragment length is 16384" \
1391 -s "Maximum fragment length is 16384" \
1392 -C "client hello, adding max_fragment_length extension" \
1393 -S "found max fragment length extension" \
1394 -S "server hello, max_fragment_length extension" \
1395 -C "found max_fragment_length extension" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1396 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1397 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1398 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1399
1400requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1401run_test "Max fragment length, DTLS: enabled, default, larger message" \
1402 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1403 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1404 1 \
1405 -c "Maximum fragment length is 16384" \
1406 -s "Maximum fragment length is 16384" \
1407 -C "client hello, adding max_fragment_length extension" \
1408 -S "found max fragment length extension" \
1409 -S "server hello, max_fragment_length extension" \
1410 -C "found max_fragment_length extension" \
1411 -c "fragment larger than.*maximum "
1412
1413requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1414run_test "Max fragment length: disabled, larger message" \
1415 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1416 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1417 0 \
1418 -C "Maximum fragment length is 16384" \
1419 -S "Maximum fragment length is 16384" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1420 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1421 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1422 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1423
1424requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1425run_test "Max fragment length DTLS: disabled, larger message" \
1426 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1427 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1428 1 \
1429 -C "Maximum fragment length is 16384" \
1430 -S "Maximum fragment length is 16384" \
1431 -c "fragment larger than.*maximum "
1432
1433requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1434run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1435 "$P_SRV debug_level=3" \
1436 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1437 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1438 -c "Maximum fragment length is 4096" \
1439 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1440 -c "client hello, adding max_fragment_length extension" \
1441 -s "found max fragment length extension" \
1442 -s "server hello, max_fragment_length extension" \
1443 -c "found max_fragment_length extension"
1444
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1445requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1446run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1447 "$P_SRV debug_level=3 max_frag_len=4096" \
1448 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1449 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1450 -c "Maximum fragment length is 16384" \
1451 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1452 -C "client hello, adding max_fragment_length extension" \
1453 -S "found max fragment length extension" \
1454 -S "server hello, max_fragment_length extension" \
1455 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1456
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1457requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1458requires_gnutls
1459run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1460 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1461 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1462 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1463 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1464 -c "client hello, adding max_fragment_length extension" \
1465 -c "found max_fragment_length extension"
1466
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1467requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1468run_test "Max fragment length: client, message just fits" \
1469 "$P_SRV debug_level=3" \
1470 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1471 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1472 -c "Maximum fragment length is 2048" \
1473 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1474 -c "client hello, adding max_fragment_length extension" \
1475 -s "found max fragment length extension" \
1476 -s "server hello, max_fragment_length extension" \
1477 -c "found max_fragment_length extension" \
1478 -c "2048 bytes written in 1 fragments" \
1479 -s "2048 bytes read"
1480
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1481requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1482run_test "Max fragment length: client, larger message" \
1483 "$P_SRV debug_level=3" \
1484 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1485 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1486 -c "Maximum fragment length is 2048" \
1487 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1488 -c "client hello, adding max_fragment_length extension" \
1489 -s "found max fragment length extension" \
1490 -s "server hello, max_fragment_length extension" \
1491 -c "found max_fragment_length extension" \
1492 -c "2345 bytes written in 2 fragments" \
1493 -s "2048 bytes read" \
1494 -s "297 bytes read"
1495
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1496requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1497run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1498 "$P_SRV debug_level=3 dtls=1" \
1499 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1500 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1501 -c "Maximum fragment length is 2048" \
1502 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1503 -c "client hello, adding max_fragment_length extension" \
1504 -s "found max fragment length extension" \
1505 -s "server hello, max_fragment_length extension" \
1506 -c "found max_fragment_length extension" \
1507 -c "fragment larger than.*maximum"
1508
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1509# Tests for renegotiation
1510
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1511# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1512run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1513 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1514 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1515 0 \
1516 -C "client hello, adding renegotiation extension" \
1517 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1518 -S "found renegotiation extension" \
1519 -s "server hello, secure renegotiation extension" \
1520 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1521 -C "=> renegotiate" \
1522 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1523 -S "write hello request"
1524
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1525requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1526run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1527 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1528 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1529 0 \
1530 -c "client hello, adding renegotiation extension" \
1531 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1532 -s "found renegotiation extension" \
1533 -s "server hello, secure renegotiation extension" \
1534 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1535 -c "=> renegotiate" \
1536 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1537 -S "write hello request"
1538
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1539requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1540run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1541 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1542 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1543 0 \
1544 -c "client hello, adding renegotiation extension" \
1545 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1546 -s "found renegotiation extension" \
1547 -s "server hello, secure renegotiation extension" \
1548 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1549 -c "=> renegotiate" \
1550 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1551 -s "write hello request"
1552
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1553# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1554# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1555# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1556requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1557run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1558 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1559 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1560 0 \
1561 -c "client hello, adding renegotiation extension" \
1562 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1563 -s "found renegotiation extension" \
1564 -s "server hello, secure renegotiation extension" \
1565 -c "found renegotiation extension" \
1566 -c "=> renegotiate" \
1567 -s "=> renegotiate" \
1568 -S "write hello request" \
1569 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1570
1571# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1572# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1573# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1574requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1575run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1576 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1577 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1578 0 \
1579 -c "client hello, adding renegotiation extension" \
1580 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1581 -s "found renegotiation extension" \
1582 -s "server hello, secure renegotiation extension" \
1583 -c "found renegotiation extension" \
1584 -c "=> renegotiate" \
1585 -s "=> renegotiate" \
1586 -s "write hello request" \
1587 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1588
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1589requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1590run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1591 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1592 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1593 0 \
1594 -c "client hello, adding renegotiation extension" \
1595 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1596 -s "found renegotiation extension" \
1597 -s "server hello, secure renegotiation extension" \
1598 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1599 -c "=> renegotiate" \
1600 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1601 -s "write hello request"
1602
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1603requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1604run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1605 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1606 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1607 1 \
1608 -c "client hello, adding renegotiation extension" \
1609 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1610 -S "found renegotiation extension" \
1611 -s "server hello, secure renegotiation extension" \
1612 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1613 -c "=> renegotiate" \
1614 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1615 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1616 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1617 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1618
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1619requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1620run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1621 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1622 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1623 0 \
1624 -C "client hello, adding renegotiation extension" \
1625 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1626 -S "found renegotiation extension" \
1627 -s "server hello, secure renegotiation extension" \
1628 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1629 -C "=> renegotiate" \
1630 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1631 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1632 -S "SSL - An unexpected message was received from our peer" \
1633 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1634
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1635requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1636run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1637 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1638 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1639 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1640 0 \
1641 -C "client hello, adding renegotiation extension" \
1642 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1643 -S "found renegotiation extension" \
1644 -s "server hello, secure renegotiation extension" \
1645 -c "found renegotiation extension" \
1646 -C "=> renegotiate" \
1647 -S "=> renegotiate" \
1648 -s "write hello request" \
1649 -S "SSL - An unexpected message was received from our peer" \
1650 -S "failed"
1651
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1652# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1653requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1654run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1655 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1656 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1657 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1658 0 \
1659 -C "client hello, adding renegotiation extension" \
1660 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1661 -S "found renegotiation extension" \
1662 -s "server hello, secure renegotiation extension" \
1663 -c "found renegotiation extension" \
1664 -C "=> renegotiate" \
1665 -S "=> renegotiate" \
1666 -s "write hello request" \
1667 -S "SSL - An unexpected message was received from our peer" \
1668 -S "failed"
1669
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1670requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1671run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1672 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1673 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1674 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1675 0 \
1676 -C "client hello, adding renegotiation extension" \
1677 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1678 -S "found renegotiation extension" \
1679 -s "server hello, secure renegotiation extension" \
1680 -c "found renegotiation extension" \
1681 -C "=> renegotiate" \
1682 -S "=> renegotiate" \
1683 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1684 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1685
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1686requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1687run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1688 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1689 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1690 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1691 0 \
1692 -c "client hello, adding renegotiation extension" \
1693 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1694 -s "found renegotiation extension" \
1695 -s "server hello, secure renegotiation extension" \
1696 -c "found renegotiation extension" \
1697 -c "=> renegotiate" \
1698 -s "=> renegotiate" \
1699 -s "write hello request" \
1700 -S "SSL - An unexpected message was received from our peer" \
1701 -S "failed"
1702
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1703requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1704run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1705 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1706 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1707 0 \
1708 -C "client hello, adding renegotiation extension" \
1709 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1710 -S "found renegotiation extension" \
1711 -s "server hello, secure renegotiation extension" \
1712 -c "found renegotiation extension" \
1713 -S "record counter limit reached: renegotiate" \
1714 -C "=> renegotiate" \
1715 -S "=> renegotiate" \
1716 -S "write hello request" \
1717 -S "SSL - An unexpected message was received from our peer" \
1718 -S "failed"
1719
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1720# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1721requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1722run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1723 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1724 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1725 0 \
1726 -c "client hello, adding renegotiation extension" \
1727 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1728 -s "found renegotiation extension" \
1729 -s "server hello, secure renegotiation extension" \
1730 -c "found renegotiation extension" \
1731 -s "record counter limit reached: renegotiate" \
1732 -c "=> renegotiate" \
1733 -s "=> renegotiate" \
1734 -s "write hello request" \
1735 -S "SSL - An unexpected message was received from our peer" \
1736 -S "failed"
1737
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1738requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1739run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1740 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1741 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1742 0 \
1743 -c "client hello, adding renegotiation extension" \
1744 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1745 -s "found renegotiation extension" \
1746 -s "server hello, secure renegotiation extension" \
1747 -c "found renegotiation extension" \
1748 -s "record counter limit reached: renegotiate" \
1749 -c "=> renegotiate" \
1750 -s "=> renegotiate" \
1751 -s "write hello request" \
1752 -S "SSL - An unexpected message was received from our peer" \
1753 -S "failed"
1754
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1755requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1756run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1757 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1758 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1759 0 \
1760 -C "client hello, adding renegotiation extension" \
1761 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1762 -S "found renegotiation extension" \
1763 -s "server hello, secure renegotiation extension" \
1764 -c "found renegotiation extension" \
1765 -S "record counter limit reached: renegotiate" \
1766 -C "=> renegotiate" \
1767 -S "=> renegotiate" \
1768 -S "write hello request" \
1769 -S "SSL - An unexpected message was received from our peer" \
1770 -S "failed"
1771
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1772requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1773run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1774 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1775 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1776 0 \
1777 -c "client hello, adding renegotiation extension" \
1778 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1779 -s "found renegotiation extension" \
1780 -s "server hello, secure renegotiation extension" \
1781 -c "found renegotiation extension" \
1782 -c "=> renegotiate" \
1783 -s "=> renegotiate" \
1784 -S "write hello request"
1785
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1786requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1787run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1788 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1789 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1790 0 \
1791 -c "client hello, adding renegotiation extension" \
1792 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1793 -s "found renegotiation extension" \
1794 -s "server hello, secure renegotiation extension" \
1795 -c "found renegotiation extension" \
1796 -c "=> renegotiate" \
1797 -s "=> renegotiate" \
1798 -s "write hello request"
1799
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1800requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1801run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1802 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1803 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1804 0 \
1805 -c "client hello, adding renegotiation extension" \
1806 -c "found renegotiation extension" \
1807 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1808 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1809 -C "error" \
1810 -c "HTTP/1.0 200 [Oo][Kk]"
1811
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1812requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1813requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1814run_test "Renegotiation: gnutls server strict, client-initiated" \
1815 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1816 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1817 0 \
1818 -c "client hello, adding renegotiation extension" \
1819 -c "found renegotiation extension" \
1820 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1821 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1822 -C "error" \
1823 -c "HTTP/1.0 200 [Oo][Kk]"
1824
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1825requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1826requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1827run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1828 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1829 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1830 1 \
1831 -c "client hello, adding renegotiation extension" \
1832 -C "found renegotiation extension" \
1833 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1834 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1835 -c "error" \
1836 -C "HTTP/1.0 200 [Oo][Kk]"
1837
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1838requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1839requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1840run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1841 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1842 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1843 allow_legacy=0" \
1844 1 \
1845 -c "client hello, adding renegotiation extension" \
1846 -C "found renegotiation extension" \
1847 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1848 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1849 -c "error" \
1850 -C "HTTP/1.0 200 [Oo][Kk]"
1851
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1852requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1853requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1854run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1855 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1856 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1857 allow_legacy=1" \
1858 0 \
1859 -c "client hello, adding renegotiation extension" \
1860 -C "found renegotiation extension" \
1861 -c "=> renegotiate" \
1862 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1863 -C "error" \
1864 -c "HTTP/1.0 200 [Oo][Kk]"
1865
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1866requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1867run_test "Renegotiation: DTLS, client-initiated" \
1868 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1869 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1870 0 \
1871 -c "client hello, adding renegotiation extension" \
1872 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1873 -s "found renegotiation extension" \
1874 -s "server hello, secure renegotiation extension" \
1875 -c "found renegotiation extension" \
1876 -c "=> renegotiate" \
1877 -s "=> renegotiate" \
1878 -S "write hello request"
1879
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1880requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1881run_test "Renegotiation: DTLS, server-initiated" \
1882 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1883 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1884 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1885 0 \
1886 -c "client hello, adding renegotiation extension" \
1887 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1888 -s "found renegotiation extension" \
1889 -s "server hello, secure renegotiation extension" \
1890 -c "found renegotiation extension" \
1891 -c "=> renegotiate" \
1892 -s "=> renegotiate" \
1893 -s "write hello request"
1894
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1895requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1896run_test "Renegotiation: DTLS, renego_period overflow" \
1897 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1898 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1899 0 \
1900 -c "client hello, adding renegotiation extension" \
1901 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1902 -s "found renegotiation extension" \
1903 -s "server hello, secure renegotiation extension" \
1904 -s "record counter limit reached: renegotiate" \
1905 -c "=> renegotiate" \
1906 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1907 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1908
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1909requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1910requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1911run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1912 "$G_SRV -u --mtu 4096" \
1913 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1914 0 \
1915 -c "client hello, adding renegotiation extension" \
1916 -c "found renegotiation extension" \
1917 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1918 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1919 -C "error" \
1920 -s "Extra-header:"
1921
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1922# Test for the "secure renegotation" extension only (no actual renegotiation)
1923
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1924requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1925run_test "Renego ext: gnutls server strict, client default" \
1926 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1927 "$P_CLI debug_level=3" \
1928 0 \
1929 -c "found renegotiation extension" \
1930 -C "error" \
1931 -c "HTTP/1.0 200 [Oo][Kk]"
1932
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1933requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1934run_test "Renego ext: gnutls server unsafe, client default" \
1935 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1936 "$P_CLI debug_level=3" \
1937 0 \
1938 -C "found renegotiation extension" \
1939 -C "error" \
1940 -c "HTTP/1.0 200 [Oo][Kk]"
1941
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1942requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1943run_test "Renego ext: gnutls server unsafe, client break legacy" \
1944 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1945 "$P_CLI debug_level=3 allow_legacy=-1" \
1946 1 \
1947 -C "found renegotiation extension" \
1948 -c "error" \
1949 -C "HTTP/1.0 200 [Oo][Kk]"
1950
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1951requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1952run_test "Renego ext: gnutls client strict, server default" \
1953 "$P_SRV debug_level=3" \
1954 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1955 0 \
1956 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1957 -s "server hello, secure renegotiation extension"
1958
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1959requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1960run_test "Renego ext: gnutls client unsafe, server default" \
1961 "$P_SRV debug_level=3" \
1962 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1963 0 \
1964 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1965 -S "server hello, secure renegotiation extension"
1966
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1967requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1968run_test "Renego ext: gnutls client unsafe, server break legacy" \
1969 "$P_SRV debug_level=3 allow_legacy=-1" \
1970 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1971 1 \
1972 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1973 -S "server hello, secure renegotiation extension"
1974
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]1975# Tests for silently dropping trailing extra bytes in .der certificates
1976
1977requires_gnutls
1978run_test "DER format: no trailing bytes" \
1979 "$P_SRV crt_file=data_files/server5-der0.crt \
1980 key_file=data_files/server5.key" \
1981 "$G_CLI " \
1982 0 \
1983 -c "Handshake was completed" \
1984
1985requires_gnutls
1986run_test "DER format: with a trailing zero byte" \
1987 "$P_SRV crt_file=data_files/server5-der1a.crt \
1988 key_file=data_files/server5.key" \
1989 "$G_CLI " \
1990 0 \
1991 -c "Handshake was completed" \
1992
1993requires_gnutls
1994run_test "DER format: with a trailing random byte" \
1995 "$P_SRV crt_file=data_files/server5-der1b.crt \
1996 key_file=data_files/server5.key" \
1997 "$G_CLI " \
1998 0 \
1999 -c "Handshake was completed" \
2000
2001requires_gnutls
2002run_test "DER format: with 2 trailing random bytes" \
2003 "$P_SRV crt_file=data_files/server5-der2.crt \
2004 key_file=data_files/server5.key" \
2005 "$G_CLI " \
2006 0 \
2007 -c "Handshake was completed" \
2008
2009requires_gnutls
2010run_test "DER format: with 4 trailing random bytes" \
2011 "$P_SRV crt_file=data_files/server5-der4.crt \
2012 key_file=data_files/server5.key" \
2013 "$G_CLI " \
2014 0 \
2015 -c "Handshake was completed" \
2016
2017requires_gnutls
2018run_test "DER format: with 8 trailing random bytes" \
2019 "$P_SRV crt_file=data_files/server5-der8.crt \
2020 key_file=data_files/server5.key" \
2021 "$G_CLI " \
2022 0 \
2023 -c "Handshake was completed" \
2024
2025requires_gnutls
2026run_test "DER format: with 9 trailing random bytes" \
2027 "$P_SRV crt_file=data_files/server5-der9.crt \
2028 key_file=data_files/server5.key" \
2029 "$G_CLI " \
2030 0 \
2031 -c "Handshake was completed" \
2032
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2033# Tests for auth_mode
2034
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2035run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2036 "$P_SRV crt_file=data_files/server5-badsign.crt \
2037 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2038 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2039 1 \
2040 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2041 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2042 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2043 -c "X509 - Certificate verification failed"
2044
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2045run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2046 "$P_SRV crt_file=data_files/server5-badsign.crt \
2047 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2048 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2049 0 \
2050 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2051 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2052 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2053 -C "X509 - Certificate verification failed"
2054
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]2055run_test "Authentication: server goodcert, client optional, no trusted CA" \
2056 "$P_SRV" \
2057 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2058 0 \
2059 -c "x509_verify_cert() returned" \
2060 -c "! The certificate is not correctly signed by the trusted CA" \
2061 -c "! Certificate verification flags"\
2062 -C "! mbedtls_ssl_handshake returned" \
2063 -C "X509 - Certificate verification failed" \
2064 -C "SSL - No CA Chain is set, but required to operate"
2065
2066run_test "Authentication: server goodcert, client required, no trusted CA" \
2067 "$P_SRV" \
2068 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2069 1 \
2070 -c "x509_verify_cert() returned" \
2071 -c "! The certificate is not correctly signed by the trusted CA" \
2072 -c "! Certificate verification flags"\
2073 -c "! mbedtls_ssl_handshake returned" \
2074 -c "SSL - No CA Chain is set, but required to operate"
2075
2076# The purpose of the next two tests is to test the client's behaviour when receiving a server
2077# certificate with an unsupported elliptic curve. This should usually not happen because
2078# the client informs the server about the supported curves - it does, though, in the
2079# corner case of a static ECDH suite, because the server doesn't check the curve on that
2080# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
2081# different means to have the server ignoring the client's supported curve list.
2082
2083requires_config_enabled MBEDTLS_ECP_C
2084run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2085 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2086 crt_file=data_files/server5.ku-ka.crt" \
2087 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2088 1 \
2089 -c "bad certificate (EC key curve)"\
2090 -c "! Certificate verification flags"\
2091 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2092
2093requires_config_enabled MBEDTLS_ECP_C
2094run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2095 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2096 crt_file=data_files/server5.ku-ka.crt" \
2097 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2098 1 \
2099 -c "bad certificate (EC key curve)"\
2100 -c "! Certificate verification flags"\
2101 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2102
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2103run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2104 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2105 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2106 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2107 0 \
2108 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2109 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2110 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2111 -C "X509 - Certificate verification failed"
2112
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2113run_test "Authentication: client SHA256, server required" \
2114 "$P_SRV auth_mode=required" \
2115 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2116 key_file=data_files/server6.key \
2117 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
2118 0 \
2119 -c "Supported Signature Algorithm found: 4," \
2120 -c "Supported Signature Algorithm found: 5,"
2121
2122run_test "Authentication: client SHA384, server required" \
2123 "$P_SRV auth_mode=required" \
2124 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2125 key_file=data_files/server6.key \
2126 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2127 0 \
2128 -c "Supported Signature Algorithm found: 4," \
2129 -c "Supported Signature Algorithm found: 5,"
2130
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2131requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2132run_test "Authentication: client has no cert, server required (SSLv3)" \
2133 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2134 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2135 key_file=data_files/server5.key" \
2136 1 \
2137 -S "skip write certificate request" \
2138 -C "skip parse certificate request" \
2139 -c "got a certificate request" \
2140 -c "got no certificate to send" \
2141 -S "x509_verify_cert() returned" \
2142 -s "client has no certificate" \
2143 -s "! mbedtls_ssl_handshake returned" \
2144 -c "! mbedtls_ssl_handshake returned" \
2145 -s "No client certification received from the client, but required by the authentication mode"
2146
2147run_test "Authentication: client has no cert, server required (TLS)" \
2148 "$P_SRV debug_level=3 auth_mode=required" \
2149 "$P_CLI debug_level=3 crt_file=none \
2150 key_file=data_files/server5.key" \
2151 1 \
2152 -S "skip write certificate request" \
2153 -C "skip parse certificate request" \
2154 -c "got a certificate request" \
2155 -c "= write certificate$" \
2156 -C "skip write certificate$" \
2157 -S "x509_verify_cert() returned" \
2158 -s "client has no certificate" \
2159 -s "! mbedtls_ssl_handshake returned" \
2160 -c "! mbedtls_ssl_handshake returned" \
2161 -s "No client certification received from the client, but required by the authentication mode"
2162
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2163run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2164 "$P_SRV debug_level=3 auth_mode=required" \
2165 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2166 key_file=data_files/server5.key" \
2167 1 \
2168 -S "skip write certificate request" \
2169 -C "skip parse certificate request" \
2170 -c "got a certificate request" \
2171 -C "skip write certificate" \
2172 -C "skip write certificate verify" \
2173 -S "skip parse certificate verify" \
2174 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2175 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2176 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2177 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2178 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2179 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2180# We don't check that the client receives the alert because it might
2181# detect that its write end of the connection is closed and abort
2182# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2183
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2184run_test "Authentication: client cert not trusted, server required" \
2185 "$P_SRV debug_level=3 auth_mode=required" \
2186 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2187 key_file=data_files/server5.key" \
2188 1 \
2189 -S "skip write certificate request" \
2190 -C "skip parse certificate request" \
2191 -c "got a certificate request" \
2192 -C "skip write certificate" \
2193 -C "skip write certificate verify" \
2194 -S "skip parse certificate verify" \
2195 -s "x509_verify_cert() returned" \
2196 -s "! The certificate is not correctly signed by the trusted CA" \
2197 -s "! mbedtls_ssl_handshake returned" \
2198 -c "! mbedtls_ssl_handshake returned" \
2199 -s "X509 - Certificate verification failed"
2200
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2201run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2202 "$P_SRV debug_level=3 auth_mode=optional" \
2203 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2204 key_file=data_files/server5.key" \
2205 0 \
2206 -S "skip write certificate request" \
2207 -C "skip parse certificate request" \
2208 -c "got a certificate request" \
2209 -C "skip write certificate" \
2210 -C "skip write certificate verify" \
2211 -S "skip parse certificate verify" \
2212 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2213 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2214 -S "! mbedtls_ssl_handshake returned" \
2215 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2216 -S "X509 - Certificate verification failed"
2217
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2218run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2219 "$P_SRV debug_level=3 auth_mode=none" \
2220 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2221 key_file=data_files/server5.key" \
2222 0 \
2223 -s "skip write certificate request" \
2224 -C "skip parse certificate request" \
2225 -c "got no certificate request" \
2226 -c "skip write certificate" \
2227 -c "skip write certificate verify" \
2228 -s "skip parse certificate verify" \
2229 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2230 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2231 -S "! mbedtls_ssl_handshake returned" \
2232 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2233 -S "X509 - Certificate verification failed"
2234
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2235run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2236 "$P_SRV debug_level=3 auth_mode=optional" \
2237 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2238 0 \
2239 -S "skip write certificate request" \
2240 -C "skip parse certificate request" \
2241 -c "got a certificate request" \
2242 -C "skip write certificate$" \
2243 -C "got no certificate to send" \
2244 -S "SSLv3 client has no certificate" \
2245 -c "skip write certificate verify" \
2246 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2247 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2248 -S "! mbedtls_ssl_handshake returned" \
2249 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2250 -S "X509 - Certificate verification failed"
2251
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2252run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2253 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2254 "$O_CLI" \
2255 0 \
2256 -S "skip write certificate request" \
2257 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2258 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2259 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2260 -S "X509 - Certificate verification failed"
2261
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2262run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2263 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2264 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2265 0 \
2266 -C "skip parse certificate request" \
2267 -c "got a certificate request" \
2268 -C "skip write certificate$" \
2269 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2270 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2271
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2272run_test "Authentication: client no cert, openssl server required" \
2273 "$O_SRV -Verify 10" \
2274 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2275 1 \
2276 -C "skip parse certificate request" \
2277 -c "got a certificate request" \
2278 -C "skip write certificate$" \
2279 -c "skip write certificate verify" \
2280 -c "! mbedtls_ssl_handshake returned"
2281
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2282requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2283run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2284 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2285 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2286 0 \
2287 -S "skip write certificate request" \
2288 -C "skip parse certificate request" \
2289 -c "got a certificate request" \
2290 -C "skip write certificate$" \
2291 -c "skip write certificate verify" \
2292 -c "got no certificate to send" \
2293 -s "SSLv3 client has no certificate" \
2294 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2295 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2296 -S "! mbedtls_ssl_handshake returned" \
2297 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2298 -S "X509 - Certificate verification failed"
2299
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2300# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2301# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2302
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2303MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2304MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2305
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2306if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2307 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2308 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2309 printf "test value of ${MAX_IM_CA}. \n"
2310 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2311 printf "The tests assume this value and if it changes, the tests in this\n"
2312 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2313 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2314
2315 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2316fi
2317
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2318run_test "Authentication: server max_int chain, client default" \
2319 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2320 key_file=data_files/dir-maxpath/09.key" \
2321 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2322 0 \
2323 -C "X509 - A fatal error occured"
2324
2325run_test "Authentication: server max_int+1 chain, client default" \
2326 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2327 key_file=data_files/dir-maxpath/10.key" \
2328 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2329 1 \
2330 -c "X509 - A fatal error occured"
2331
2332run_test "Authentication: server max_int+1 chain, client optional" \
2333 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2334 key_file=data_files/dir-maxpath/10.key" \
2335 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2336 auth_mode=optional" \
2337 1 \
2338 -c "X509 - A fatal error occured"
2339
2340run_test "Authentication: server max_int+1 chain, client none" \
2341 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2342 key_file=data_files/dir-maxpath/10.key" \
2343 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2344 auth_mode=none" \
2345 0 \
2346 -C "X509 - A fatal error occured"
2347
2348run_test "Authentication: client max_int+1 chain, server default" \
2349 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2350 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2351 key_file=data_files/dir-maxpath/10.key" \
2352 0 \
2353 -S "X509 - A fatal error occured"
2354
2355run_test "Authentication: client max_int+1 chain, server optional" \
2356 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2357 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2358 key_file=data_files/dir-maxpath/10.key" \
2359 1 \
2360 -s "X509 - A fatal error occured"
2361
2362run_test "Authentication: client max_int+1 chain, server required" \
2363 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2364 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2365 key_file=data_files/dir-maxpath/10.key" \
2366 1 \
2367 -s "X509 - A fatal error occured"
2368
2369run_test "Authentication: client max_int chain, server required" \
2370 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2371 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2372 key_file=data_files/dir-maxpath/09.key" \
2373 0 \
2374 -S "X509 - A fatal error occured"
2375
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2376# Tests for CA list in CertificateRequest messages
2377
2378run_test "Authentication: send CA list in CertificateRequest (default)" \
2379 "$P_SRV debug_level=3 auth_mode=required" \
2380 "$P_CLI crt_file=data_files/server6.crt \
2381 key_file=data_files/server6.key" \
2382 0 \
2383 -s "requested DN"
2384
2385run_test "Authentication: do not send CA list in CertificateRequest" \
2386 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2387 "$P_CLI crt_file=data_files/server6.crt \
2388 key_file=data_files/server6.key" \
2389 0 \
2390 -S "requested DN"
2391
2392run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2393 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2394 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2395 key_file=data_files/server5.key" \
2396 1 \
2397 -S "requested DN" \
2398 -s "x509_verify_cert() returned" \
2399 -s "! The certificate is not correctly signed by the trusted CA" \
2400 -s "! mbedtls_ssl_handshake returned" \
2401 -c "! mbedtls_ssl_handshake returned" \
2402 -s "X509 - Certificate verification failed"
2403
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2404# Tests for certificate selection based on SHA verson
2405
2406run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2407 "$P_SRV crt_file=data_files/server5.crt \
2408 key_file=data_files/server5.key \
2409 crt_file2=data_files/server5-sha1.crt \
2410 key_file2=data_files/server5.key" \
2411 "$P_CLI force_version=tls1_2" \
2412 0 \
2413 -c "signed using.*ECDSA with SHA256" \
2414 -C "signed using.*ECDSA with SHA1"
2415
2416run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2417 "$P_SRV crt_file=data_files/server5.crt \
2418 key_file=data_files/server5.key \
2419 crt_file2=data_files/server5-sha1.crt \
2420 key_file2=data_files/server5.key" \
2421 "$P_CLI force_version=tls1_1" \
2422 0 \
2423 -C "signed using.*ECDSA with SHA256" \
2424 -c "signed using.*ECDSA with SHA1"
2425
2426run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2427 "$P_SRV crt_file=data_files/server5.crt \
2428 key_file=data_files/server5.key \
2429 crt_file2=data_files/server5-sha1.crt \
2430 key_file2=data_files/server5.key" \
2431 "$P_CLI force_version=tls1" \
2432 0 \
2433 -C "signed using.*ECDSA with SHA256" \
2434 -c "signed using.*ECDSA with SHA1"
2435
2436run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2437 "$P_SRV crt_file=data_files/server5.crt \
2438 key_file=data_files/server5.key \
2439 crt_file2=data_files/server6.crt \
2440 key_file2=data_files/server6.key" \
2441 "$P_CLI force_version=tls1_1" \
2442 0 \
2443 -c "serial number.*09" \
2444 -c "signed using.*ECDSA with SHA256" \
2445 -C "signed using.*ECDSA with SHA1"
2446
2447run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2448 "$P_SRV crt_file=data_files/server6.crt \
2449 key_file=data_files/server6.key \
2450 crt_file2=data_files/server5.crt \
2451 key_file2=data_files/server5.key" \
2452 "$P_CLI force_version=tls1_1" \
2453 0 \
2454 -c "serial number.*0A" \
2455 -c "signed using.*ECDSA with SHA256" \
2456 -C "signed using.*ECDSA with SHA1"
2457
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2458# tests for SNI
2459
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2460run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2461 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2462 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2463 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2464 0 \
2465 -S "parse ServerName extension" \
2466 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2467 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2468
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2469run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2470 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2471 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2472 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2473 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2474 0 \
2475 -s "parse ServerName extension" \
2476 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2477 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2478
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2479run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2480 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2481 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2482 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2483 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2484 0 \
2485 -s "parse ServerName extension" \
2486 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2487 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2488
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2489run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2490 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2491 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2492 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2493 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2494 1 \
2495 -s "parse ServerName extension" \
2496 -s "ssl_sni_wrapper() returned" \
2497 -s "mbedtls_ssl_handshake returned" \
2498 -c "mbedtls_ssl_handshake returned" \
2499 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2500
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2501run_test "SNI: client auth no override: optional" \
2502 "$P_SRV debug_level=3 auth_mode=optional \
2503 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2504 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2505 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2506 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2507 -S "skip write certificate request" \
2508 -C "skip parse certificate request" \
2509 -c "got a certificate request" \
2510 -C "skip write certificate" \
2511 -C "skip write certificate verify" \
2512 -S "skip parse certificate verify"
2513
2514run_test "SNI: client auth override: none -> optional" \
2515 "$P_SRV debug_level=3 auth_mode=none \
2516 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2517 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2518 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2519 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2520 -S "skip write certificate request" \
2521 -C "skip parse certificate request" \
2522 -c "got a certificate request" \
2523 -C "skip write certificate" \
2524 -C "skip write certificate verify" \
2525 -S "skip parse certificate verify"
2526
2527run_test "SNI: client auth override: optional -> none" \
2528 "$P_SRV debug_level=3 auth_mode=optional \
2529 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2530 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2531 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2532 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2533 -s "skip write certificate request" \
2534 -C "skip parse certificate request" \
2535 -c "got no certificate request" \
2536 -c "skip write certificate" \
2537 -c "skip write certificate verify" \
2538 -s "skip parse certificate verify"
2539
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2540run_test "SNI: CA no override" \
2541 "$P_SRV debug_level=3 auth_mode=optional \
2542 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2543 ca_file=data_files/test-ca.crt \
2544 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2545 "$P_CLI debug_level=3 server_name=localhost \
2546 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2547 1 \
2548 -S "skip write certificate request" \
2549 -C "skip parse certificate request" \
2550 -c "got a certificate request" \
2551 -C "skip write certificate" \
2552 -C "skip write certificate verify" \
2553 -S "skip parse certificate verify" \
2554 -s "x509_verify_cert() returned" \
2555 -s "! The certificate is not correctly signed by the trusted CA" \
2556 -S "The certificate has been revoked (is on a CRL)"
2557
2558run_test "SNI: CA override" \
2559 "$P_SRV debug_level=3 auth_mode=optional \
2560 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2561 ca_file=data_files/test-ca.crt \
2562 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2563 "$P_CLI debug_level=3 server_name=localhost \
2564 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2565 0 \
2566 -S "skip write certificate request" \
2567 -C "skip parse certificate request" \
2568 -c "got a certificate request" \
2569 -C "skip write certificate" \
2570 -C "skip write certificate verify" \
2571 -S "skip parse certificate verify" \
2572 -S "x509_verify_cert() returned" \
2573 -S "! The certificate is not correctly signed by the trusted CA" \
2574 -S "The certificate has been revoked (is on a CRL)"
2575
2576run_test "SNI: CA override with CRL" \
2577 "$P_SRV debug_level=3 auth_mode=optional \
2578 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2579 ca_file=data_files/test-ca.crt \
2580 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2581 "$P_CLI debug_level=3 server_name=localhost \
2582 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2583 1 \
2584 -S "skip write certificate request" \
2585 -C "skip parse certificate request" \
2586 -c "got a certificate request" \
2587 -C "skip write certificate" \
2588 -C "skip write certificate verify" \
2589 -S "skip parse certificate verify" \
2590 -s "x509_verify_cert() returned" \
2591 -S "! The certificate is not correctly signed by the trusted CA" \
2592 -s "The certificate has been revoked (is on a CRL)"
2593
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2594# Tests for non-blocking I/O: exercise a variety of handshake flows
2595
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2596run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2597 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2598 "$P_CLI nbio=2 tickets=0" \
2599 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2600 -S "mbedtls_ssl_handshake returned" \
2601 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2602 -c "Read from server: .* bytes read"
2603
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2604run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2605 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2606 "$P_CLI nbio=2 tickets=0" \
2607 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2608 -S "mbedtls_ssl_handshake returned" \
2609 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2610 -c "Read from server: .* bytes read"
2611
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2612run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2613 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2614 "$P_CLI nbio=2 tickets=1" \
2615 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2616 -S "mbedtls_ssl_handshake returned" \
2617 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2618 -c "Read from server: .* bytes read"
2619
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2620run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2621 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2622 "$P_CLI nbio=2 tickets=1" \
2623 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2624 -S "mbedtls_ssl_handshake returned" \
2625 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2626 -c "Read from server: .* bytes read"
2627
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2628run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2629 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2630 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2631 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2632 -S "mbedtls_ssl_handshake returned" \
2633 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2634 -c "Read from server: .* bytes read"
2635
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2636run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2637 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2638 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2639 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2640 -S "mbedtls_ssl_handshake returned" \
2641 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2642 -c "Read from server: .* bytes read"
2643
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2644run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2645 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2646 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2647 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2648 -S "mbedtls_ssl_handshake returned" \
2649 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2650 -c "Read from server: .* bytes read"
2651
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2652# Tests for version negotiation
2653
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2654run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2655 "$P_SRV" \
2656 "$P_CLI" \
2657 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2658 -S "mbedtls_ssl_handshake returned" \
2659 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2660 -s "Protocol is TLSv1.2" \
2661 -c "Protocol is TLSv1.2"
2662
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2663run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2664 "$P_SRV" \
2665 "$P_CLI max_version=tls1_1" \
2666 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2667 -S "mbedtls_ssl_handshake returned" \
2668 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2669 -s "Protocol is TLSv1.1" \
2670 -c "Protocol is TLSv1.1"
2671
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2672run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2673 "$P_SRV max_version=tls1_1" \
2674 "$P_CLI" \
2675 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2676 -S "mbedtls_ssl_handshake returned" \
2677 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2678 -s "Protocol is TLSv1.1" \
2679 -c "Protocol is TLSv1.1"
2680
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2681run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2682 "$P_SRV max_version=tls1_1" \
2683 "$P_CLI max_version=tls1_1" \
2684 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2685 -S "mbedtls_ssl_handshake returned" \
2686 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2687 -s "Protocol is TLSv1.1" \
2688 -c "Protocol is TLSv1.1"
2689
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2690run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2691 "$P_SRV min_version=tls1_1" \
2692 "$P_CLI max_version=tls1_1" \
2693 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2694 -S "mbedtls_ssl_handshake returned" \
2695 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2696 -s "Protocol is TLSv1.1" \
2697 -c "Protocol is TLSv1.1"
2698
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2699run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2700 "$P_SRV max_version=tls1_1" \
2701 "$P_CLI min_version=tls1_1" \
2702 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2703 -S "mbedtls_ssl_handshake returned" \
2704 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2705 -s "Protocol is TLSv1.1" \
2706 -c "Protocol is TLSv1.1"
2707
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2708run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2709 "$P_SRV max_version=tls1_1" \
2710 "$P_CLI min_version=tls1_2" \
2711 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2712 -s "mbedtls_ssl_handshake returned" \
2713 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2714 -c "SSL - Handshake protocol not within min/max boundaries"
2715
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2716run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2717 "$P_SRV min_version=tls1_2" \
2718 "$P_CLI max_version=tls1_1" \
2719 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2720 -s "mbedtls_ssl_handshake returned" \
2721 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2722 -s "SSL - Handshake protocol not within min/max boundaries"
2723
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2724# Tests for ALPN extension
2725
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2726run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2727 "$P_SRV debug_level=3" \
2728 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2729 0 \
2730 -C "client hello, adding alpn extension" \
2731 -S "found alpn extension" \
2732 -C "got an alert message, type: \\[2:120]" \
2733 -S "server hello, adding alpn extension" \
2734 -C "found alpn extension " \
2735 -C "Application Layer Protocol is" \
2736 -S "Application Layer Protocol is"
2737
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2738run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2739 "$P_SRV debug_level=3" \
2740 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2741 0 \
2742 -c "client hello, adding alpn extension" \
2743 -s "found alpn extension" \
2744 -C "got an alert message, type: \\[2:120]" \
2745 -S "server hello, adding alpn extension" \
2746 -C "found alpn extension " \
2747 -c "Application Layer Protocol is (none)" \
2748 -S "Application Layer Protocol is"
2749
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2750run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2751 "$P_SRV debug_level=3 alpn=abc,1234" \
2752 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2753 0 \
2754 -C "client hello, adding alpn extension" \
2755 -S "found alpn extension" \
2756 -C "got an alert message, type: \\[2:120]" \
2757 -S "server hello, adding alpn extension" \
2758 -C "found alpn extension " \
2759 -C "Application Layer Protocol is" \
2760 -s "Application Layer Protocol is (none)"
2761
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2762run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2763 "$P_SRV debug_level=3 alpn=abc,1234" \
2764 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2765 0 \
2766 -c "client hello, adding alpn extension" \
2767 -s "found alpn extension" \
2768 -C "got an alert message, type: \\[2:120]" \
2769 -s "server hello, adding alpn extension" \
2770 -c "found alpn extension" \
2771 -c "Application Layer Protocol is abc" \
2772 -s "Application Layer Protocol is abc"
2773
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2774run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2775 "$P_SRV debug_level=3 alpn=abc,1234" \
2776 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2777 0 \
2778 -c "client hello, adding alpn extension" \
2779 -s "found alpn extension" \
2780 -C "got an alert message, type: \\[2:120]" \
2781 -s "server hello, adding alpn extension" \
2782 -c "found alpn extension" \
2783 -c "Application Layer Protocol is abc" \
2784 -s "Application Layer Protocol is abc"
2785
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2786run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2787 "$P_SRV debug_level=3 alpn=abc,1234" \
2788 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2789 0 \
2790 -c "client hello, adding alpn extension" \
2791 -s "found alpn extension" \
2792 -C "got an alert message, type: \\[2:120]" \
2793 -s "server hello, adding alpn extension" \
2794 -c "found alpn extension" \
2795 -c "Application Layer Protocol is 1234" \
2796 -s "Application Layer Protocol is 1234"
2797
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2798run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2799 "$P_SRV debug_level=3 alpn=abc,123" \
2800 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2801 1 \
2802 -c "client hello, adding alpn extension" \
2803 -s "found alpn extension" \
2804 -c "got an alert message, type: \\[2:120]" \
2805 -S "server hello, adding alpn extension" \
2806 -C "found alpn extension" \
2807 -C "Application Layer Protocol is 1234" \
2808 -S "Application Layer Protocol is 1234"
2809
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2810
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2811# Tests for keyUsage in leaf certificates, part 1:
2812# server-side certificate/suite selection
2813
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2814run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2815 "$P_SRV key_file=data_files/server2.key \
2816 crt_file=data_files/server2.ku-ds.crt" \
2817 "$P_CLI" \
2818 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2819 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2820
2821
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2822run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2823 "$P_SRV key_file=data_files/server2.key \
2824 crt_file=data_files/server2.ku-ke.crt" \
2825 "$P_CLI" \
2826 0 \
2827 -c "Ciphersuite is TLS-RSA-WITH-"
2828
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2829run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2830 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2831 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2832 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2833 1 \
2834 -C "Ciphersuite is "
2835
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2836run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2837 "$P_SRV key_file=data_files/server5.key \
2838 crt_file=data_files/server5.ku-ds.crt" \
2839 "$P_CLI" \
2840 0 \
2841 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2842
2843
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2844run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2845 "$P_SRV key_file=data_files/server5.key \
2846 crt_file=data_files/server5.ku-ka.crt" \
2847 "$P_CLI" \
2848 0 \
2849 -c "Ciphersuite is TLS-ECDH-"
2850
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2851run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2852 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2853 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2854 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2855 1 \
2856 -C "Ciphersuite is "
2857
2858# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2859# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2860
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2861run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2862 "$O_SRV -key data_files/server2.key \
2863 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2864 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2865 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2866 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2867 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2868 -C "Processing of the Certificate handshake message failed" \
2869 -c "Ciphersuite is TLS-"
2870
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2871run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2872 "$O_SRV -key data_files/server2.key \
2873 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2874 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2875 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2876 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2877 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2878 -C "Processing of the Certificate handshake message failed" \
2879 -c "Ciphersuite is TLS-"
2880
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2881run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2882 "$O_SRV -key data_files/server2.key \
2883 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2884 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2885 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2886 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2887 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2888 -C "Processing of the Certificate handshake message failed" \
2889 -c "Ciphersuite is TLS-"
2890
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2891run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2892 "$O_SRV -key data_files/server2.key \
2893 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2894 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2895 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2896 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2897 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2898 -c "Processing of the Certificate handshake message failed" \
2899 -C "Ciphersuite is TLS-"
2900
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2901run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2902 "$O_SRV -key data_files/server2.key \
2903 -cert data_files/server2.ku-ke.crt" \
2904 "$P_CLI debug_level=1 auth_mode=optional \
2905 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2906 0 \
2907 -c "bad certificate (usage extensions)" \
2908 -C "Processing of the Certificate handshake message failed" \
2909 -c "Ciphersuite is TLS-" \
2910 -c "! Usage does not match the keyUsage extension"
2911
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2912run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2913 "$O_SRV -key data_files/server2.key \
2914 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2915 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2916 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2917 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2918 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2919 -C "Processing of the Certificate handshake message failed" \
2920 -c "Ciphersuite is TLS-"
2921
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2922run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2923 "$O_SRV -key data_files/server2.key \
2924 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2925 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2926 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2927 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2928 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2929 -c "Processing of the Certificate handshake message failed" \
2930 -C "Ciphersuite is TLS-"
2931
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2932run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2933 "$O_SRV -key data_files/server2.key \
2934 -cert data_files/server2.ku-ds.crt" \
2935 "$P_CLI debug_level=1 auth_mode=optional \
2936 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2937 0 \
2938 -c "bad certificate (usage extensions)" \
2939 -C "Processing of the Certificate handshake message failed" \
2940 -c "Ciphersuite is TLS-" \
2941 -c "! Usage does not match the keyUsage extension"
2942
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2943# Tests for keyUsage in leaf certificates, part 3:
2944# server-side checking of client cert
2945
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2946run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2947 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2948 "$O_CLI -key data_files/server2.key \
2949 -cert data_files/server2.ku-ds.crt" \
2950 0 \
2951 -S "bad certificate (usage extensions)" \
2952 -S "Processing of the Certificate handshake message failed"
2953
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2954run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2955 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2956 "$O_CLI -key data_files/server2.key \
2957 -cert data_files/server2.ku-ke.crt" \
2958 0 \
2959 -s "bad certificate (usage extensions)" \
2960 -S "Processing of the Certificate handshake message failed"
2961
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2962run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2963 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2964 "$O_CLI -key data_files/server2.key \
2965 -cert data_files/server2.ku-ke.crt" \
2966 1 \
2967 -s "bad certificate (usage extensions)" \
2968 -s "Processing of the Certificate handshake message failed"
2969
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2970run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2971 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2972 "$O_CLI -key data_files/server5.key \
2973 -cert data_files/server5.ku-ds.crt" \
2974 0 \
2975 -S "bad certificate (usage extensions)" \
2976 -S "Processing of the Certificate handshake message failed"
2977
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2978run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2979 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2980 "$O_CLI -key data_files/server5.key \
2981 -cert data_files/server5.ku-ka.crt" \
2982 0 \
2983 -s "bad certificate (usage extensions)" \
2984 -S "Processing of the Certificate handshake message failed"
2985
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2986# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2987
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2988run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2989 "$P_SRV key_file=data_files/server5.key \
2990 crt_file=data_files/server5.eku-srv.crt" \
2991 "$P_CLI" \
2992 0
2993
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2994run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2995 "$P_SRV key_file=data_files/server5.key \
2996 crt_file=data_files/server5.eku-srv.crt" \
2997 "$P_CLI" \
2998 0
2999
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3000run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3001 "$P_SRV key_file=data_files/server5.key \
3002 crt_file=data_files/server5.eku-cs_any.crt" \
3003 "$P_CLI" \
3004 0
3005
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3006run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3007 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3008 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3009 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3010 1
3011
3012# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3013
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3014run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3015 "$O_SRV -key data_files/server5.key \
3016 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3017 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3018 0 \
3019 -C "bad certificate (usage extensions)" \
3020 -C "Processing of the Certificate handshake message failed" \
3021 -c "Ciphersuite is TLS-"
3022
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3023run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3024 "$O_SRV -key data_files/server5.key \
3025 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3026 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3027 0 \
3028 -C "bad certificate (usage extensions)" \
3029 -C "Processing of the Certificate handshake message failed" \
3030 -c "Ciphersuite is TLS-"
3031
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3032run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3033 "$O_SRV -key data_files/server5.key \
3034 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3035 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3036 0 \
3037 -C "bad certificate (usage extensions)" \
3038 -C "Processing of the Certificate handshake message failed" \
3039 -c "Ciphersuite is TLS-"
3040
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3041run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3042 "$O_SRV -key data_files/server5.key \
3043 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3044 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3045 1 \
3046 -c "bad certificate (usage extensions)" \
3047 -c "Processing of the Certificate handshake message failed" \
3048 -C "Ciphersuite is TLS-"
3049
3050# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3051
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3052run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3053 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3054 "$O_CLI -key data_files/server5.key \
3055 -cert data_files/server5.eku-cli.crt" \
3056 0 \
3057 -S "bad certificate (usage extensions)" \
3058 -S "Processing of the Certificate handshake message failed"
3059
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3060run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3061 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3062 "$O_CLI -key data_files/server5.key \
3063 -cert data_files/server5.eku-srv_cli.crt" \
3064 0 \
3065 -S "bad certificate (usage extensions)" \
3066 -S "Processing of the Certificate handshake message failed"
3067
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3068run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3069 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3070 "$O_CLI -key data_files/server5.key \
3071 -cert data_files/server5.eku-cs_any.crt" \
3072 0 \
3073 -S "bad certificate (usage extensions)" \
3074 -S "Processing of the Certificate handshake message failed"
3075
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3076run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3077 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3078 "$O_CLI -key data_files/server5.key \
3079 -cert data_files/server5.eku-cs.crt" \
3080 0 \
3081 -s "bad certificate (usage extensions)" \
3082 -S "Processing of the Certificate handshake message failed"
3083
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3084run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3085 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3086 "$O_CLI -key data_files/server5.key \
3087 -cert data_files/server5.eku-cs.crt" \
3088 1 \
3089 -s "bad certificate (usage extensions)" \
3090 -s "Processing of the Certificate handshake message failed"
3091
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3092# Tests for DHM parameters loading
3093
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3094run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3095 "$P_SRV" \
3096 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3097 debug_level=3" \
3098 0 \
3099 -c "value of 'DHM: P ' (2048 bits)" \
3100 -c "value of 'DHM: G ' (2048 bits)"
3101
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3102run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3103 "$P_SRV dhm_file=data_files/dhparams.pem" \
3104 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3105 debug_level=3" \
3106 0 \
3107 -c "value of 'DHM: P ' (1024 bits)" \
3108 -c "value of 'DHM: G ' (2 bits)"
3109
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]3110# Tests for DHM client-side size checking
3111
3112run_test "DHM size: server default, client default, OK" \
3113 "$P_SRV" \
3114 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3115 debug_level=1" \
3116 0 \
3117 -C "DHM prime too short:"
3118
3119run_test "DHM size: server default, client 2048, OK" \
3120 "$P_SRV" \
3121 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3122 debug_level=1 dhmlen=2048" \
3123 0 \
3124 -C "DHM prime too short:"
3125
3126run_test "DHM size: server 1024, client default, OK" \
3127 "$P_SRV dhm_file=data_files/dhparams.pem" \
3128 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3129 debug_level=1" \
3130 0 \
3131 -C "DHM prime too short:"
3132
3133run_test "DHM size: server 1000, client default, rejected" \
3134 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3135 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3136 debug_level=1" \
3137 1 \
3138 -c "DHM prime too short:"
3139
3140run_test "DHM size: server default, client 2049, rejected" \
3141 "$P_SRV" \
3142 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3143 debug_level=1 dhmlen=2049" \
3144 1 \
3145 -c "DHM prime too short:"
3146
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3147# Tests for PSK callback
3148
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3149run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3150 "$P_SRV psk=abc123 psk_identity=foo" \
3151 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3152 psk_identity=foo psk=abc123" \
3153 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3154 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3155 -S "SSL - Unknown identity received" \
3156 -S "SSL - Verification of the message MAC failed"
3157
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3158run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3159 "$P_SRV" \
3160 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3161 psk_identity=foo psk=abc123" \
3162 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3163 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3164 -S "SSL - Unknown identity received" \
3165 -S "SSL - Verification of the message MAC failed"
3166
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3167run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3168 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3169 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3170 psk_identity=foo psk=abc123" \
3171 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3172 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3173 -s "SSL - Unknown identity received" \
3174 -S "SSL - Verification of the message MAC failed"
3175
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3176run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3177 "$P_SRV psk_list=abc,dead,def,beef" \
3178 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3179 psk_identity=abc psk=dead" \
3180 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3181 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3182 -S "SSL - Unknown identity received" \
3183 -S "SSL - Verification of the message MAC failed"
3184
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3185run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3186 "$P_SRV psk_list=abc,dead,def,beef" \
3187 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3188 psk_identity=def psk=beef" \
3189 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3190 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3191 -S "SSL - Unknown identity received" \
3192 -S "SSL - Verification of the message MAC failed"
3193
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3194run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3195 "$P_SRV psk_list=abc,dead,def,beef" \
3196 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3197 psk_identity=ghi psk=beef" \
3198 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3199 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3200 -s "SSL - Unknown identity received" \
3201 -S "SSL - Verification of the message MAC failed"
3202
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3203run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3204 "$P_SRV psk_list=abc,dead,def,beef" \
3205 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3206 psk_identity=abc psk=beef" \
3207 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3208 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3209 -S "SSL - Unknown identity received" \
3210 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3211
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3212# Tests for EC J-PAKE
3213
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3214requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3215run_test "ECJPAKE: client not configured" \
3216 "$P_SRV debug_level=3" \
3217 "$P_CLI debug_level=3" \
3218 0 \
3219 -C "add ciphersuite: c0ff" \
3220 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3221 -S "found ecjpake kkpp extension" \
3222 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3223 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3224 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3225 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3226 -S "None of the common ciphersuites is usable"
3227
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3228requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3229run_test "ECJPAKE: server not configured" \
3230 "$P_SRV debug_level=3" \
3231 "$P_CLI debug_level=3 ecjpake_pw=bla \
3232 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3233 1 \
3234 -c "add ciphersuite: c0ff" \
3235 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3236 -s "found ecjpake kkpp extension" \
3237 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3238 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3239 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3240 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3241 -s "None of the common ciphersuites is usable"
3242
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3243requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3244run_test "ECJPAKE: working, TLS" \
3245 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3246 "$P_CLI debug_level=3 ecjpake_pw=bla \
3247 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3248 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3249 -c "add ciphersuite: c0ff" \
3250 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3251 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3252 -s "found ecjpake kkpp extension" \
3253 -S "skip ecjpake kkpp extension" \
3254 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3255 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3256 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3257 -S "None of the common ciphersuites is usable" \
3258 -S "SSL - Verification of the message MAC failed"
3259
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3260server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3261requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3262run_test "ECJPAKE: password mismatch, TLS" \
3263 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3264 "$P_CLI debug_level=3 ecjpake_pw=bad \
3265 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3266 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3267 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3268 -s "SSL - Verification of the message MAC failed"
3269
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3270requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3271run_test "ECJPAKE: working, DTLS" \
3272 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3273 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3274 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3275 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3276 -c "re-using cached ecjpake parameters" \
3277 -S "SSL - Verification of the message MAC failed"
3278
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3279requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3280run_test "ECJPAKE: working, DTLS, no cookie" \
3281 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3282 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3283 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3284 0 \
3285 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3286 -S "SSL - Verification of the message MAC failed"
3287
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3288server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3289requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3290run_test "ECJPAKE: password mismatch, DTLS" \
3291 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3292 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3293 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3294 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3295 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3296 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3297
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3298# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3299requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3300run_test "ECJPAKE: working, DTLS, nolog" \
3301 "$P_SRV dtls=1 ecjpake_pw=bla" \
3302 "$P_CLI dtls=1 ecjpake_pw=bla \
3303 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3304 0
3305
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3306# Tests for ciphersuites per version
3307
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3308requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3309run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3310 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3311 "$P_CLI force_version=ssl3" \
3312 0 \
3313 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3314
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3315run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3316 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3317 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3318 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3319 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3320
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3321run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3322 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3323 "$P_CLI force_version=tls1_1" \
3324 0 \
3325 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3326
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3327run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3328 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3329 "$P_CLI force_version=tls1_2" \
3330 0 \
3331 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3332
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3333# Test for ClientHello without extensions
3334
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3335requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3336run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3337 "$P_SRV debug_level=3" \
3338 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3339 0 \
3340 -s "dumping 'client hello extensions' (0 bytes)"
3341
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3342requires_gnutls
3343run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3344 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3345 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3346 0 \
3347 -s "dumping 'client hello extensions' (0 bytes)"
3348
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3349# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3350
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3351run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3352 "$P_SRV" \
3353 "$P_CLI request_size=100" \
3354 0 \
3355 -s "Read from client: 100 bytes read$"
3356
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3357run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3358 "$P_SRV" \
3359 "$P_CLI request_size=500" \
3360 0 \
3361 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3362
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3363# Tests for small packets
3364
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3365requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3366run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3367 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3368 "$P_CLI request_size=1 force_version=ssl3 \
3369 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3370 0 \
3371 -s "Read from client: 1 bytes read"
3372
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3373requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3374run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3375 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3376 "$P_CLI request_size=1 force_version=ssl3 \
3377 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3378 0 \
3379 -s "Read from client: 1 bytes read"
3380
3381run_test "Small packet TLS 1.0 BlockCipher" \
3382 "$P_SRV" \
3383 "$P_CLI request_size=1 force_version=tls1 \
3384 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3385 0 \
3386 -s "Read from client: 1 bytes read"
3387
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3388run_test "Small packet TLS 1.0 BlockCipher without EtM" \
3389 "$P_SRV" \
3390 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3391 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3392 0 \
3393 -s "Read from client: 1 bytes read"
3394
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3395run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
3396 "$P_SRV" \
3397 "$P_CLI request_size=1 force_version=tls1 \
3398 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3399 trunc_hmac=1" \
3400 0 \
3401 -s "Read from client: 1 bytes read"
3402
3403run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3404 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3405 "$P_CLI request_size=1 force_version=tls1 \
3406 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3407 trunc_hmac=1" \
3408 0 \
3409 -s "Read from client: 1 bytes read"
3410
3411run_test "Small packet TLS 1.1 BlockCipher" \
3412 "$P_SRV" \
3413 "$P_CLI request_size=1 force_version=tls1_1 \
3414 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3415 0 \
3416 -s "Read from client: 1 bytes read"
3417
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3418run_test "Small packet TLS 1.1 BlockCipher without EtM" \
3419 "$P_SRV" \
3420 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
3421 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3422 0 \
3423 -s "Read from client: 1 bytes read"
3424
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3425run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3426 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3427 "$P_CLI request_size=1 force_version=tls1_1 \
3428 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3429 0 \
3430 -s "Read from client: 1 bytes read"
3431
3432run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
3433 "$P_SRV" \
3434 "$P_CLI request_size=1 force_version=tls1_1 \
3435 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3436 trunc_hmac=1" \
3437 0 \
3438 -s "Read from client: 1 bytes read"
3439
3440run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3441 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3442 "$P_CLI request_size=1 force_version=tls1_1 \
3443 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3444 trunc_hmac=1" \
3445 0 \
3446 -s "Read from client: 1 bytes read"
3447
3448run_test "Small packet TLS 1.2 BlockCipher" \
3449 "$P_SRV" \
3450 "$P_CLI request_size=1 force_version=tls1_2 \
3451 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3452 0 \
3453 -s "Read from client: 1 bytes read"
3454
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3455run_test "Small packet TLS 1.2 BlockCipher without EtM" \
3456 "$P_SRV" \
3457 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
3458 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3459 0 \
3460 -s "Read from client: 1 bytes read"
3461
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3462run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3463 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3464 "$P_CLI request_size=1 force_version=tls1_2 \
3465 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3466 0 \
3467 -s "Read from client: 1 bytes read"
3468
3469run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
3470 "$P_SRV" \
3471 "$P_CLI request_size=1 force_version=tls1_2 \
3472 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3473 trunc_hmac=1" \
3474 0 \
3475 -s "Read from client: 1 bytes read"
3476
3477run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3478 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3479 "$P_CLI request_size=1 force_version=tls1_2 \
3480 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3481 0 \
3482 -s "Read from client: 1 bytes read"
3483
3484run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3485 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3486 "$P_CLI request_size=1 force_version=tls1_2 \
3487 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3488 trunc_hmac=1" \
3489 0 \
3490 -s "Read from client: 1 bytes read"
3491
3492run_test "Small packet TLS 1.2 AEAD" \
3493 "$P_SRV" \
3494 "$P_CLI request_size=1 force_version=tls1_2 \
3495 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3496 0 \
3497 -s "Read from client: 1 bytes read"
3498
3499run_test "Small packet TLS 1.2 AEAD shorter tag" \
3500 "$P_SRV" \
3501 "$P_CLI request_size=1 force_version=tls1_2 \
3502 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3503 0 \
3504 -s "Read from client: 1 bytes read"
3505
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]3506# A test for extensions in SSLv3
3507
3508requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3509run_test "SSLv3 with extensions, server side" \
3510 "$P_SRV min_version=ssl3 debug_level=3" \
3511 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3512 0 \
3513 -S "dumping 'client hello extensions'" \
3514 -S "server hello, total extension length:"
3515
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3516# Test for large packets
3517
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3518requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3519run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3520 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3521 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3522 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3523 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3524 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3525 -s "Read from client: 16384 bytes read"
3526
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3527requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3528run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3529 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3530 "$P_CLI request_size=16384 force_version=ssl3 \
3531 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3532 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3533 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3534 -s "Read from client: 16384 bytes read"
3535
3536run_test "Large packet TLS 1.0 BlockCipher" \
3537 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3538 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3539 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3540 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3541 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3542 -s "Read from client: 16384 bytes read"
3543
3544run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
3545 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3546 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3547 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3548 trunc_hmac=1" \
3549 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3550 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3551 -s "Read from client: 16384 bytes read"
3552
3553run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3554 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3555 "$P_CLI request_size=16384 force_version=tls1 \
3556 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3557 trunc_hmac=1" \
3558 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3559 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3560 -s "Read from client: 16384 bytes read"
3561
3562run_test "Large packet TLS 1.1 BlockCipher" \
3563 "$P_SRV" \
3564 "$P_CLI request_size=16384 force_version=tls1_1 \
3565 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3566 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3567 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3568 -s "Read from client: 16384 bytes read"
3569
3570run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3571 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3572 "$P_CLI request_size=16384 force_version=tls1_1 \
3573 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3574 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3575 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3576 -s "Read from client: 16384 bytes read"
3577
3578run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
3579 "$P_SRV" \
3580 "$P_CLI request_size=16384 force_version=tls1_1 \
3581 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3582 trunc_hmac=1" \
3583 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3584 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3585 -s "Read from client: 16384 bytes read"
3586
3587run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3588 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3589 "$P_CLI request_size=16384 force_version=tls1_1 \
3590 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3591 trunc_hmac=1" \
3592 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3593 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3594 -s "Read from client: 16384 bytes read"
3595
3596run_test "Large packet TLS 1.2 BlockCipher" \
3597 "$P_SRV" \
3598 "$P_CLI request_size=16384 force_version=tls1_2 \
3599 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3600 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3601 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3602 -s "Read from client: 16384 bytes read"
3603
3604run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3605 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3606 "$P_CLI request_size=16384 force_version=tls1_2 \
3607 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3608 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3609 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3610 -s "Read from client: 16384 bytes read"
3611
3612run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
3613 "$P_SRV" \
3614 "$P_CLI request_size=16384 force_version=tls1_2 \
3615 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3616 trunc_hmac=1" \
3617 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3618 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3619 -s "Read from client: 16384 bytes read"
3620
3621run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3622 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3623 "$P_CLI request_size=16384 force_version=tls1_2 \
3624 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3625 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3626 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3627 -s "Read from client: 16384 bytes read"
3628
3629run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3630 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3631 "$P_CLI request_size=16384 force_version=tls1_2 \
3632 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3633 trunc_hmac=1" \
3634 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3635 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3636 -s "Read from client: 16384 bytes read"
3637
3638run_test "Large packet TLS 1.2 AEAD" \
3639 "$P_SRV" \
3640 "$P_CLI request_size=16384 force_version=tls1_2 \
3641 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3642 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3643 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3644 -s "Read from client: 16384 bytes read"
3645
3646run_test "Large packet TLS 1.2 AEAD shorter tag" \
3647 "$P_SRV" \
3648 "$P_CLI request_size=16384 force_version=tls1_2 \
3649 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3650 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]3651 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3652 -s "Read from client: 16384 bytes read"
3653
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3654# Tests for DTLS HelloVerifyRequest
3655
3656run_test "DTLS cookie: enabled" \
3657 "$P_SRV dtls=1 debug_level=2" \
3658 "$P_CLI dtls=1 debug_level=2" \
3659 0 \
3660 -s "cookie verification failed" \
3661 -s "cookie verification passed" \
3662 -S "cookie verification skipped" \
3663 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3664 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3665 -S "SSL - The requested feature is not available"
3666
3667run_test "DTLS cookie: disabled" \
3668 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3669 "$P_CLI dtls=1 debug_level=2" \
3670 0 \
3671 -S "cookie verification failed" \
3672 -S "cookie verification passed" \
3673 -s "cookie verification skipped" \
3674 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3675 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3676 -S "SSL - The requested feature is not available"
3677
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3678run_test "DTLS cookie: default (failing)" \
3679 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3680 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3681 1 \
3682 -s "cookie verification failed" \
3683 -S "cookie verification passed" \
3684 -S "cookie verification skipped" \
3685 -C "received hello verify request" \
3686 -S "hello verification requested" \
3687 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3688
3689requires_ipv6
3690run_test "DTLS cookie: enabled, IPv6" \
3691 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3692 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3693 0 \
3694 -s "cookie verification failed" \
3695 -s "cookie verification passed" \
3696 -S "cookie verification skipped" \
3697 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3698 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3699 -S "SSL - The requested feature is not available"
3700
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3701run_test "DTLS cookie: enabled, nbio" \
3702 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3703 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3704 0 \
3705 -s "cookie verification failed" \
3706 -s "cookie verification passed" \
3707 -S "cookie verification skipped" \
3708 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3709 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3710 -S "SSL - The requested feature is not available"
3711
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3712# Tests for client reconnecting from the same port with DTLS
3713
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3714not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3715run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3716 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3717 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3718 0 \
3719 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3720 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3721 -S "Client initiated reconnection from same port"
3722
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3723not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3724run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3725 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3726 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3727 0 \
3728 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3729 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3730 -s "Client initiated reconnection from same port"
3731
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3732not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3733run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3734 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3735 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3736 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3737 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3738 -s "Client initiated reconnection from same port"
3739
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3740only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3741run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3742 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3743 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3744 0 \
3745 -S "The operation timed out" \
3746 -s "Client initiated reconnection from same port"
3747
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3748run_test "DTLS client reconnect from same port: no cookies" \
3749 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]3750 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3751 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3752 -s "The operation timed out" \
3753 -S "Client initiated reconnection from same port"
3754
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3755# Tests for various cases of client authentication with DTLS
3756# (focused on handshake flows and message parsing)
3757
3758run_test "DTLS client auth: required" \
3759 "$P_SRV dtls=1 auth_mode=required" \
3760 "$P_CLI dtls=1" \
3761 0 \
3762 -s "Verifying peer X.509 certificate... ok"
3763
3764run_test "DTLS client auth: optional, client has no cert" \
3765 "$P_SRV dtls=1 auth_mode=optional" \
3766 "$P_CLI dtls=1 crt_file=none key_file=none" \
3767 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3768 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3769
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3770run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3771 "$P_SRV dtls=1 auth_mode=none" \
3772 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
3773 0 \
3774 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3775 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3776
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]3777run_test "DTLS wrong PSK: badmac alert" \
3778 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3779 "$P_CLI dtls=1 psk=abc124" \
3780 1 \
3781 -s "SSL - Verification of the message MAC failed" \
3782 -c "SSL - A fatal alert message was received from our peer"
3783
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3784# Tests for receiving fragmented handshake messages with DTLS
3785
3786requires_gnutls
3787run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3788 "$G_SRV -u --mtu 2048 -a" \
3789 "$P_CLI dtls=1 debug_level=2" \
3790 0 \
3791 -C "found fragmented DTLS handshake message" \
3792 -C "error"
3793
3794requires_gnutls
3795run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3796 "$G_SRV -u --mtu 512" \
3797 "$P_CLI dtls=1 debug_level=2" \
3798 0 \
3799 -c "found fragmented DTLS handshake message" \
3800 -C "error"
3801
3802requires_gnutls
3803run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3804 "$G_SRV -u --mtu 128" \
3805 "$P_CLI dtls=1 debug_level=2" \
3806 0 \
3807 -c "found fragmented DTLS handshake message" \
3808 -C "error"
3809
3810requires_gnutls
3811run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3812 "$G_SRV -u --mtu 128" \
3813 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3814 0 \
3815 -c "found fragmented DTLS handshake message" \
3816 -C "error"
3817
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3818requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3819requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3820run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3821 "$G_SRV -u --mtu 256" \
3822 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3823 0 \
3824 -c "found fragmented DTLS handshake message" \
3825 -c "client hello, adding renegotiation extension" \
3826 -c "found renegotiation extension" \
3827 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3828 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3829 -C "error" \
3830 -s "Extra-header:"
3831
3832requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3833requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3834run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3835 "$G_SRV -u --mtu 256" \
3836 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3837 0 \
3838 -c "found fragmented DTLS handshake message" \
3839 -c "client hello, adding renegotiation extension" \
3840 -c "found renegotiation extension" \
3841 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3842 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3843 -C "error" \
3844 -s "Extra-header:"
3845
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3846run_test "DTLS reassembly: no fragmentation (openssl server)" \
3847 "$O_SRV -dtls1 -mtu 2048" \
3848 "$P_CLI dtls=1 debug_level=2" \
3849 0 \
3850 -C "found fragmented DTLS handshake message" \
3851 -C "error"
3852
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3853run_test "DTLS reassembly: some fragmentation (openssl server)" \
3854 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3855 "$P_CLI dtls=1 debug_level=2" \
3856 0 \
3857 -c "found fragmented DTLS handshake message" \
3858 -C "error"
3859
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3860run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3861 "$O_SRV -dtls1 -mtu 256" \
3862 "$P_CLI dtls=1 debug_level=2" \
3863 0 \
3864 -c "found fragmented DTLS handshake message" \
3865 -C "error"
3866
3867run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3868 "$O_SRV -dtls1 -mtu 256" \
3869 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3870 0 \
3871 -c "found fragmented DTLS handshake message" \
3872 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3873
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3874# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3875
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3876not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3877run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3878 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3879 "$P_SRV dtls=1 debug_level=2" \
3880 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3881 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3882 -C "replayed record" \
3883 -S "replayed record" \
3884 -C "record from another epoch" \
3885 -S "record from another epoch" \
3886 -C "discarding invalid record" \
3887 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3888 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3889 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3890 -c "HTTP/1.0 200 OK"
3891
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3892not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3893run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3894 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3895 "$P_SRV dtls=1 debug_level=2" \
3896 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3897 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3898 -c "replayed record" \
3899 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3900 -c "discarding invalid record" \
3901 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3902 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3903 -s "Extra-header:" \
3904 -c "HTTP/1.0 200 OK"
3905
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3906run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3907 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3908 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3909 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3910 0 \
3911 -c "replayed record" \
3912 -S "replayed record" \
3913 -c "discarding invalid record" \
3914 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3915 -c "resend" \
3916 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3917 -s "Extra-header:" \
3918 -c "HTTP/1.0 200 OK"
3919
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3920run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3921 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3922 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3923 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3924 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3925 -c "discarding invalid record (mac)" \
3926 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3927 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3928 -c "HTTP/1.0 200 OK" \
3929 -S "too many records with bad MAC" \
3930 -S "Verification of the message MAC failed"
3931
3932run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3933 -p "$P_PXY bad_ad=1" \
3934 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3935 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3936 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3937 -C "discarding invalid record (mac)" \
3938 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3939 -S "Extra-header:" \
3940 -C "HTTP/1.0 200 OK" \
3941 -s "too many records with bad MAC" \
3942 -s "Verification of the message MAC failed"
3943
3944run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3945 -p "$P_PXY bad_ad=1" \
3946 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3947 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3948 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3949 -c "discarding invalid record (mac)" \
3950 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3951 -s "Extra-header:" \
3952 -c "HTTP/1.0 200 OK" \
3953 -S "too many records with bad MAC" \
3954 -S "Verification of the message MAC failed"
3955
3956run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3957 -p "$P_PXY bad_ad=1" \
3958 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3959 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3960 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3961 -c "discarding invalid record (mac)" \
3962 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3963 -s "Extra-header:" \
3964 -c "HTTP/1.0 200 OK" \
3965 -s "too many records with bad MAC" \
3966 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3967
3968run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3969 -p "$P_PXY delay_ccs=1" \
3970 "$P_SRV dtls=1 debug_level=1" \
3971 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3972 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3973 -c "record from another epoch" \
3974 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3975 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3976 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3977 -s "Extra-header:" \
3978 -c "HTTP/1.0 200 OK"
3979
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3980# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3981
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3982client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3983run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3984 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3985 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3986 psk=abc123" \
3987 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3988 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3989 0 \
3990 -s "Extra-header:" \
3991 -c "HTTP/1.0 200 OK"
3992
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3993client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3994run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3995 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3996 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3997 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3998 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3999 0 \
4000 -s "Extra-header:" \
4001 -c "HTTP/1.0 200 OK"
4002
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4003client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4004run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
4005 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4006 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
4007 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4008 0 \
4009 -s "Extra-header:" \
4010 -c "HTTP/1.0 200 OK"
4011
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4012client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4013run_test "DTLS proxy: 3d, FS, client auth" \
4014 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4015 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
4016 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4017 0 \
4018 -s "Extra-header:" \
4019 -c "HTTP/1.0 200 OK"
4020
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4021client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4022run_test "DTLS proxy: 3d, FS, ticket" \
4023 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4024 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
4025 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4026 0 \
4027 -s "Extra-header:" \
4028 -c "HTTP/1.0 200 OK"
4029
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4030client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4031run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
4032 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4033 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
4034 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4035 0 \
4036 -s "Extra-header:" \
4037 -c "HTTP/1.0 200 OK"
4038
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4039client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4040run_test "DTLS proxy: 3d, max handshake, nbio" \
4041 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4042 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
4043 auth_mode=required" \
4044 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4045 0 \
4046 -s "Extra-header:" \
4047 -c "HTTP/1.0 200 OK"
4048
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4049client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]4050run_test "DTLS proxy: 3d, min handshake, resumption" \
4051 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4052 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4053 psk=abc123 debug_level=3" \
4054 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4055 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4056 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4057 0 \
4058 -s "a session has been resumed" \
4059 -c "a session has been resumed" \
4060 -s "Extra-header:" \
4061 -c "HTTP/1.0 200 OK"
4062
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4063client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]4064run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
4065 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4066 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4067 psk=abc123 debug_level=3 nbio=2" \
4068 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4069 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4070 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
4071 0 \
4072 -s "a session has been resumed" \
4073 -c "a session has been resumed" \
4074 -s "Extra-header:" \
4075 -c "HTTP/1.0 200 OK"
4076
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4077client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4078requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4079run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4080 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4081 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4082 psk=abc123 renegotiation=1 debug_level=2" \
4083 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4084 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4085 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4086 0 \
4087 -c "=> renegotiate" \
4088 -s "=> renegotiate" \
4089 -s "Extra-header:" \
4090 -c "HTTP/1.0 200 OK"
4091
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4092client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4093requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4094run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
4095 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4096 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4097 psk=abc123 renegotiation=1 debug_level=2" \
4098 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4099 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4100 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4101 0 \
4102 -c "=> renegotiate" \
4103 -s "=> renegotiate" \
4104 -s "Extra-header:" \
4105 -c "HTTP/1.0 200 OK"
4106
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4107client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4108requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4109run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4110 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4111 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4112 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4113 debug_level=2" \
4114 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4115 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4116 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4117 0 \
4118 -c "=> renegotiate" \
4119 -s "=> renegotiate" \
4120 -s "Extra-header:" \
4121 -c "HTTP/1.0 200 OK"
4122
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4123client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4124requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4125run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4126 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4127 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4128 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4129 debug_level=2 nbio=2" \
4130 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4131 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4132 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4133 0 \
4134 -c "=> renegotiate" \
4135 -s "=> renegotiate" \
4136 -s "Extra-header:" \
4137 -c "HTTP/1.0 200 OK"
4138
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4139client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4140not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4141run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4142 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4143 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4144 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4145 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4146 -c "HTTP/1.0 200 OK"
4147
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4148client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4149not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4150run_test "DTLS proxy: 3d, openssl server, fragmentation" \
4151 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4152 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4153 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4154 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4155 -c "HTTP/1.0 200 OK"
4156
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4157client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4158not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4159run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
4160 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4161 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4162 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4163 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4164 -c "HTTP/1.0 200 OK"
4165
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4166requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4167client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4168not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4169run_test "DTLS proxy: 3d, gnutls server" \
4170 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4171 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4172 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4173 0 \
4174 -s "Extra-header:" \
4175 -c "Extra-header:"
4176
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4177requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4178client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4179not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4180run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
4181 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4182 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4183 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4184 0 \
4185 -s "Extra-header:" \
4186 -c "Extra-header:"
4187
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4188requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4189client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4190not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4191run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
4192 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4193 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4194 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4195 0 \
4196 -s "Extra-header:" \
4197 -c "Extra-header:"
4198
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4199# Final report
4200
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4201echo "------------------------------------------------------------------------"
4202
4203if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4204 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4205else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4206 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4207fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]4208PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]4209echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4210
4211exit $FAILS