#!/bin/sh

# ssl-opt.sh
#
# Copyright (c) 2016, ARM Limited, All Rights Reserved
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
#
# This file is provided under the Apache License 2.0, or the
# GNU General Public License v2.0 or later.
#
# **********
# Apache License 2.0:
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# **********
#
# **********
# GNU General Public License v2.0 or later:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# **********
#
# This file is part of Mbed TLS (https://tls.mbed.org)
#
# Purpose
#
# Executes tests to prove various TLS/SSL options and extensions.
#
# The goal is not to cover every ciphersuite/version, but instead to cover
# specific options (max fragment length, truncated hmac, etc) or procedures
# (session resumption from cache or ticket, renego, etc).
#
# The tests assume a build with default options, with exceptions expressed
# with a dependency. The tests focus on functionality and do not consider
# performance.
#

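# Treat any expansion of an unset variable as an error, so a misspelt
# variable name cannot silently expand to an empty string.
set -u

# Limit the size of each log to 10 GiB, in case of failures with this script
# where it may output seemingly unlimited length error logs.
# (ulimit -f counts blocks: 20971520 blocks of 512 bytes is 10 GiB; a shell
# that counts 1024-byte blocks allows twice that.)
ulimit -f 20971520

# Default values, can be overridden by the environment.
# NOTE(review): these values end up inside command lines that this script
# executes (client commands go through `eval`), so the environment the
# script is started from has to be trusted.
# The expansions are quoted so that an overridden value containing
# whitespace or glob characters is not split or expanded by the no-op ':'.
: "${P_SRV:=../programs/ssl/ssl_server2}"
: "${P_CLI:=../programs/ssl/ssl_client2}"
: "${P_PXY:=../programs/test/udp_proxy}"
: "${OPENSSL_CMD:=openssl}" # OPENSSL would conflict with the build system
: "${GNUTLS_CLI:=gnutls-cli}"
: "${GNUTLS_SERV:=gnutls-serv}"
: "${PERL:=perl}"

# Command lines for the third-party peers. The client variants are shell
# pipelines stored as text, which is why they have to be run with `eval`.
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12u.crt"
TCP_CLIENT="$PERL scripts/tcp_client.pl"

# Counters for the final report.
TESTS=0
FAILS=0
SKIPS=0

CONFIG_H='../include/mbedtls/config.h'

# Command-line settings and their defaults (see get_options).
MEMCHECK=0
FILTER='.*'
EXCLUDE='^$'

SHOW_TEST_NUMBER=0
RUN_TEST_NUMBER=''

PRESERVE_LOGS=0

# Pick a "unique" server port in the range 10000-19999, and a proxy
# port which is this plus 10000. Each port number may be independently
# overridden by a command line option.
# NOTE(review): the port is derived from the PID and nothing here checks
# that it is free; on a shared host another process may already be
# listening on it.
SRV_PORT=$(($$ % 10000 + 10000))
PXY_PORT=$((SRV_PORT + 10000))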
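# print_usage
#
# Print the command-line help on stdout.
# Globals: FILTER, EXCLUDE (read; shown as the current defaults).
print_usage() {
    echo "Usage: $0 [options]"
    printf " -h|--help\tPrint this help.\n"
    printf " -m|--memcheck\tCheck memory leaks and errors.\n"
    # FILTER and EXCLUDE are passed as printf arguments rather than spliced
    # into the format string: a '%' or a backslash in a user-supplied regex
    # would otherwise be interpreted by printf.
    printf " -f|--filter\tOnly matching tests are executed (BRE; default: '%s')\n" "$FILTER"
    printf " -e|--exclude\tMatching tests are excluded (BRE; default: '%s')\n" "$EXCLUDE"
    printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
    printf " -s|--show-numbers\tShow test numbers in front of test names\n"
    printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
    printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
    printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
    printf " --seed\tInteger seed value to use for this test run\n"
}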
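# get_options [option ...]
#
# Parse the command line and store the result in the globals FILTER,
# EXCLUDE, MEMCHECK, RUN_TEST_NUMBER, SHOW_TEST_NUMBER, PRESERVE_LOGS,
# SRV_PORT, PXY_PORT and SEED.
# Prints the usage and exits with status 0 for -h|--help; exits with
# status 1 on an unknown option, a missing option value or a port that is
# not a decimal number.
get_options() {
    while [ $# -gt 0 ]; do
        # Options that consume a value: stop with a clear message when the
        # value is missing, instead of reading an unset "$1" after the shift.
        case "$1" in
            -f|--filter|-e|--exclude|-n|--number|--port|--proxy-port|--seed)
                if [ $# -lt 2 ]; then
                    echo "Option '$1' requires an argument" >&2
                    print_usage
                    exit 1
                fi
                ;;
        esac

        case "$1" in
            -f|--filter)
                shift; FILTER=$1
                ;;
            -e|--exclude)
                shift; EXCLUDE=$1
                ;;
            -m|--memcheck)
                MEMCHECK=1
                ;;
            -n|--number)
                shift; RUN_TEST_NUMBER=$1
                ;;
            -s|--show-numbers)
                SHOW_TEST_NUMBER=1
                ;;
            -p|--preserve-logs)
                PRESERVE_LOGS=1
                ;;
            --port)
                shift; SRV_PORT=$1
                # The port is later substituted into command lines, so only
                # plain decimal digits are accepted.
                case "$SRV_PORT" in
                    ''|*[!0-9]*)
                        echo "Invalid port: '$SRV_PORT'" >&2
                        exit 1
                        ;;
                esac
                ;;
            --proxy-port)
                shift; PXY_PORT=$1
                case "$PXY_PORT" in
                    ''|*[!0-9]*)
                        echo "Invalid proxy port: '$PXY_PORT'" >&2
                        exit 1
                        ;;
                esac
                ;;
            --seed)
                shift; SEED="$1"
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done
}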
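# requires_config_enabled <macro>
#
# Skip the next test (SKIP_NEXT="YES") unless $CONFIG_H has a line that
# starts with "#define <macro>".
# The macro name has to end at whitespace or at the end of the line, so a
# longer macro that merely starts with the requested name does not count
# as "enabled" and let a test run against a feature that is compiled out.
requires_config_enabled() {
    grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null ||
        SKIP_NEXT="YES"
}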
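# requires_config_disabled <macro>
#
# Skip the next test (SKIP_NEXT="YES") if $CONFIG_H has a line that starts
# with "#define <macro>".
# The macro name has to end at whitespace or at the end of the line, so a
# longer macro that merely starts with the requested name does not cause
# the test to be skipped.
requires_config_disabled() {
    if grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null; then
        SKIP_NEXT="YES"
    fi
}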
# requires_openssl_with_fallback_scsv
#
# Skip the next test (SKIP_NEXT="YES") when the help text of
# "$OPENSSL_CMD s_client" does not mention fallback_scsv.
# The probe runs once; its answer is kept in OPENSSL_HAS_FBSCSV.
requires_openssl_with_fallback_scsv() {
    if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
        OPENSSL_HAS_FBSCSV="NO"
        if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
        then
            OPENSSL_HAS_FBSCSV="YES"
        fi
    fi

    case "$OPENSSL_HAS_FBSCSV" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
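# requires_gnutls
#
# Skip the next test (SKIP_NEXT="YES") unless both $GNUTLS_CLI and
# $GNUTLS_SERV can be found. The lookup runs once; its answer is kept in
# GNUTLS_AVAILABLE.
requires_gnutls() {
    if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
        # `command -v` is the POSIX way to look a command up; `which` is
        # not guaranteed to be installed.
        if command -v "$GNUTLS_CLI" >/dev/null 2>&1 &&
           command -v "$GNUTLS_SERV" >/dev/null 2>&1
        then
            GNUTLS_AVAILABLE="YES"
        else
            GNUTLS_AVAILABLE="NO"
        fi
    fi
    if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
        SKIP_NEXT="YES"
    fi
}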
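# requires_ipv6
#
# Skip the next test (SKIP_NEXT="YES") if IPv6 isn't available on this host.
# The probe starts $P_SRV on '::1' for one second and looks for a bind
# failure in its output; the answer is kept in HAS_IPV6.
# Globals: P_SRV, SRV_OUT (read); SRV_PID, HAS_IPV6, SKIP_NEXT (written).
requires_ipv6() {
    if [ -z "${HAS_IPV6:-}" ]; then
        # $P_SRV stays unquoted so that any arguments carried in the
        # variable are split into words (presumably intended; confirm).
        $P_SRV server_addr='::1' > "$SRV_OUT" 2>&1 &
        SRV_PID=$!
        sleep 1
        kill "$SRV_PID" >/dev/null 2>&1
        if grep "NET - Binding of the socket failed" "$SRV_OUT" >/dev/null; then
            HAS_IPV6="NO"
        else
            HAS_IPV6="YES"
        fi
        # The log is a plain file: no recursive removal is needed.
        rm -f -- "$SRV_OUT"
    fi

    if [ "$HAS_IPV6" = "NO" ]; then
        SKIP_NEXT="YES"
    fi
}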
# not_with_valgrind
#
# Skip the next test (SKIP_NEXT="YES") when memory checking is enabled,
# i.e. when MEMCHECK is greater than 0.
not_with_valgrind() {
    [ "$MEMCHECK" -gt 0 ] || return 0
    SKIP_NEXT="YES"
}
# only_with_valgrind
#
# Skip the next test (SKIP_NEXT="YES") when memory checking is NOT enabled,
# i.e. when MEMCHECK equals 0.
only_with_valgrind() {
    [ "$MEMCHECK" -eq 0 ] || return 0
    SKIP_NEXT="YES"
}
# client_needs_more_time <factor>
#
# Store <factor> in CLI_DELAY_FACTOR: the client timeout of the next test
# is multiplied by it.
client_needs_more_time() {
    CLI_DELAY_FACTOR="$1"
}
# server_needs_more_time <seconds>
#
# Store <seconds> in SRV_DELAY_SECONDS: the next test waits that long
# after the client has finished.
server_needs_more_time() {
    SRV_DELAY_SECONDS="$1"
}
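# print_name <name>
#
# Count the test (TESTS is incremented) and print its name, optionally
# preceded by its number, followed by a row of dots that pads the line.
# Globals: SHOW_TEST_NUMBER (read); TESTS, LINE, LEN, i (written).
print_name() {
    TESTS=$(( TESTS + 1 ))
    LINE=""

    if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
        LINE="$TESTS "
    fi

    LINE="$LINE$1"
    # The name is data, not a format string: a '%' or a backslash in a test
    # name must be printed as is.
    printf '%s ' "$LINE"
    # wc -c also counts the trailing newline, as the padding always has.
    LEN=$(( 72 - $(printf '%s\n' "$LINE" | wc -c) ))
    # Plain counting loop: no dependency on seq, and nothing is printed
    # when the name is too long to leave room for padding.
    i=0
    while [ "$i" -lt "$LEN" ]; do
        printf '.'
        i=$(( i + 1 ))
    done
    printf ' '
}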
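# fail <message>
#
# Report the current test as failed: print FAIL and the message, keep the
# server, client and (if a proxy was used) proxy logs as o-XXX-<n>.log in
# the current directory, and increment FAILS. When LOG_FAILURE_ON_STDOUT is
# set to something other than 0, the saved logs are also copied to stdout.
# Globals: SRV_OUT, CLI_OUT, PXY_OUT, PXY_CMD, TESTS (read); FAILS (written).
fail() {
    echo "FAIL"
    echo " ! $1"

    # Log paths are quoted so that a path containing whitespace or glob
    # characters is moved as one file.
    mv "$SRV_OUT" "o-srv-${TESTS}.log"
    mv "$CLI_OUT" "o-cli-${TESTS}.log"
    if [ -n "$PXY_CMD" ]; then
        mv "$PXY_OUT" "o-pxy-${TESTS}.log"
    fi
    echo " ! outputs saved to o-XXX-${TESTS}.log"

    if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
        echo " ! server output:"
        cat "o-srv-${TESTS}.log"
        echo " ! ========================================================"
        echo " ! client output:"
        cat "o-cli-${TESTS}.log"
        if [ -n "$PXY_CMD" ]; then
            echo " ! ========================================================"
            echo " ! proxy output:"
            cat "o-pxy-${TESTS}.log"
        fi
        echo ""
    fi

    FAILS=$(( FAILS + 1 ))
}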
# is_polar <cmd_line>
#
# Succeed (status 0) when the command line mentions ssl_server2 or
# ssl_client2, fail (status 1) otherwise.
is_polar() {
    case "$1" in
        *ssl_server2*|*ssl_client2*) return 0 ;;
        *) return 1 ;;
    esac
}
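# check_osrv_dtls
#
# openssl s_server doesn't have -www with DTLS: when SRV_CMD is such a
# command, drop the first "-www" from it and set NEEDS_INPUT=1 so that the
# server is fed input instead; otherwise set NEEDS_INPUT=0.
# Globals: SRV_CMD (read, possibly rewritten); NEEDS_INPUT (written).
check_osrv_dtls() {
    if printf '%s\n' "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
        NEEDS_INPUT=1
        # The command line is passed through quoted: left unquoted, the
        # shell would expand any glob character in it against the current
        # directory before sed sees it.
        SRV_CMD="$( printf '%s\n' "$SRV_CMD" | sed 's/-www//' )"
    else
        NEEDS_INPUT=0
    fi
}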
# provide_input
#
# Provide input to commands that need it: when NEEDS_INPUT is 0, return at
# once without output; otherwise write an HTTP status line to stdout every
# second, forever (the reader is expected to be killed by the caller).
provide_input() {
    if [ "$NEEDS_INPUT" -eq 0 ]; then
        return
    fi

    while :; do
        echo "HTTP/1.0 200 OK"
        sleep 1
    done
}
# has_mem_err <log_file_name>
#
# Succeed (status 0, "has errors") unless the log contains both of
# valgrind's clean-run lines: all heap blocks freed, and an error summary
# of 0 errors from 0 contexts.
has_mem_err() {
    if grep -F 'All heap blocks were freed -- no leaks are possible' "$1" >/dev/null &&
       grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" >/dev/null
    then
        return 1 # false: does not have errors
    fi
    return 0 # true: has errors
}
# wait_app_start <port> <pid> <name> <log_file>
#
# Wait for process <pid>, called <name>, to be listening on <port>.
# With lsof: poll until lsof reports the process on the port; once more
# than DOG_DELAY seconds have passed, print "<name> START TIMEOUT" to
# stdout, append it to <log_file> and stop waiting.
# Without lsof: sleep for START_DELAY seconds and hope for the best.
# Globals: DTLS, DOG_DELAY, START_DELAY (read); START_TIME, proto (written).
if type lsof >/dev/null 2>/dev/null; then
    wait_app_start() {
        START_TIME=$(date +%s)
        if [ "$DTLS" -eq 1 ]; then
            proto=UDP
        else
            proto=TCP
        fi
        # Make a tight loop, server normally takes less than 1s to start.
        until lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
            if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
                echo "$3 START TIMEOUT"
                echo "$3 START TIMEOUT" >> "$4"
                break
            fi
            # Linux and *BSD support decimal arguments to sleep. On other
            # OSes this may be a tight loop.
            sleep 0.1 2>/dev/null || true
        done
    }
else
    echo "Warning: lsof not available, wait_app_start = sleep"
    wait_app_start() {
        sleep "$START_DELAY"
    }
fi
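# wait_server_start <port> <pid>
#
# Wait for server process <pid> to be listening on <port>; a timeout is
# reported in $SRV_OUT.
# Arguments are quoted so that each is handed over as exactly one word.
wait_server_start() {
    wait_app_start "$1" "$2" "SERVER" "$SRV_OUT"
}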
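# wait_proxy_start <port> <pid>
#
# Wait for proxy process <pid> to be listening on <port>; a timeout is
# reported in $PXY_OUT.
# Arguments are quoted so that each is handed over as exactly one word.
wait_proxy_start() {
    wait_app_start "$1" "$2" "PROXY" "$PXY_OUT"
}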
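# check_server_hello_time <log_file>
#
# Given the client or server debug output, parse the unix timestamp that is
# included in the first 4 bytes of the random bytes and check that it's
# within acceptable bounds (300 seconds either side of the current time).
#
# Returns 0 when every logged timestamp is a decimal number within bounds;
# returns 1 when none was logged, or when any of them is not a number or is
# out of bounds. The check fails closed: a value that cannot be compared
# must not end up being reported as a pass.
# Globals written: SERVER_HELLO_TIME, CUR_TIME, THRESHOLD_IN_SECS.
check_server_hello_time() {
    # Extract the time from the debug (lvl 3) output of the client
    SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
    # Get the Unix timestamp for now
    CUR_TIME=$(date +'%s')
    THRESHOLD_IN_SECS=300

    # Check if the ServerHello time was printed
    if [ -z "$SERVER_HELLO_TIME" ]; then
        return 1
    fi

    # The log holds one line per ServerHello (there can be several); check
    # them one at a time. The loop runs in a subshell because of the pipe,
    # hence `exit` inside it and `|| return` outside.
    printf '%s\n' "$SERVER_HELLO_TIME" | while IFS= read -r hello_time; do
        case "$hello_time" in
            ''|*[!0-9]*)
                # Not a plain decimal number
                exit 1
                ;;
        esac
        if [ "$hello_time" -lt $(( CUR_TIME - THRESHOLD_IN_SECS )) ]; then
            # The time in ServerHello is at least 5 minutes before now
            exit 1
        elif [ "$hello_time" -gt $(( CUR_TIME + THRESHOLD_IN_SECS )) ]; then
            # The time in ServerHello is at least 5 minutes later than now
            exit 1
        fi
    done || return 1

    return 0
}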
# wait_client_done
#
# Wait for the client to terminate and set CLI_EXIT to its exit status.
# Must be called right after starting the client in the background: the
# client's PID is taken from $!.
# A watchdog kills the client after DOG_DELAY * CLI_DELAY_FACTOR seconds
# and marks the client log with ===CLIENT_TIMEOUT===. Afterwards the
# function sleeps for SRV_DELAY_SECONDS; both per-test delay settings are
# reset (factor to 1, seconds to 0).
# Globals written: CLI_PID, CLI_DELAY, CLI_DELAY_FACTOR, DOG_PID, CLI_EXIT,
# SRV_DELAY_SECONDS.
wait_client_done() {
    CLI_PID=$!

    CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
    CLI_DELAY_FACTOR=1

    # Watchdog: runs beside the client and is killed below once the client
    # has finished on its own.
    (
        sleep "$CLI_DELAY"
        echo "===CLIENT_TIMEOUT===" >> "$CLI_OUT"
        kill "$CLI_PID"
    ) &
    DOG_PID=$!

    wait "$CLI_PID"
    CLI_EXIT=$?

    kill "$DOG_PID" >/dev/null 2>&1
    wait "$DOG_PID"

    echo "EXIT: $CLI_EXIT" >> "$CLI_OUT"

    sleep "$SRV_DELAY_SECONDS"
    SRV_DELAY_SECONDS=0
}
# detect_dtls <cmd_line>
#
# Set the global DTLS to 1 when the command line contains "dtls=1",
# "-dtls1" or "-u" anywhere, and to 0 otherwise.
detect_dtls() {
    case "$1" in
        *dtls=1*|*-dtls1*|*-u*) DTLS=1 ;;
        *) DTLS=0 ;;
    esac
}
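# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options: -s pattern  pattern that must be present in server output
#          -c pattern  pattern that must be present in client output
#          -u pattern  lines after pattern must be unique in client output
#          -f name     call shell function <name> on client output
#          -S pattern  pattern that must be absent in server output
#          -C pattern  pattern that must be absent in client output
#          -U pattern  lines after pattern must be unique in server output
#          -F name     call shell function <name> on server output
#
# Runs one test: starts the proxy (if any), the server and the client,
# waits for the client, stops the others, then checks the client exit code
# and the assertions above against the logs. Prints PASS, SKIP or (through
# fail) FAIL. A run whose client timed out is retried once.
#
# cli_exit is compared only as "zero" versus "non-zero".
#
# NOTE(review): srv_cmd and proxy_cmd are word-split and executed, cli_cmd
# is passed to `eval`, and the -f/-F argument is invoked as a command. All
# of them must come from trusted test definitions; nothing read from a
# peer or from a log may ever be routed into them.
run_test() {
    NAME="$1"
    shift 1

    # Not selected by --filter/--exclude: the test is neither counted nor
    # printed, and a pending skip request is dropped.
    if printf '%s\n' "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
    else
        SKIP_NEXT="NO"
        return
    fi

    print_name "$NAME"

    # Do we only run numbered tests?
    if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
    elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
    else
        SKIP_NEXT="YES"
    fi

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPS=$(( SKIPS + 1 ))
        return
    fi

    # does this test use a proxy?
    if [ "X$1" = "X-p" ]; then
        PXY_CMD="$2"
        shift 2
    else
        PXY_CMD=""
    fi

    # get commands and client output
    SRV_CMD="$1"
    CLI_CMD="$2"
    CLI_EXPECT="$3"
    shift 3

    # fix client port: with a proxy the client talks to the proxy port
    if [ -n "$PXY_CMD" ]; then
        CLI_CMD=$( printf '%s\n' "$CLI_CMD" | sed "s/+SRV_PORT/$PXY_PORT/g" )
    else
        CLI_CMD=$( printf '%s\n' "$CLI_CMD" | sed "s/+SRV_PORT/$SRV_PORT/g" )
    fi

    # update DTLS variable
    detect_dtls "$SRV_CMD"

    # if the test uses DTLS but no custom proxy, add a simple proxy
    # as it provides timing info that's useful to debug failures
    if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then
        PXY_CMD="$P_PXY"
    fi

    # prepend valgrind to our commands if active
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD"; then
            SRV_CMD="valgrind --leak-check=full $SRV_CMD"
        fi
        if is_polar "$CLI_CMD"; then
            CLI_CMD="valgrind --leak-check=full $CLI_CMD"
        fi
    fi

    TIMES_LEFT=2
    while [ $TIMES_LEFT -gt 0 ]; do
        TIMES_LEFT=$(( TIMES_LEFT - 1 ))

        # run the commands
        # Each log starts with the test name and the command line. Both are
        # passed as printf arguments: a '%' or a backslash in them must not
        # be interpreted as a format directive.
        if [ -n "$PXY_CMD" ]; then
            printf '# %s\n%s\n' "$NAME" "$PXY_CMD" > "$PXY_OUT"
            $PXY_CMD >> "$PXY_OUT" 2>&1 &
            PXY_PID=$!
            wait_proxy_start "$PXY_PORT" "$PXY_PID"
        fi

        check_osrv_dtls
        printf '# %s\n%s\n' "$NAME" "$SRV_CMD" > "$SRV_OUT"
        provide_input | $SRV_CMD >> "$SRV_OUT" 2>&1 &
        SRV_PID=$!
        wait_server_start "$SRV_PORT" "$SRV_PID"

        printf '# %s\n%s\n' "$NAME" "$CLI_CMD" > "$CLI_OUT"
        # eval: client commands may be whole pipelines stored as text.
        eval "$CLI_CMD" >> "$CLI_OUT" 2>&1 &
        wait_client_done

        # terminate the server (and the proxy)
        kill $SRV_PID
        wait $SRV_PID
        if [ -n "$PXY_CMD" ]; then
            kill $PXY_PID >/dev/null 2>&1
            wait $PXY_PID
        fi

        # retry only on timeouts
        if grep '===CLIENT_TIMEOUT===' "$CLI_OUT" >/dev/null; then
            printf "RETRY "
        else
            TIMES_LEFT=0
        fi
    done

    # check if the client and server went at least to the handshake stage
    # (useful to avoid tests with only negative assertions and non-zero
    # expected client exit to incorrectly succeed in case of catastrophic
    # failure)
    if is_polar "$SRV_CMD"; then
        if grep "Performing the SSL/TLS handshake" "$SRV_OUT" >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi
    if is_polar "$CLI_CMD"; then
        if grep "Performing the SSL/TLS handshake" "$CLI_OUT" >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi

    # check server exit code
    # NOTE(review): at this point $? is the status of the `if` statement
    # just above, not of the server: the status of `wait $SRV_PID` is never
    # saved, so this branch looks unreachable and a crashing server is not
    # detected here. Saving that status right after the wait and testing it
    # here would close the gap, provided the server exits with 0 when it is
    # stopped by `kill` (not visible from here; confirm before enabling).
    if [ $? != 0 ]; then
        fail "server fail"
        return
    fi

    # check client exit code (zero versus non-zero only)
    if { [ "$CLI_EXPECT" = 0 ] && [ "$CLI_EXIT" != 0 ]; } ||
       { [ "$CLI_EXPECT" != 0 ] && [ "$CLI_EXIT" = 0 ]; }
    then
        fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
        return
    fi

    # check other assertions
    # lines beginning with == are added by valgrind, ignore them
    # lines with 'Serious error when reading debug info', are valgrind issues as well
    while [ $# -gt 0 ]
    do
        case $1 in
            "-s")
                if grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Server output"
                    return
                fi
                ;;

            "-c")
                if grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Client output"
                    return
                fi
                ;;

            "-S")
                if grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Server output"
                    return
                fi
                ;;

            "-C")
                if grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Client output"
                    return
                fi
                ;;

                # The filtering in the following two options (-u and -U) do the following
                #   - ignore valgrind output
                #   - filter out everything but lines right after the pattern occurrences
                #   - keep one of each non-unique line
                #   - count how many lines remain
                # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
                # if there were no duplicates.
                # (The count is left unquoted so that any padding printed by
                # wc is dropped before the comparison.)
            "-U")
                if [ $(grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Server output"
                    return
                fi
                ;;

            "-u")
                if [ $(grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Client output"
                    return
                fi
                ;;
            "-F")
                if ! $2 "$SRV_OUT"; then
                    fail "function call to '$2' failed on Server output"
                    return
                fi
                ;;
            "-f")
                if ! $2 "$CLI_OUT"; then
                    fail "function call to '$2' failed on Client output"
                    return
                fi
                ;;

            *)
                echo "Unknown test: $1" >&2
                exit 1
        esac
        shift 2
    done

    # check valgrind's results
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD" && has_mem_err "$SRV_OUT"; then
            fail "Server has memory errors"
            return
        fi
        if is_polar "$CLI_CMD" && has_mem_err "$CLI_OUT"; then
            fail "Client has memory errors"
            return
        fi
    fi

    # if we're here, everything is ok
    echo "PASS"
    if [ "$PRESERVE_LOGS" -gt 0 ]; then
        mv "$SRV_OUT" "o-srv-${TESTS}.log"
        mv "$CLI_OUT" "o-cli-${TESTS}.log"
        if [ -n "$PXY_CMD" ]; then
            mv "$PXY_OUT" "o-pxy-${TESTS}.log"
        fi
    fi

    rm -f -- "$SRV_OUT" "$CLI_OUT" "$PXY_OUT"
}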
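# cleanup
#
# Remove the temporary log and session files, send a kill to every helper
# process whose PID has been recorded, then exit with status 1.
# Globals read: CLI_OUT, SRV_OUT, PXY_OUT, SESSION, SRV_PID, PXY_PID,
# CLI_PID, DOG_PID.
#
# NOTE(review): the PID variables may name processes that have already
# exited; nothing here checks that a PID still belongs to a child of this
# script before it is signalled.
cleanup() {
    # Quoted, with "--": each path is removed as exactly one file and can
    # never be taken for an option.
    rm -f -- "$CLI_OUT" "$SRV_OUT" "$PXY_OUT" "$SESSION"
    if [ -n "${SRV_PID:-}" ]; then kill "$SRV_PID" >/dev/null 2>&1; fi
    if [ -n "${PXY_PID:-}" ]; then kill "$PXY_PID" >/dev/null 2>&1; fi
    if [ -n "${CLI_PID:-}" ]; then kill "$CLI_PID" >/dev/null 2>&1; fi
    if [ -n "${DOG_PID:-}" ]; then kill "$DOG_PID" >/dev/null 2>&1; fi
    exit 1
}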
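#
# MAIN
#

# Run from the directory that holds this script: the default program and
# data file paths are relative to it. The path is quoted so that a checkout
# located in a directory with spaces in its name still works.
if cd "$( dirname "$0" )"; then :; else
    echo "cd $( dirname "$0" ) failed" >&2
    exit 1
fi

get_options "$@"

# sanity checks, avoid an avalanche of errors
if [ ! -x "$P_SRV" ]; then
    echo "Command '$P_SRV' is not an executable file"
    exit 1
fi
if [ ! -x "$P_CLI" ]; then
    echo "Command '$P_CLI' is not an executable file"
    exit 1
fi
if [ ! -x "$P_PXY" ]; then
    echo "Command '$P_PXY' is not an executable file"
    exit 1
fi
# `command -v` is the POSIX way to look a command up; `which` is not
# guaranteed to be installed.
if [ "$MEMCHECK" -gt 0 ]; then
    if command -v valgrind >/dev/null 2>&1; then :; else
        echo "Memcheck not possible. Valgrind not found"
        exit 1
    fi
fi
if command -v "$OPENSSL_CMD" >/dev/null 2>&1; then :; else
    echo "Command '$OPENSSL_CMD' not found"
    exit 1
fi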
# PID of this script, kept for the watchdog.
MAIN_PID="$$"

# The delays below are somewhat arbitrary:
# - START_DELAY: how long to wait for the server to start when lsof is not
#   available;
# - DOG_DELAY: how long the client is allowed to run before the watchdog
#   steps in (a guard against waiting forever, not a performance check).
#
# Without lsof there is a trade-off between the running time of the script
# and spurious failures caused by not waiting long enough. The watchdog
# delay does not affect a normal run, only a stuck client or server.
START_DELAY=2
DOG_DELAY=20
if [ "$MEMCHECK" -gt 0 ]; then
    # Everything is slower under valgrind, so allow extra time.
    START_DELAY=6
    DOG_DELAY=60
fi

# Some tests need more time:
# - for the client, the watchdog limit is multiplied by a factor;
# - for the server, the script sleeps a number of seconds after the client
#   exits.
# See client_need_more_time() and server_needs_more_time().
CLI_DELAY_FACTOR=1
SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200748# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000749# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200750P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
751P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100752P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200753O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200754O_CLI="$O_CLI -connect localhost:+SRV_PORT"
755G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000756G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200757
Gilles Peskine62469d92017-05-10 10:13:59 +0200758# Allow SHA-1, because many of our test certificates use it
759P_SRV="$P_SRV allow_sha1=1"
760P_CLI="$P_CLI allow_sha1=1"
761
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200762# Also pick a unique name for intermediate files
763SRV_OUT="srv_out.$$"
764CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200765PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200766SESSION="session.$$"
767
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200768SKIP_NEXT="NO"
769
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100770trap cleanup INT TERM HUP
# Basic test

# How to read a run_test call (run_test is defined earlier in this file;
# this summary should be confirmed against it): name, server command,
# client command, expected client exit status, then output checks.
# Lower-case -s / -c require a pattern in the server / client output,
# upper-case -S / -C require its absence.

# Checks that:
# - things work with all ciphersuites active (used with config-full in all.sh)
# - the expected (highest security) parameters are selected
# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
# A change in the negotiated defaults (weaker suite, hash or curve) shows up
# here as a failure, which makes this a regression guard for the defaults.
run_test "Default" \
    "$P_SRV debug_level=3" \
    "$P_CLI" \
    0 \
    -s "Protocol is TLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    -s "client hello v3, signature_algorithm ext: 6" \
    -s "ECDHE curve: secp521r1" \
    -S "error" \
    -C "error"

run_test "Default, DTLS" \
    "$P_SRV dtls=1" \
    "$P_CLI dtls=1" \
    0 \
    -s "Protocol is DTLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"

# Only runs on builds that opted into zlib. Record compression makes the
# ciphertext length depend on the plaintext content, which is why the record
# expansion is reported as unknown; deployments normally leave it disabled.
requires_config_enabled MBEDTLS_ZLIB_SUPPORT
run_test "Default (compression enabled)" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -s "Allocating compression buffer" \
    -c "Allocating compression buffer" \
    -s "Record expansion is unknown (compression)" \
    -c "Record expansion is unknown (compression)" \
    -S "error" \
    -C "error"

# Test current time in ServerHello
# -f / -F are given a name rather than a quoted pattern; presumably run_test
# calls check_server_hello_time (defined elsewhere) on the captured output -
# confirm against run_test.
requires_config_enabled MBEDTLS_HAVE_TIME
run_test "Default, ServerHello contains gmt_unix_time" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -s "Protocol is TLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    -s "client hello v3, signature_algorithm ext: 6" \
    -s "ECDHE curve: secp521r1" \
    -S "error" \
    -C "error" \
    -f "check_server_hello_time" \
    -F "check_server_hello_time"

# Test for uniqueness of IVs in AEAD ciphersuites
# Reusing an IV (nonce) under the same key breaks both the confidentiality
# and the authenticity of GCM. -u / -U presumably require that all output
# lines matching the pattern are distinct (server / client side) - confirm
# against run_test. Twenty exchanges give the check several records to compare.
run_test "Unique IV in GCM" \
    "$P_SRV exchanges=20 debug_level=4" \
    "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    0 \
    -u "IV used" \
    -U "IV used"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100831# Tests for rc4 option
832
Simon Butchera410af52016-05-19 22:12:18 +0100833requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100834run_test "RC4: server disabled, client enabled" \
835 "$P_SRV" \
836 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
837 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100838 -s "SSL - The server has no ciphersuites in common"
839
Simon Butchera410af52016-05-19 22:12:18 +0100840requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100841run_test "RC4: server half, client enabled" \
842 "$P_SRV arc4=1" \
843 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
844 1 \
845 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100846
847run_test "RC4: server enabled, client disabled" \
848 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
849 "$P_CLI" \
850 1 \
851 -s "SSL - The server has no ciphersuites in common"
852
853run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100854 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100855 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
856 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100857 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100858 -S "SSL - The server has no ciphersuites in common"
Hanno Becker3a333a52018-08-17 09:54:10 +0100860# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
861
862requires_gnutls
863requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
864run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
865 "$G_SRV"\
866 "$P_CLI force_version=tls1_1" \
867 0
868
869requires_gnutls
870requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
871run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
872 "$G_SRV"\
873 "$P_CLI force_version=tls1" \
874 0
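# Tests for SHA-1 support
#
# The harness defaults (P_SRV / P_CLI) carry allow_sha1=1. The tests that
# probe the library's own policy pass allow_sha1=0 on the side that verifies
# the peer certificate.
#
# Each "by default" check exists in two variants, selected by the
# compile-time option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES:
# - option disabled: the SHA-1-signed certificate must be rejected (exit 1,
#   "unacceptable hash" in the verifier's output);
# - option enabled: the same handshake must succeed (exit 0).
# The enabled variants are named "allowed by default" so that a PASS line in
# the log never claims SHA-1 was refused on a build that accepts it, and so
# that the two variants can be told apart by name.

requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI debug_level=2 allow_sha1=0" \
    1 \
    -c "The certificate is signed with an unacceptable hash"

requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 allowed by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI debug_level=2 allow_sha1=0" \
    0

run_test "SHA-1 explicitly allowed in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI allow_sha1=1" \
    0

# Control case: a SHA-256-signed certificate passes with SHA-1 not allowed.
run_test "SHA-256 allowed by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
    "$P_CLI allow_sha1=0" \
    0

# Same matrix for client certificates: here the server is the verifier, so
# it requires client authentication and carries the allow_sha1 setting.
requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    1 \
    -s "The certificate is signed with an unacceptable hash"

requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 allowed by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    0

run_test "SHA-1 explicitly allowed in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=1" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    0

run_test "SHA-256 allowed by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
    0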
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100924# Tests for Truncated HMAC extension
925
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100926run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200927 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100928 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100929 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000930 -s "dumping 'expected mac' (20 bytes)" \
931 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100932
Hanno Becker32c55012017-11-10 08:42:54 +0000933requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100934run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200935 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000936 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100937 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000938 -s "dumping 'expected mac' (20 bytes)" \
939 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100940
Hanno Becker32c55012017-11-10 08:42:54 +0000941requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100942run_test "Truncated HMAC: client enabled, server default" \
943 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000944 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100945 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000946 -s "dumping 'expected mac' (20 bytes)" \
947 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100948
Hanno Becker32c55012017-11-10 08:42:54 +0000949requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100950run_test "Truncated HMAC: client enabled, server disabled" \
951 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000952 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100953 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000954 -s "dumping 'expected mac' (20 bytes)" \
955 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100956
Hanno Becker32c55012017-11-10 08:42:54 +0000957requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000958run_test "Truncated HMAC: client disabled, server enabled" \
959 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000960 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000961 0 \
962 -s "dumping 'expected mac' (20 bytes)" \
963 -S "dumping 'expected mac' (10 bytes)"
964
965requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100966run_test "Truncated HMAC: client enabled, server enabled" \
967 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000968 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100969 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000970 -S "dumping 'expected mac' (20 bytes)" \
971 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100972
Hanno Becker4c4f4102017-11-10 09:16:05 +0000973run_test "Truncated HMAC, DTLS: client default, server default" \
974 "$P_SRV dtls=1 debug_level=4" \
975 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
976 0 \
977 -s "dumping 'expected mac' (20 bytes)" \
978 -S "dumping 'expected mac' (10 bytes)"
979
980requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
981run_test "Truncated HMAC, DTLS: client disabled, server default" \
982 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000983 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000984 0 \
985 -s "dumping 'expected mac' (20 bytes)" \
986 -S "dumping 'expected mac' (10 bytes)"
987
988requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
989run_test "Truncated HMAC, DTLS: client enabled, server default" \
990 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000991 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000992 0 \
993 -s "dumping 'expected mac' (20 bytes)" \
994 -S "dumping 'expected mac' (10 bytes)"
995
996requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
997run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
998 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000999 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +00001000 0 \
1001 -s "dumping 'expected mac' (20 bytes)" \
1002 -S "dumping 'expected mac' (10 bytes)"
1003
1004requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1005run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1006 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +00001007 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +00001008 0 \
1009 -s "dumping 'expected mac' (20 bytes)" \
1010 -S "dumping 'expected mac' (10 bytes)"
1011
1012requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1013run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1014 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +00001015 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +01001016 0 \
1017 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001018 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001020# Tests for Encrypt-then-MAC extension
1021
1022run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001023 "$P_SRV debug_level=3 \
1024 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001025 "$P_CLI debug_level=3" \
1026 0 \
1027 -c "client hello, adding encrypt_then_mac extension" \
1028 -s "found encrypt then mac extension" \
1029 -s "server hello, adding encrypt then mac extension" \
1030 -c "found encrypt_then_mac extension" \
1031 -c "using encrypt then mac" \
1032 -s "using encrypt then mac"
1033
1034run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001035 "$P_SRV debug_level=3 etm=0 \
1036 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001037 "$P_CLI debug_level=3 etm=1" \
1038 0 \
1039 -c "client hello, adding encrypt_then_mac extension" \
1040 -s "found encrypt then mac extension" \
1041 -S "server hello, adding encrypt then mac extension" \
1042 -C "found encrypt_then_mac extension" \
1043 -C "using encrypt then mac" \
1044 -S "using encrypt then mac"
1045
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +01001046run_test "Encrypt then MAC: client enabled, aead cipher" \
1047 "$P_SRV debug_level=3 etm=1 \
1048 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
1049 "$P_CLI debug_level=3 etm=1" \
1050 0 \
1051 -c "client hello, adding encrypt_then_mac extension" \
1052 -s "found encrypt then mac extension" \
1053 -S "server hello, adding encrypt then mac extension" \
1054 -C "found encrypt_then_mac extension" \
1055 -C "using encrypt then mac" \
1056 -S "using encrypt then mac"
1057
1058run_test "Encrypt then MAC: client enabled, stream cipher" \
1059 "$P_SRV debug_level=3 etm=1 \
1060 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01001061 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +01001062 0 \
1063 -c "client hello, adding encrypt_then_mac extension" \
1064 -s "found encrypt then mac extension" \
1065 -S "server hello, adding encrypt then mac extension" \
1066 -C "found encrypt_then_mac extension" \
1067 -C "using encrypt then mac" \
1068 -S "using encrypt then mac"
1069
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001070run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001071 "$P_SRV debug_level=3 etm=1 \
1072 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001073 "$P_CLI debug_level=3 etm=0" \
1074 0 \
1075 -C "client hello, adding encrypt_then_mac extension" \
1076 -S "found encrypt then mac extension" \
1077 -S "server hello, adding encrypt then mac extension" \
1078 -C "found encrypt_then_mac extension" \
1079 -C "using encrypt then mac" \
1080 -S "using encrypt then mac"
1081
Janos Follathe2681a42016-03-07 15:57:05 +00001082requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001083run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001084 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001085 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001086 "$P_CLI debug_level=3 force_version=ssl3" \
1087 0 \
1088 -C "client hello, adding encrypt_then_mac extension" \
1089 -S "found encrypt then mac extension" \
1090 -S "server hello, adding encrypt then mac extension" \
1091 -C "found encrypt_then_mac extension" \
1092 -C "using encrypt then mac" \
1093 -S "using encrypt then mac"
1094
Janos Follathe2681a42016-03-07 15:57:05 +00001095requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001096run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +01001097 "$P_SRV debug_level=3 force_version=ssl3 \
1098 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001099 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001100 0 \
1101 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +01001102 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +01001103 -S "server hello, adding encrypt then mac extension" \
1104 -C "found encrypt_then_mac extension" \
1105 -C "using encrypt then mac" \
1106 -S "using encrypt then mac"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +02001108# Tests for Extended Master Secret extension
1109
1110run_test "Extended Master Secret: default" \
1111 "$P_SRV debug_level=3" \
1112 "$P_CLI debug_level=3" \
1113 0 \
1114 -c "client hello, adding extended_master_secret extension" \
1115 -s "found extended master secret extension" \
1116 -s "server hello, adding extended master secret extension" \
1117 -c "found extended_master_secret extension" \
1118 -c "using extended master secret" \
1119 -s "using extended master secret"
1120
1121run_test "Extended Master Secret: client enabled, server disabled" \
1122 "$P_SRV debug_level=3 extended_ms=0" \
1123 "$P_CLI debug_level=3 extended_ms=1" \
1124 0 \
1125 -c "client hello, adding extended_master_secret extension" \
1126 -s "found extended master secret extension" \
1127 -S "server hello, adding extended master secret extension" \
1128 -C "found extended_master_secret extension" \
1129 -C "using extended master secret" \
1130 -S "using extended master secret"
1131
1132run_test "Extended Master Secret: client disabled, server enabled" \
1133 "$P_SRV debug_level=3 extended_ms=1" \
1134 "$P_CLI debug_level=3 extended_ms=0" \
1135 0 \
1136 -C "client hello, adding extended_master_secret extension" \
1137 -S "found extended master secret extension" \
1138 -S "server hello, adding extended master secret extension" \
1139 -C "found extended_master_secret extension" \
1140 -C "using extended master secret" \
1141 -S "using extended master secret"
1142
Janos Follathe2681a42016-03-07 15:57:05 +00001143requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001144run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001145 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001146 "$P_CLI debug_level=3 force_version=ssl3" \
1147 0 \
1148 -C "client hello, adding extended_master_secret extension" \
1149 -S "found extended master secret extension" \
1150 -S "server hello, adding extended master secret extension" \
1151 -C "found extended_master_secret extension" \
1152 -C "using extended master secret" \
1153 -S "using extended master secret"
1154
Janos Follathe2681a42016-03-07 15:57:05 +00001155requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001156run_test "Extended Master Secret: client enabled, server SSLv3" \
1157 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001158 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001159 0 \
1160 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +01001161 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +02001162 -S "server hello, adding extended master secret extension" \
1163 -C "found extended_master_secret extension" \
1164 -C "using extended master secret" \
1165 -S "using extended master secret"
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001167# Tests for FALLBACK_SCSV
1168
1169run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001170 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001171 "$P_CLI debug_level=3 force_version=tls1_1" \
1172 0 \
1173 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001174 -S "received FALLBACK_SCSV" \
1175 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001176 -C "is a fatal alert message (msg 86)"
1177
1178run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001179 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001180 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1181 0 \
1182 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001183 -S "received FALLBACK_SCSV" \
1184 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001185 -C "is a fatal alert message (msg 86)"
1186
1187run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001188 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001189 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001190 1 \
1191 -c "adding FALLBACK_SCSV" \
1192 -s "received FALLBACK_SCSV" \
1193 -s "inapropriate fallback" \
1194 -c "is a fatal alert message (msg 86)"
1195
1196run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001197 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001198 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001199 0 \
1200 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001201 -s "received FALLBACK_SCSV" \
1202 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +02001203 -C "is a fatal alert message (msg 86)"
1204
1205requires_openssl_with_fallback_scsv
1206run_test "Fallback SCSV: default, openssl server" \
1207 "$O_SRV" \
1208 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1209 0 \
1210 -C "adding FALLBACK_SCSV" \
1211 -C "is a fatal alert message (msg 86)"
1212
1213requires_openssl_with_fallback_scsv
1214run_test "Fallback SCSV: enabled, openssl server" \
1215 "$O_SRV" \
1216 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1217 1 \
1218 -c "adding FALLBACK_SCSV" \
1219 -c "is a fatal alert message (msg 86)"
1220
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001221requires_openssl_with_fallback_scsv
1222run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001223 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001224 "$O_CLI -tls1_1" \
1225 0 \
1226 -S "received FALLBACK_SCSV" \
1227 -S "inapropriate fallback"
1228
1229requires_openssl_with_fallback_scsv
1230run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001231 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001232 "$O_CLI -tls1_1 -fallback_scsv" \
1233 1 \
1234 -s "received FALLBACK_SCSV" \
1235 -s "inapropriate fallback"
1236
1237requires_openssl_with_fallback_scsv
1238run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +02001239 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +02001240 "$O_CLI -fallback_scsv" \
1241 0 \
1242 -s "received FALLBACK_SCSV" \
1243 -S "inapropriate fallback"
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001245# Test sending and receiving empty application data records
1246
1247run_test "Encrypt then MAC: empty application data record" \
1248 "$P_SRV auth_mode=none debug_level=4 etm=1" \
1249 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
1250 0 \
1251 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1252 -s "dumping 'input payload after decrypt' (0 bytes)" \
1253 -c "0 bytes written in 1 fragments"
1254
Manuel Pégourié-Gonnardd6e44542020-03-24 10:53:39 +01001255run_test "Encrypt then MAC: disabled, empty application data record" \
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001256 "$P_SRV auth_mode=none debug_level=4 etm=0" \
1257 "$P_CLI auth_mode=none etm=0 request_size=0" \
1258 0 \
1259 -s "dumping 'input payload after decrypt' (0 bytes)" \
1260 -c "0 bytes written in 1 fragments"
1261
1262run_test "Encrypt then MAC, DTLS: empty application data record" \
1263 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
1264 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
1265 0 \
1266 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1267 -s "dumping 'input payload after decrypt' (0 bytes)" \
1268 -c "0 bytes written in 1 fragments"
1269
Manuel Pégourié-Gonnardd6e44542020-03-24 10:53:39 +01001270run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
Andres Amaya Garcia14783c42018-07-10 20:08:04 +01001271 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
1272 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
1273 0 \
1274 -s "dumping 'input payload after decrypt' (0 bytes)" \
1275 -c "0 bytes written in 1 fragments"
Gilles Peskined50177f2017-05-16 17:53:03 +02001277## ClientHello generated with
1278## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1279## then manually twiddling the ciphersuite list.
1280## The ClientHello content is spelled out below as a hex string as
1281## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1282## The expected response is an inappropriate_fallback alert.
1283requires_openssl_with_fallback_scsv
1284run_test "Fallback SCSV: beginning of list" \
1285 "$P_SRV debug_level=2" \
1286 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1287 0 \
1288 -s "received FALLBACK_SCSV" \
1289 -s "inapropriate fallback"
1290
1291requires_openssl_with_fallback_scsv
1292run_test "Fallback SCSV: end of list" \
1293 "$P_SRV debug_level=2" \
1294 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1295 0 \
1296 -s "received FALLBACK_SCSV" \
1297 -s "inapropriate fallback"
1298
1299## Here the expected response is a valid ServerHello prefix, up to the random.
1300requires_openssl_with_fallback_scsv
1301run_test "Fallback SCSV: not in list" \
1302 "$P_SRV debug_level=2" \
1303 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1304 0 \
1305 -S "received FALLBACK_SCSV" \
1306 -S "inapropriate fallback"
1307
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001308# Tests for CBC 1/n-1 record splitting
1309
1310run_test "CBC Record splitting: TLS 1.2, no splitting" \
1311 "$P_SRV" \
1312 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1313 request_size=123 force_version=tls1_2" \
1314 0 \
1315 -s "Read from client: 123 bytes read" \
1316 -S "Read from client: 1 bytes read" \
1317 -S "122 bytes read"
1318
1319run_test "CBC Record splitting: TLS 1.1, no splitting" \
1320 "$P_SRV" \
1321 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1322 request_size=123 force_version=tls1_1" \
1323 0 \
1324 -s "Read from client: 123 bytes read" \
1325 -S "Read from client: 1 bytes read" \
1326 -S "122 bytes read"
1327
1328run_test "CBC Record splitting: TLS 1.0, splitting" \
1329 "$P_SRV" \
1330 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1331 request_size=123 force_version=tls1" \
1332 0 \
1333 -S "Read from client: 123 bytes read" \
1334 -s "Read from client: 1 bytes read" \
1335 -s "122 bytes read"
1336
Janos Follathe2681a42016-03-07 15:57:05 +00001337requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001338run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001339 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001340 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1341 request_size=123 force_version=ssl3" \
1342 0 \
1343 -S "Read from client: 123 bytes read" \
1344 -s "Read from client: 1 bytes read" \
1345 -s "122 bytes read"
1346
1347run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01001348 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001349 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1350 request_size=123 force_version=tls1" \
1351 0 \
1352 -s "Read from client: 123 bytes read" \
1353 -S "Read from client: 1 bytes read" \
1354 -S "122 bytes read"
1355
1356run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1357 "$P_SRV" \
1358 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1359 request_size=123 force_version=tls1 recsplit=0" \
1360 0 \
1361 -s "Read from client: 123 bytes read" \
1362 -S "Read from client: 1 bytes read" \
1363 -S "122 bytes read"
1364
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01001365run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1366 "$P_SRV nbio=2" \
1367 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1368 request_size=123 force_version=tls1" \
1369 0 \
1370 -S "Read from client: 123 bytes read" \
1371 -s "Read from client: 1 bytes read" \
1372 -s "122 bytes read"
1373
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001374# Tests for Session Tickets
1375
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001376run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001377 "$P_SRV debug_level=3 tickets=1" \
1378 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001379 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001380 -c "client hello, adding session ticket extension" \
1381 -s "found session ticket extension" \
1382 -s "server hello, adding session ticket extension" \
1383 -c "found session_ticket extension" \
1384 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001385 -S "session successfully restored from cache" \
1386 -s "session successfully restored from ticket" \
1387 -s "a session has been resumed" \
1388 -c "a session has been resumed"
1389
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001390run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001391 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1392 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +01001393 0 \
1394 -c "client hello, adding session ticket extension" \
1395 -s "found session ticket extension" \
1396 -s "server hello, adding session ticket extension" \
1397 -c "found session_ticket extension" \
1398 -c "parse new session ticket" \
1399 -S "session successfully restored from cache" \
1400 -s "session successfully restored from ticket" \
1401 -s "a session has been resumed" \
1402 -c "a session has been resumed"
1403
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001404run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001405 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1406 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +01001407 0 \
1408 -c "client hello, adding session ticket extension" \
1409 -s "found session ticket extension" \
1410 -s "server hello, adding session ticket extension" \
1411 -c "found session_ticket extension" \
1412 -c "parse new session ticket" \
1413 -S "session successfully restored from cache" \
1414 -S "session successfully restored from ticket" \
1415 -S "a session has been resumed" \
1416 -C "a session has been resumed"
1417
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001418run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +01001419 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001420 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +01001421 0 \
1422 -c "client hello, adding session ticket extension" \
1423 -c "found session_ticket extension" \
1424 -c "parse new session ticket" \
1425 -c "a session has been resumed"
1426
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001427run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001428 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +02001429 "( $O_CLI -sess_out $SESSION; \
1430 $O_CLI -sess_in $SESSION; \
1431 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +01001432 0 \
1433 -s "found session ticket extension" \
1434 -s "server hello, adding session ticket extension" \
1435 -S "session successfully restored from cache" \
1436 -s "session successfully restored from ticket" \
1437 -s "a session has been resumed"
1438
Hanno Beckerb5546362018-08-21 13:55:22 +01001439# Tests for Session Tickets with DTLS
1440
1441run_test "Session resume using tickets, DTLS: basic" \
1442 "$P_SRV debug_level=3 dtls=1 tickets=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001443 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001444 0 \
1445 -c "client hello, adding session ticket extension" \
1446 -s "found session ticket extension" \
1447 -s "server hello, adding session ticket extension" \
1448 -c "found session_ticket extension" \
1449 -c "parse new session ticket" \
1450 -S "session successfully restored from cache" \
1451 -s "session successfully restored from ticket" \
1452 -s "a session has been resumed" \
1453 -c "a session has been resumed"
1454
1455run_test "Session resume using tickets, DTLS: cache disabled" \
1456 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001457 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001458 0 \
1459 -c "client hello, adding session ticket extension" \
1460 -s "found session ticket extension" \
1461 -s "server hello, adding session ticket extension" \
1462 -c "found session_ticket extension" \
1463 -c "parse new session ticket" \
1464 -S "session successfully restored from cache" \
1465 -s "session successfully restored from ticket" \
1466 -s "a session has been resumed" \
1467 -c "a session has been resumed"
1468
1469run_test "Session resume using tickets, DTLS: timeout" \
1470 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001471 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001472 0 \
1473 -c "client hello, adding session ticket extension" \
1474 -s "found session ticket extension" \
1475 -s "server hello, adding session ticket extension" \
1476 -c "found session_ticket extension" \
1477 -c "parse new session ticket" \
1478 -S "session successfully restored from cache" \
1479 -S "session successfully restored from ticket" \
1480 -S "a session has been resumed" \
1481 -C "a session has been resumed"
1482
1483run_test "Session resume using tickets, DTLS: openssl server" \
1484 "$O_SRV -dtls1" \
1485 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1486 0 \
1487 -c "client hello, adding session ticket extension" \
1488 -c "found session_ticket extension" \
1489 -c "parse new session ticket" \
1490 -c "a session has been resumed"
1491
1492run_test "Session resume using tickets, DTLS: openssl client" \
1493 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1494 "( $O_CLI -dtls1 -sess_out $SESSION; \
1495 $O_CLI -dtls1 -sess_in $SESSION; \
1496 rm -f $SESSION )" \
1497 0 \
1498 -s "found session ticket extension" \
1499 -s "server hello, adding session ticket extension" \
1500 -S "session successfully restored from cache" \
1501 -s "session successfully restored from ticket" \
1502 -s "a session has been resumed"
1503
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001504# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001505
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001506run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001507 "$P_SRV debug_level=3 tickets=0" \
1508 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001509 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001510 -c "client hello, adding session ticket extension" \
1511 -s "found session ticket extension" \
1512 -S "server hello, adding session ticket extension" \
1513 -C "found session_ticket extension" \
1514 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001515 -s "session successfully restored from cache" \
1516 -S "session successfully restored from ticket" \
1517 -s "a session has been resumed" \
1518 -c "a session has been resumed"
1519
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001520run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001521 "$P_SRV debug_level=3 tickets=1" \
1522 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001523 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001524 -C "client hello, adding session ticket extension" \
1525 -S "found session ticket extension" \
1526 -S "server hello, adding session ticket extension" \
1527 -C "found session_ticket extension" \
1528 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001529 -s "session successfully restored from cache" \
1530 -S "session successfully restored from ticket" \
1531 -s "a session has been resumed" \
1532 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001533
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001534run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001535 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1536 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001537 0 \
1538 -S "session successfully restored from cache" \
1539 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001540 -S "a session has been resumed" \
1541 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001542
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001543run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001544 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1545 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001546 0 \
1547 -s "session successfully restored from cache" \
1548 -S "session successfully restored from ticket" \
1549 -s "a session has been resumed" \
1550 -c "a session has been resumed"
1551
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +02001552run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001553 "$P_SRV debug_level=3 tickets=0" \
1554 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001555 0 \
1556 -s "session successfully restored from cache" \
1557 -S "session successfully restored from ticket" \
1558 -s "a session has been resumed" \
1559 -c "a session has been resumed"
1560
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001561run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001562 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1563 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001564 0 \
1565 -S "session successfully restored from cache" \
1566 -S "session successfully restored from ticket" \
1567 -S "a session has been resumed" \
1568 -C "a session has been resumed"
1569
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001570run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001571 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1572 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001573 0 \
1574 -s "session successfully restored from cache" \
1575 -S "session successfully restored from ticket" \
1576 -s "a session has been resumed" \
1577 -c "a session has been resumed"
1578
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001579run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001580 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +02001581 "( $O_CLI -sess_out $SESSION; \
1582 $O_CLI -sess_in $SESSION; \
1583 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +01001584 0 \
1585 -s "found session ticket extension" \
1586 -S "server hello, adding session ticket extension" \
1587 -s "session successfully restored from cache" \
1588 -S "session successfully restored from ticket" \
1589 -s "a session has been resumed"
1590
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001591run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +01001592 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001593 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +01001594 0 \
1595 -C "found session_ticket extension" \
1596 -C "parse new session ticket" \
1597 -c "a session has been resumed"
1598
Hanno Beckerb5546362018-08-21 13:55:22 +01001599# Tests for Session Resume based on session-ID and cache, DTLS
1600
1601run_test "Session resume using cache, DTLS: tickets enabled on client" \
1602 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001603 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001604 0 \
1605 -c "client hello, adding session ticket extension" \
1606 -s "found session ticket extension" \
1607 -S "server hello, adding session ticket extension" \
1608 -C "found session_ticket extension" \
1609 -C "parse new session ticket" \
1610 -s "session successfully restored from cache" \
1611 -S "session successfully restored from ticket" \
1612 -s "a session has been resumed" \
1613 -c "a session has been resumed"
1614
1615run_test "Session resume using cache, DTLS: tickets enabled on server" \
1616 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001617 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001618 0 \
1619 -C "client hello, adding session ticket extension" \
1620 -S "found session ticket extension" \
1621 -S "server hello, adding session ticket extension" \
1622 -C "found session_ticket extension" \
1623 -C "parse new session ticket" \
1624 -s "session successfully restored from cache" \
1625 -S "session successfully restored from ticket" \
1626 -s "a session has been resumed" \
1627 -c "a session has been resumed"
1628
1629run_test "Session resume using cache, DTLS: cache_max=0" \
1630 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001631 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001632 0 \
1633 -S "session successfully restored from cache" \
1634 -S "session successfully restored from ticket" \
1635 -S "a session has been resumed" \
1636 -C "a session has been resumed"
1637
1638run_test "Session resume using cache, DTLS: cache_max=1" \
1639 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001640 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001641 0 \
1642 -s "session successfully restored from cache" \
1643 -S "session successfully restored from ticket" \
1644 -s "a session has been resumed" \
1645 -c "a session has been resumed"
1646
1647run_test "Session resume using cache, DTLS: timeout > delay" \
1648 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001649 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001650 0 \
1651 -s "session successfully restored from cache" \
1652 -S "session successfully restored from ticket" \
1653 -s "a session has been resumed" \
1654 -c "a session has been resumed"
1655
1656run_test "Session resume using cache, DTLS: timeout < delay" \
1657 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001658 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001659 0 \
1660 -S "session successfully restored from cache" \
1661 -S "session successfully restored from ticket" \
1662 -S "a session has been resumed" \
1663 -C "a session has been resumed"
1664
1665run_test "Session resume using cache, DTLS: no timeout" \
1666 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001667 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001668 0 \
1669 -s "session successfully restored from cache" \
1670 -S "session successfully restored from ticket" \
1671 -s "a session has been resumed" \
1672 -c "a session has been resumed"
1673
1674run_test "Session resume using cache, DTLS: openssl client" \
1675 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1676 "( $O_CLI -dtls1 -sess_out $SESSION; \
1677 $O_CLI -dtls1 -sess_in $SESSION; \
1678 rm -f $SESSION )" \
1679 0 \
1680 -s "found session ticket extension" \
1681 -S "server hello, adding session ticket extension" \
1682 -s "session successfully restored from cache" \
1683 -S "session successfully restored from ticket" \
1684 -s "a session has been resumed"
1685
1686run_test "Session resume using cache, DTLS: openssl server" \
1687 "$O_SRV -dtls1" \
1688 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1689 0 \
1690 -C "found session_ticket extension" \
1691 -C "parse new session ticket" \
1692 -c "a session has been resumed"
1693
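# Tests for Max Fragment Length extension

# The expectations in this section hard-code 16384 as the maximum record
# content length, so refuse to run against a build configured with a different
# value instead of reporting misleading failures.
MAX_CONTENT_LEN_EXPECT='16384'
MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)

# An empty result (option not set, or config.pl unavailable) skips the check.
# A non-numeric result makes the -ne comparison fail with an error, which also
# skips the check.
if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
    # Variables are passed as printf arguments rather than spliced into the
    # format string, so a '%' or backslash in the config path cannot be
    # interpreted as a format directive.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_CONTENT_LEN_EXPECT}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi
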
Hanno Becker4aed27e2017-09-18 15:00:34 +01001711requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +01001712run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001713 "$P_SRV debug_level=3" \
1714 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001715 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001716 -c "Maximum fragment length is 16384" \
1717 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001718 -C "client hello, adding max_fragment_length extension" \
1719 -S "found max fragment length extension" \
1720 -S "server hello, max_fragment_length extension" \
1721 -C "found max_fragment_length extension"
1722
Hanno Becker4aed27e2017-09-18 15:00:34 +01001723requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +01001724run_test "Max fragment length: enabled, default, larger message" \
1725 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001726 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001727 0 \
1728 -c "Maximum fragment length is 16384" \
1729 -s "Maximum fragment length is 16384" \
1730 -C "client hello, adding max_fragment_length extension" \
1731 -S "found max fragment length extension" \
1732 -S "server hello, max_fragment_length extension" \
1733 -C "found max_fragment_length extension" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001734 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001735 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001736 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +01001737
1738requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1739run_test "Max fragment length, DTLS: enabled, default, larger message" \
1740 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001741 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001742 1 \
1743 -c "Maximum fragment length is 16384" \
1744 -s "Maximum fragment length is 16384" \
1745 -C "client hello, adding max_fragment_length extension" \
1746 -S "found max fragment length extension" \
1747 -S "server hello, max_fragment_length extension" \
1748 -C "found max_fragment_length extension" \
1749 -c "fragment larger than.*maximum "
1750
1751requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1752run_test "Max fragment length: disabled, larger message" \
1753 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001754 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001755 0 \
1756 -C "Maximum fragment length is 16384" \
1757 -S "Maximum fragment length is 16384" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001758 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001759 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001760 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +01001761
1762requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1763run_test "Max fragment length DTLS: disabled, larger message" \
1764 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001765 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001766 1 \
1767 -C "Maximum fragment length is 16384" \
1768 -S "Maximum fragment length is 16384" \
1769 -c "fragment larger than.*maximum "
1770
1771requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001772run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001773 "$P_SRV debug_level=3" \
1774 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001775 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001776 -c "Maximum fragment length is 4096" \
1777 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001778 -c "client hello, adding max_fragment_length extension" \
1779 -s "found max fragment length extension" \
1780 -s "server hello, max_fragment_length extension" \
1781 -c "found max_fragment_length extension"
1782
Hanno Becker4aed27e2017-09-18 15:00:34 +01001783requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001784run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001785 "$P_SRV debug_level=3 max_frag_len=4096" \
1786 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001787 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001788 -c "Maximum fragment length is 16384" \
1789 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001790 -C "client hello, adding max_fragment_length extension" \
1791 -S "found max fragment length extension" \
1792 -S "server hello, max_fragment_length extension" \
1793 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001794
Hanno Becker4aed27e2017-09-18 15:00:34 +01001795requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001796requires_gnutls
1797run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001798 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001799 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001800 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001801 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001802 -c "client hello, adding max_fragment_length extension" \
1803 -c "found max_fragment_length extension"
1804
Hanno Becker4aed27e2017-09-18 15:00:34 +01001805requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001806run_test "Max fragment length: client, message just fits" \
1807 "$P_SRV debug_level=3" \
1808 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1809 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001810 -c "Maximum fragment length is 2048" \
1811 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001812 -c "client hello, adding max_fragment_length extension" \
1813 -s "found max fragment length extension" \
1814 -s "server hello, max_fragment_length extension" \
1815 -c "found max_fragment_length extension" \
1816 -c "2048 bytes written in 1 fragments" \
1817 -s "2048 bytes read"
1818
Hanno Becker4aed27e2017-09-18 15:00:34 +01001819requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001820run_test "Max fragment length: client, larger message" \
1821 "$P_SRV debug_level=3" \
1822 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1823 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001824 -c "Maximum fragment length is 2048" \
1825 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001826 -c "client hello, adding max_fragment_length extension" \
1827 -s "found max fragment length extension" \
1828 -s "server hello, max_fragment_length extension" \
1829 -c "found max_fragment_length extension" \
1830 -c "2345 bytes written in 2 fragments" \
1831 -s "2048 bytes read" \
1832 -s "297 bytes read"
1833
Hanno Becker4aed27e2017-09-18 15:00:34 +01001834requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +00001835run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001836 "$P_SRV debug_level=3 dtls=1" \
1837 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1838 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001839 -c "Maximum fragment length is 2048" \
1840 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001841 -c "client hello, adding max_fragment_length extension" \
1842 -s "found max fragment length extension" \
1843 -s "server hello, max_fragment_length extension" \
1844 -c "found max_fragment_length extension" \
1845 -c "fragment larger than.*maximum"
1846
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001847# Tests for renegotiation
1848
Hanno Becker6a243642017-10-12 15:18:45 +01001849# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001850run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001851 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001852 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001853 0 \
1854 -C "client hello, adding renegotiation extension" \
1855 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1856 -S "found renegotiation extension" \
1857 -s "server hello, secure renegotiation extension" \
1858 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001859 -C "=> renegotiate" \
1860 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001861 -S "write hello request"
1862
Hanno Becker6a243642017-10-12 15:18:45 +01001863requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001864run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001865 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001866 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001867 0 \
1868 -c "client hello, adding renegotiation extension" \
1869 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1870 -s "found renegotiation extension" \
1871 -s "server hello, secure renegotiation extension" \
1872 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001873 -c "=> renegotiate" \
1874 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001875 -S "write hello request"
1876
Hanno Becker6a243642017-10-12 15:18:45 +01001877requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001878run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001879 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001880 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001881 0 \
1882 -c "client hello, adding renegotiation extension" \
1883 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1884 -s "found renegotiation extension" \
1885 -s "server hello, secure renegotiation extension" \
1886 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001887 -c "=> renegotiate" \
1888 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001889 -s "write hello request"
1890
Janos Follathb0f148c2017-10-05 12:29:42 +01001891# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1892# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1893# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +01001894requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +01001895run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1896 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1897 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1898 0 \
1899 -c "client hello, adding renegotiation extension" \
1900 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1901 -s "found renegotiation extension" \
1902 -s "server hello, secure renegotiation extension" \
1903 -c "found renegotiation extension" \
1904 -c "=> renegotiate" \
1905 -s "=> renegotiate" \
1906 -S "write hello request" \
1907 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1908
1909# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1910# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1911# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +01001912requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +01001913run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1914 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1915 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1916 0 \
1917 -c "client hello, adding renegotiation extension" \
1918 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1919 -s "found renegotiation extension" \
1920 -s "server hello, secure renegotiation extension" \
1921 -c "found renegotiation extension" \
1922 -c "=> renegotiate" \
1923 -s "=> renegotiate" \
1924 -s "write hello request" \
1925 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1926
Hanno Becker6a243642017-10-12 15:18:45 +01001927requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001928run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001929 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001930 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001931 0 \
1932 -c "client hello, adding renegotiation extension" \
1933 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1934 -s "found renegotiation extension" \
1935 -s "server hello, secure renegotiation extension" \
1936 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001937 -c "=> renegotiate" \
1938 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001939 -s "write hello request"
1940
Hanno Becker6a243642017-10-12 15:18:45 +01001941requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001942run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001943 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001944 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001945 1 \
1946 -c "client hello, adding renegotiation extension" \
1947 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1948 -S "found renegotiation extension" \
1949 -s "server hello, secure renegotiation extension" \
1950 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001951 -c "=> renegotiate" \
1952 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001953 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02001954 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001955 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001956
Hanno Becker6a243642017-10-12 15:18:45 +01001957requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001958run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001959 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001960 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001961 0 \
1962 -C "client hello, adding renegotiation extension" \
1963 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1964 -S "found renegotiation extension" \
1965 -s "server hello, secure renegotiation extension" \
1966 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001967 -C "=> renegotiate" \
1968 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001969 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02001970 -S "SSL - An unexpected message was received from our peer" \
1971 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +01001972
Hanno Becker6a243642017-10-12 15:18:45 +01001973requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001974run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001975 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001976 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001977 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001978 0 \
1979 -C "client hello, adding renegotiation extension" \
1980 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1981 -S "found renegotiation extension" \
1982 -s "server hello, secure renegotiation extension" \
1983 -c "found renegotiation extension" \
1984 -C "=> renegotiate" \
1985 -S "=> renegotiate" \
1986 -s "write hello request" \
1987 -S "SSL - An unexpected message was received from our peer" \
1988 -S "failed"
1989
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +02001990# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +01001991requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001992run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001993 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001994 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001995 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001996 0 \
1997 -C "client hello, adding renegotiation extension" \
1998 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1999 -S "found renegotiation extension" \
2000 -s "server hello, secure renegotiation extension" \
2001 -c "found renegotiation extension" \
2002 -C "=> renegotiate" \
2003 -S "=> renegotiate" \
2004 -s "write hello request" \
2005 -S "SSL - An unexpected message was received from our peer" \
2006 -S "failed"
2007
Hanno Becker6a243642017-10-12 15:18:45 +01002008requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002009run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002010 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01002011 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002012 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02002013 0 \
2014 -C "client hello, adding renegotiation extension" \
2015 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2016 -S "found renegotiation extension" \
2017 -s "server hello, secure renegotiation extension" \
2018 -c "found renegotiation extension" \
2019 -C "=> renegotiate" \
2020 -S "=> renegotiate" \
2021 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +02002022 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02002023
Hanno Becker6a243642017-10-12 15:18:45 +01002024requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002025run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002026 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01002027 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002028 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02002029 0 \
2030 -c "client hello, adding renegotiation extension" \
2031 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2032 -s "found renegotiation extension" \
2033 -s "server hello, secure renegotiation extension" \
2034 -c "found renegotiation extension" \
2035 -c "=> renegotiate" \
2036 -s "=> renegotiate" \
2037 -s "write hello request" \
2038 -S "SSL - An unexpected message was received from our peer" \
2039 -S "failed"
2040
Hanno Becker6a243642017-10-12 15:18:45 +01002041requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01002042run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01002043 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01002044 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
2045 0 \
2046 -C "client hello, adding renegotiation extension" \
2047 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2048 -S "found renegotiation extension" \
2049 -s "server hello, secure renegotiation extension" \
2050 -c "found renegotiation extension" \
2051 -S "record counter limit reached: renegotiate" \
2052 -C "=> renegotiate" \
2053 -S "=> renegotiate" \
2054 -S "write hello request" \
2055 -S "SSL - An unexpected message was received from our peer" \
2056 -S "failed"
2057
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01002058# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +01002059requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01002060run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01002061 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01002062 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01002063 0 \
2064 -c "client hello, adding renegotiation extension" \
2065 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2066 -s "found renegotiation extension" \
2067 -s "server hello, secure renegotiation extension" \
2068 -c "found renegotiation extension" \
2069 -s "record counter limit reached: renegotiate" \
2070 -c "=> renegotiate" \
2071 -s "=> renegotiate" \
2072 -s "write hello request" \
2073 -S "SSL - An unexpected message was received from our peer" \
2074 -S "failed"
2075
Hanno Becker6a243642017-10-12 15:18:45 +01002076requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01002077run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01002078 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01002079 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01002080 0 \
2081 -c "client hello, adding renegotiation extension" \
2082 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2083 -s "found renegotiation extension" \
2084 -s "server hello, secure renegotiation extension" \
2085 -c "found renegotiation extension" \
2086 -s "record counter limit reached: renegotiate" \
2087 -c "=> renegotiate" \
2088 -s "=> renegotiate" \
2089 -s "write hello request" \
2090 -S "SSL - An unexpected message was received from our peer" \
2091 -S "failed"
2092
Hanno Becker6a243642017-10-12 15:18:45 +01002093requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01002094run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01002095 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01002096 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
2097 0 \
2098 -C "client hello, adding renegotiation extension" \
2099 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2100 -S "found renegotiation extension" \
2101 -s "server hello, secure renegotiation extension" \
2102 -c "found renegotiation extension" \
2103 -S "record counter limit reached: renegotiate" \
2104 -C "=> renegotiate" \
2105 -S "=> renegotiate" \
2106 -S "write hello request" \
2107 -S "SSL - An unexpected message was received from our peer" \
2108 -S "failed"
2109
Hanno Becker6a243642017-10-12 15:18:45 +01002110requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002111run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01002112 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002113 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02002114 0 \
2115 -c "client hello, adding renegotiation extension" \
2116 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2117 -s "found renegotiation extension" \
2118 -s "server hello, secure renegotiation extension" \
2119 -c "found renegotiation extension" \
2120 -c "=> renegotiate" \
2121 -s "=> renegotiate" \
2122 -S "write hello request"
2123
Hanno Becker6a243642017-10-12 15:18:45 +01002124requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002125run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01002126 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002127 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02002128 0 \
2129 -c "client hello, adding renegotiation extension" \
2130 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2131 -s "found renegotiation extension" \
2132 -s "server hello, secure renegotiation extension" \
2133 -c "found renegotiation extension" \
2134 -c "=> renegotiate" \
2135 -s "=> renegotiate" \
2136 -s "write hello request"
2137
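# Interoperability: the client renegotiates against an OpenSSL server
# ("$O_SRV -www"). The renegotiation must complete and the HTTP response must
# still arrive afterwards.
# The forbidden handshake-error pattern is spelled exactly like the message
# the failing GnuTLS cases in this file require from the same client
# ("mbedtls_ssl_handshake() returned"). The earlier spelling
# "ssl_hanshake() returned" was misspelled and lacked the prefix, so that
# negative check could never fire.
# NOTE(review): confirm with a test run that a successful renegotiation never
# logs this message at debug_level=3.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: openssl server, client-initiated" \
    "$O_SRV -www" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"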
2149
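# Interoperability: the client renegotiates against a GnuTLS server that
# insists on secure renegotiation (%SAFE_RENEGOTIATION). The extension must be
# found, the renegotiation must complete and the HTTP response must arrive.
# The forbidden handshake-error pattern is spelled exactly like the message
# the failing "gnutls server unsafe" cases in this file require
# ("mbedtls_ssl_handshake() returned"). The earlier spelling
# "ssl_hanshake() returned" was misspelled and lacked the prefix, so that
# negative check could never fire.
# NOTE(review): confirm with a test run that a successful renegotiation never
# logs this message at debug_level=3.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server strict, client-initiated" \
    "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"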
2162
Paul Bakker539d9722015-02-08 16:18:35 +01002163requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01002164requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002165run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
2166 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2167 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
2168 1 \
2169 -c "client hello, adding renegotiation extension" \
2170 -C "found renegotiation extension" \
2171 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002172 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002173 -c "error" \
2174 -C "HTTP/1.0 200 [Oo][Kk]"
2175
Paul Bakker539d9722015-02-08 16:18:35 +01002176requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01002177requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002178run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
2179 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2180 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2181 allow_legacy=0" \
2182 1 \
2183 -c "client hello, adding renegotiation extension" \
2184 -C "found renegotiation extension" \
2185 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002186 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002187 -c "error" \
2188 -C "HTTP/1.0 200 [Oo][Kk]"
2189
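# Same unsafe GnuTLS server, but the client opts in to legacy renegotiation
# with allow_legacy=1: the renegotiation is expected to succeed even though no
# renegotiation extension is ever found. This documents the insecure opt-in;
# it is not a recommended configuration.
# The forbidden handshake-error pattern is spelled exactly like the message
# the failing "gnutls server unsafe" cases in this file require
# ("mbedtls_ssl_handshake() returned"). The earlier spelling
# "ssl_hanshake() returned" was misspelled and lacked the prefix, so that
# negative check could never fire.
# NOTE(review): confirm with a test run that a successful renegotiation never
# logs this message at debug_level=3.
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
     allow_legacy=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"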
2203
Hanno Becker6a243642017-10-12 15:18:45 +01002204requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +02002205run_test "Renegotiation: DTLS, client-initiated" \
2206 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
2207 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
2208 0 \
2209 -c "client hello, adding renegotiation extension" \
2210 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2211 -s "found renegotiation extension" \
2212 -s "server hello, secure renegotiation extension" \
2213 -c "found renegotiation extension" \
2214 -c "=> renegotiate" \
2215 -s "=> renegotiate" \
2216 -S "write hello request"
2217
Hanno Becker6a243642017-10-12 15:18:45 +01002218requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02002219run_test "Renegotiation: DTLS, server-initiated" \
2220 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +02002221 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
2222 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02002223 0 \
2224 -c "client hello, adding renegotiation extension" \
2225 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2226 -s "found renegotiation extension" \
2227 -s "server hello, secure renegotiation extension" \
2228 -c "found renegotiation extension" \
2229 -c "=> renegotiate" \
2230 -s "=> renegotiate" \
2231 -s "write hello request"
2232
Hanno Becker6a243642017-10-12 15:18:45 +01002233requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +00002234run_test "Renegotiation: DTLS, renego_period overflow" \
2235 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
2236 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
2237 0 \
2238 -c "client hello, adding renegotiation extension" \
2239 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2240 -s "found renegotiation extension" \
2241 -s "server hello, secure renegotiation extension" \
2242 -s "record counter limit reached: renegotiate" \
2243 -c "=> renegotiate" \
2244 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +01002245 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +00002246
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00002247requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01002248requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +02002249run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
2250 "$G_SRV -u --mtu 4096" \
2251 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
2252 0 \
2253 -c "client hello, adding renegotiation extension" \
2254 -c "found renegotiation extension" \
2255 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002256 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +02002257 -C "error" \
2258 -s "Extra-header:"
2259
# Test for the "secure renegotiation" extension only (no actual renegotiation)
2261
Paul Bakker539d9722015-02-08 16:18:35 +01002262requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002263run_test "Renego ext: gnutls server strict, client default" \
2264 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
2265 "$P_CLI debug_level=3" \
2266 0 \
2267 -c "found renegotiation extension" \
2268 -C "error" \
2269 -c "HTTP/1.0 200 [Oo][Kk]"
2270
Paul Bakker539d9722015-02-08 16:18:35 +01002271requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002272run_test "Renego ext: gnutls server unsafe, client default" \
2273 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2274 "$P_CLI debug_level=3" \
2275 0 \
2276 -C "found renegotiation extension" \
2277 -C "error" \
2278 -c "HTTP/1.0 200 [Oo][Kk]"
2279
Paul Bakker539d9722015-02-08 16:18:35 +01002280requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002281run_test "Renego ext: gnutls server unsafe, client break legacy" \
2282 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2283 "$P_CLI debug_level=3 allow_legacy=-1" \
2284 1 \
2285 -C "found renegotiation extension" \
2286 -c "error" \
2287 -C "HTTP/1.0 200 [Oo][Kk]"
2288
Paul Bakker539d9722015-02-08 16:18:35 +01002289requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002290run_test "Renego ext: gnutls client strict, server default" \
2291 "$P_SRV debug_level=3" \
2292 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
2293 0 \
2294 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2295 -s "server hello, secure renegotiation extension"
2296
Paul Bakker539d9722015-02-08 16:18:35 +01002297requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002298run_test "Renego ext: gnutls client unsafe, server default" \
2299 "$P_SRV debug_level=3" \
2300 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2301 0 \
2302 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2303 -S "server hello, secure renegotiation extension"
2304
Paul Bakker539d9722015-02-08 16:18:35 +01002305requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01002306run_test "Renego ext: gnutls client unsafe, server break legacy" \
2307 "$P_SRV debug_level=3 allow_legacy=-1" \
2308 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2309 1 \
2310 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2311 -S "server hello, secure renegotiation extension"
2312
Janos Follath0b242342016-02-17 10:11:21 +00002313# Tests for silently dropping trailing extra bytes in .der certificates
2314
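# Baseline for the trailing-byte cases: the server loads the plain DER
# certificate and the GnuTLS client must report a completed handshake.
# The last argument deliberately carries no trailing backslash: a continuation
# onto the blank separator line would swallow the next statement if that blank
# line were ever removed.
requires_gnutls
run_test "DER format: no trailing bytes" \
    "$P_SRV crt_file=data_files/server5-der0.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"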
2322
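# The server loads a DER certificate file with one trailing zero byte (per the
# test name); the handshake with the GnuTLS client must still complete.
# NOTE(review): this only observes the peer's verdict. It does not show how
# the loader treats the extra byte; presumably it is dropped on load.
# The last argument deliberately carries no trailing backslash: a continuation
# onto the blank separator line would swallow the next statement if that blank
# line were ever removed.
requires_gnutls
run_test "DER format: with a trailing zero byte" \
    "$P_SRV crt_file=data_files/server5-der1a.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"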
2330
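# The server loads a DER certificate file with one trailing random byte (per
# the test name); the handshake with the GnuTLS client must still complete.
# The last argument deliberately carries no trailing backslash: a continuation
# onto the blank separator line would swallow the next statement if that blank
# line were ever removed.
requires_gnutls
run_test "DER format: with a trailing random byte" \
    "$P_SRV crt_file=data_files/server5-der1b.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"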
2338
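# The server loads a DER certificate file with 2 trailing random bytes (per
# the test name); the handshake with the GnuTLS client must still complete.
# The last argument deliberately carries no trailing backslash: a continuation
# onto the blank separator line would swallow the next statement if that blank
# line were ever removed.
requires_gnutls
run_test "DER format: with 2 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der2.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"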
2346
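# The server loads a DER certificate file with 4 trailing random bytes (per
# the test name); the handshake with the GnuTLS client must still complete.
# The last argument deliberately carries no trailing backslash: a continuation
# onto the blank separator line would swallow the next statement if that blank
# line were ever removed.
requires_gnutls
run_test "DER format: with 4 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der4.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"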
2354
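# The server loads a DER certificate file with 8 trailing random bytes (per
# the test name); the handshake with the GnuTLS client must still complete.
# The last argument deliberately carries no trailing backslash: a continuation
# onto the blank separator line would swallow the next statement if that blank
# line were ever removed.
requires_gnutls
run_test "DER format: with 8 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der8.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"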
2362
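# The server loads a DER certificate file with 9 trailing random bytes (per
# the test name); the handshake with the GnuTLS client must still complete.
# The last argument deliberately carries no trailing backslash: a continuation
# onto the blank separator line would swallow the next statement if that blank
# line were ever removed.
requires_gnutls
run_test "DER format: with 9 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der9.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"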
2370
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002371# Tests for auth_mode
2372
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002373run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002374 "$P_SRV crt_file=data_files/server5-badsign.crt \
2375 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002376 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002377 1 \
2378 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002379 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002380 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002381 -c "X509 - Certificate verification failed"
2382
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002383run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002384 "$P_SRV crt_file=data_files/server5-badsign.crt \
2385 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002386 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002387 0 \
2388 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002389 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002390 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002391 -C "X509 - Certificate verification failed"
2392
Hanno Beckere6706e62017-05-15 16:05:15 +01002393run_test "Authentication: server goodcert, client optional, no trusted CA" \
2394 "$P_SRV" \
2395 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2396 0 \
2397 -c "x509_verify_cert() returned" \
2398 -c "! The certificate is not correctly signed by the trusted CA" \
2399 -c "! Certificate verification flags"\
2400 -C "! mbedtls_ssl_handshake returned" \
2401 -C "X509 - Certificate verification failed" \
2402 -C "SSL - No CA Chain is set, but required to operate"
2403
2404run_test "Authentication: server goodcert, client required, no trusted CA" \
2405 "$P_SRV" \
2406 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2407 1 \
2408 -c "x509_verify_cert() returned" \
2409 -c "! The certificate is not correctly signed by the trusted CA" \
2410 -c "! Certificate verification flags"\
2411 -c "! mbedtls_ssl_handshake returned" \
2412 -c "SSL - No CA Chain is set, but required to operate"
2413
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
# the client informs the server about the supported curves - it does, though, in the
# corner case of a static ECDH suite, because the server doesn't check the curve on that
# occasion (to be fixed). Once that bug is fixed, these tests need to be altered to use a
# different means of making the server ignore the client's supported curve list.
2420
2421requires_config_enabled MBEDTLS_ECP_C
2422run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2423 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2424 crt_file=data_files/server5.ku-ka.crt" \
2425 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2426 1 \
2427 -c "bad certificate (EC key curve)"\
2428 -c "! Certificate verification flags"\
2429 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2430
2431requires_config_enabled MBEDTLS_ECP_C
2432run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2433 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2434 crt_file=data_files/server5.ku-ka.crt" \
2435 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2436 1 \
2437 -c "bad certificate (EC key curve)"\
2438 -c "! Certificate verification flags"\
2439 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2440
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002441run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +01002442 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002443 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002444 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002445 0 \
2446 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002447 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002448 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002449 -C "X509 - Certificate verification failed"
2450
Simon Butcher99000142016-10-13 17:21:01 +01002451run_test "Authentication: client SHA256, server required" \
2452 "$P_SRV auth_mode=required" \
2453 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2454 key_file=data_files/server6.key \
2455 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
2456 0 \
2457 -c "Supported Signature Algorithm found: 4," \
2458 -c "Supported Signature Algorithm found: 5,"
2459
2460run_test "Authentication: client SHA384, server required" \
2461 "$P_SRV auth_mode=required" \
2462 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2463 key_file=data_files/server6.key \
2464 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2465 0 \
2466 -c "Supported Signature Algorithm found: 4," \
2467 -c "Supported Signature Algorithm found: 5,"
2468
Gilles Peskinefd8332e2017-05-03 16:25:07 +02002469requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2470run_test "Authentication: client has no cert, server required (SSLv3)" \
2471 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2472 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2473 key_file=data_files/server5.key" \
2474 1 \
2475 -S "skip write certificate request" \
2476 -C "skip parse certificate request" \
2477 -c "got a certificate request" \
2478 -c "got no certificate to send" \
2479 -S "x509_verify_cert() returned" \
2480 -s "client has no certificate" \
2481 -s "! mbedtls_ssl_handshake returned" \
2482 -c "! mbedtls_ssl_handshake returned" \
2483 -s "No client certification received from the client, but required by the authentication mode"
2484
2485run_test "Authentication: client has no cert, server required (TLS)" \
2486 "$P_SRV debug_level=3 auth_mode=required" \
2487 "$P_CLI debug_level=3 crt_file=none \
2488 key_file=data_files/server5.key" \
2489 1 \
2490 -S "skip write certificate request" \
2491 -C "skip parse certificate request" \
2492 -c "got a certificate request" \
2493 -c "= write certificate$" \
2494 -C "skip write certificate$" \
2495 -S "x509_verify_cert() returned" \
2496 -s "client has no certificate" \
2497 -s "! mbedtls_ssl_handshake returned" \
2498 -c "! mbedtls_ssl_handshake returned" \
2499 -s "No client certification received from the client, but required by the authentication mode"
2500
# Client presents a certificate with a broken signature
# (server5-badsign.crt) to a server using auth_mode=required. Expected exit
# code 1: the server must run verification, flag the signature, fail its
# handshake with "X509 - Certificate verification failed" and send alert
# level=2 message=48 (fatal / unknown_ca in the TLS alert numbering).
# (-s/-c: must appear in server/client log; -S/-C: must not; per run_test,
# defined outside this excerpt.)
run_test    "Authentication: client badcert, server required" \
            "$P_SRV debug_level=3 auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -s "! mbedtls_ssl_handshake returned" \
            -s "send alert level=2 message=48" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
# before reading the alert message.

Janos Follath89baba22017-04-10 14:34:35 +01002522run_test "Authentication: client cert not trusted, server required" \
2523 "$P_SRV debug_level=3 auth_mode=required" \
2524 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2525 key_file=data_files/server5.key" \
2526 1 \
2527 -S "skip write certificate request" \
2528 -C "skip parse certificate request" \
2529 -c "got a certificate request" \
2530 -C "skip write certificate" \
2531 -C "skip write certificate verify" \
2532 -S "skip parse certificate verify" \
2533 -s "x509_verify_cert() returned" \
2534 -s "! The certificate is not correctly signed by the trusted CA" \
2535 -s "! mbedtls_ssl_handshake returned" \
2536 -c "! mbedtls_ssl_handshake returned" \
2537 -s "X509 - Certificate verification failed"
2538
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002539run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002540 "$P_SRV debug_level=3 auth_mode=optional" \
2541 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002542 key_file=data_files/server5.key" \
2543 0 \
2544 -S "skip write certificate request" \
2545 -C "skip parse certificate request" \
2546 -c "got a certificate request" \
2547 -C "skip write certificate" \
2548 -C "skip write certificate verify" \
2549 -S "skip parse certificate verify" \
2550 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002551 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002552 -S "! mbedtls_ssl_handshake returned" \
2553 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002554 -S "X509 - Certificate verification failed"
2555
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002556run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002557 "$P_SRV debug_level=3 auth_mode=none" \
2558 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002559 key_file=data_files/server5.key" \
2560 0 \
2561 -s "skip write certificate request" \
2562 -C "skip parse certificate request" \
2563 -c "got no certificate request" \
2564 -c "skip write certificate" \
2565 -c "skip write certificate verify" \
2566 -s "skip parse certificate verify" \
2567 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002568 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002569 -S "! mbedtls_ssl_handshake returned" \
2570 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002571 -S "X509 - Certificate verification failed"
2572
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002573run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002574 "$P_SRV debug_level=3 auth_mode=optional" \
2575 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002576 0 \
2577 -S "skip write certificate request" \
2578 -C "skip parse certificate request" \
2579 -c "got a certificate request" \
2580 -C "skip write certificate$" \
2581 -C "got no certificate to send" \
2582 -S "SSLv3 client has no certificate" \
2583 -c "skip write certificate verify" \
2584 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002585 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002586 -S "! mbedtls_ssl_handshake returned" \
2587 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002588 -S "X509 - Certificate verification failed"
2589
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002590run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002591 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002592 "$O_CLI" \
2593 0 \
2594 -S "skip write certificate request" \
2595 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002596 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002597 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002598 -S "X509 - Certificate verification failed"
2599
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002600run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002601 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002602 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002603 0 \
2604 -C "skip parse certificate request" \
2605 -c "got a certificate request" \
2606 -C "skip write certificate$" \
2607 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002608 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002609
Gilles Peskinefd8332e2017-05-03 16:25:07 +02002610run_test "Authentication: client no cert, openssl server required" \
2611 "$O_SRV -Verify 10" \
2612 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2613 1 \
2614 -C "skip parse certificate request" \
2615 -c "got a certificate request" \
2616 -C "skip write certificate$" \
2617 -c "skip write certificate verify" \
2618 -c "! mbedtls_ssl_handshake returned"
2619
Janos Follathe2681a42016-03-07 15:57:05 +00002620requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002621run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002622 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01002623 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002624 0 \
2625 -S "skip write certificate request" \
2626 -C "skip parse certificate request" \
2627 -c "got a certificate request" \
2628 -C "skip write certificate$" \
2629 -c "skip write certificate verify" \
2630 -c "got no certificate to send" \
2631 -s "SSLv3 client has no certificate" \
2632 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002633 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002634 -S "! mbedtls_ssl_handshake returned" \
2635 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002636 -S "X509 - Certificate verification failed"
2637
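# The "max_int chain" tests assume that MBEDTLS_X509_MAX_INTERMEDIATE_CA is
# set to its default value (8). The guard below reads the configured value
# through ../scripts/config.pl and aborts the whole script (exit 1) when it is
# set to something else, so that the chain-length tests never run against a
# limit they were not written for.
#
# The guard is skipped when config.pl prints nothing. It is also skipped when
# the value is not an integer, because the -ne test then returns a non-zero
# status; in that case the tests run unchecked.

MAX_IM_CA='8'
MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)

if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
    # Variables are passed as printf arguments, never inside the format
    # string, so a "%" or backslash in the config path cannot alter the output.
    printf '%s\n' "The ${CONFIG_H} file contains a value for the configuration of"
    printf '%s\n' "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s"
    printf '%s\n' "test value of ${MAX_IM_CA}. "
    printf '\n'
    printf '%s\n' "The tests assume this value and if it changes, the tests in this"
    printf '%s\n' "script should also be adjusted."
    printf '\n'

    exit 1
fi
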
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002656run_test "Authentication: server max_int chain, client default" \
2657 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2658 key_file=data_files/dir-maxpath/09.key" \
2659 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2660 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002661 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002662
2663run_test "Authentication: server max_int+1 chain, client default" \
2664 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2665 key_file=data_files/dir-maxpath/10.key" \
2666 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2667 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002668 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002669
2670run_test "Authentication: server max_int+1 chain, client optional" \
2671 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2672 key_file=data_files/dir-maxpath/10.key" \
2673 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2674 auth_mode=optional" \
2675 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002676 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002677
2678run_test "Authentication: server max_int+1 chain, client none" \
2679 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2680 key_file=data_files/dir-maxpath/10.key" \
2681 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2682 auth_mode=none" \
2683 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002684 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002685
2686run_test "Authentication: client max_int+1 chain, server default" \
2687 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2688 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2689 key_file=data_files/dir-maxpath/10.key" \
2690 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002691 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002692
2693run_test "Authentication: client max_int+1 chain, server optional" \
2694 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2695 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2696 key_file=data_files/dir-maxpath/10.key" \
2697 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002698 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002699
2700run_test "Authentication: client max_int+1 chain, server required" \
2701 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2702 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2703 key_file=data_files/dir-maxpath/10.key" \
2704 1 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002705 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002706
2707run_test "Authentication: client max_int chain, server required" \
2708 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2709 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2710 key_file=data_files/dir-maxpath/09.key" \
2711 0 \
Antonin Décimo8fd91562019-01-23 15:24:37 +01002712 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002713
Janos Follath89baba22017-04-10 14:34:35 +01002714# Tests for CA list in CertificateRequest messages
2715
2716run_test "Authentication: send CA list in CertificateRequest (default)" \
2717 "$P_SRV debug_level=3 auth_mode=required" \
2718 "$P_CLI crt_file=data_files/server6.crt \
2719 key_file=data_files/server6.key" \
2720 0 \
2721 -s "requested DN"
2722
2723run_test "Authentication: do not send CA list in CertificateRequest" \
2724 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2725 "$P_CLI crt_file=data_files/server6.crt \
2726 key_file=data_files/server6.key" \
2727 0 \
2728 -S "requested DN"
2729
2730run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2731 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2732 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2733 key_file=data_files/server5.key" \
2734 1 \
2735 -S "requested DN" \
2736 -s "x509_verify_cert() returned" \
2737 -s "! The certificate is not correctly signed by the trusted CA" \
2738 -s "! mbedtls_ssl_handshake returned" \
2739 -c "! mbedtls_ssl_handshake returned" \
2740 -s "X509 - Certificate verification failed"
2741
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +01002742# Tests for certificate selection based on SHA verson
2743
2744run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2745 "$P_SRV crt_file=data_files/server5.crt \
2746 key_file=data_files/server5.key \
2747 crt_file2=data_files/server5-sha1.crt \
2748 key_file2=data_files/server5.key" \
2749 "$P_CLI force_version=tls1_2" \
2750 0 \
2751 -c "signed using.*ECDSA with SHA256" \
2752 -C "signed using.*ECDSA with SHA1"
2753
2754run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2755 "$P_SRV crt_file=data_files/server5.crt \
2756 key_file=data_files/server5.key \
2757 crt_file2=data_files/server5-sha1.crt \
2758 key_file2=data_files/server5.key" \
2759 "$P_CLI force_version=tls1_1" \
2760 0 \
2761 -C "signed using.*ECDSA with SHA256" \
2762 -c "signed using.*ECDSA with SHA1"
2763
2764run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2765 "$P_SRV crt_file=data_files/server5.crt \
2766 key_file=data_files/server5.key \
2767 crt_file2=data_files/server5-sha1.crt \
2768 key_file2=data_files/server5.key" \
2769 "$P_CLI force_version=tls1" \
2770 0 \
2771 -C "signed using.*ECDSA with SHA256" \
2772 -c "signed using.*ECDSA with SHA1"
2773
2774run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2775 "$P_SRV crt_file=data_files/server5.crt \
2776 key_file=data_files/server5.key \
2777 crt_file2=data_files/server6.crt \
2778 key_file2=data_files/server6.key" \
2779 "$P_CLI force_version=tls1_1" \
2780 0 \
2781 -c "serial number.*09" \
2782 -c "signed using.*ECDSA with SHA256" \
2783 -C "signed using.*ECDSA with SHA1"
2784
2785run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2786 "$P_SRV crt_file=data_files/server6.crt \
2787 key_file=data_files/server6.key \
2788 crt_file2=data_files/server5.crt \
2789 key_file2=data_files/server5.key" \
2790 "$P_CLI force_version=tls1_1" \
2791 0 \
2792 -c "serial number.*0A" \
2793 -c "signed using.*ECDSA with SHA256" \
2794 -C "signed using.*ECDSA with SHA1"
2795
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002796# tests for SNI
2797
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002798run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002799 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002800 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002801 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002802 0 \
2803 -S "parse ServerName extension" \
2804 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2805 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002806
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002807run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002808 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002809 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002810 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002811 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002812 0 \
2813 -s "parse ServerName extension" \
2814 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2815 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002816
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002817run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002818 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002819 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002820 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002821 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002822 0 \
2823 -s "parse ServerName extension" \
2824 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2825 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002826
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002827run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002828 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002829 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002830 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002831 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002832 1 \
2833 -s "parse ServerName extension" \
2834 -s "ssl_sni_wrapper() returned" \
2835 -s "mbedtls_ssl_handshake returned" \
2836 -c "mbedtls_ssl_handshake returned" \
2837 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002838
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002839run_test "SNI: client auth no override: optional" \
2840 "$P_SRV debug_level=3 auth_mode=optional \
2841 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2842 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2843 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002844 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002845 -S "skip write certificate request" \
2846 -C "skip parse certificate request" \
2847 -c "got a certificate request" \
2848 -C "skip write certificate" \
2849 -C "skip write certificate verify" \
2850 -S "skip parse certificate verify"
2851
2852run_test "SNI: client auth override: none -> optional" \
2853 "$P_SRV debug_level=3 auth_mode=none \
2854 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2855 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2856 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002857 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002858 -S "skip write certificate request" \
2859 -C "skip parse certificate request" \
2860 -c "got a certificate request" \
2861 -C "skip write certificate" \
2862 -C "skip write certificate verify" \
2863 -S "skip parse certificate verify"
2864
2865run_test "SNI: client auth override: optional -> none" \
2866 "$P_SRV debug_level=3 auth_mode=optional \
2867 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2868 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2869 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002870 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002871 -s "skip write certificate request" \
2872 -C "skip parse certificate request" \
2873 -c "got no certificate request" \
2874 -c "skip write certificate" \
2875 -c "skip write certificate verify" \
2876 -s "skip parse certificate verify"
2877
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002878run_test "SNI: CA no override" \
2879 "$P_SRV debug_level=3 auth_mode=optional \
2880 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2881 ca_file=data_files/test-ca.crt \
2882 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2883 "$P_CLI debug_level=3 server_name=localhost \
2884 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2885 1 \
2886 -S "skip write certificate request" \
2887 -C "skip parse certificate request" \
2888 -c "got a certificate request" \
2889 -C "skip write certificate" \
2890 -C "skip write certificate verify" \
2891 -S "skip parse certificate verify" \
2892 -s "x509_verify_cert() returned" \
2893 -s "! The certificate is not correctly signed by the trusted CA" \
2894 -S "The certificate has been revoked (is on a CRL)"
2895
2896run_test "SNI: CA override" \
2897 "$P_SRV debug_level=3 auth_mode=optional \
2898 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2899 ca_file=data_files/test-ca.crt \
2900 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2901 "$P_CLI debug_level=3 server_name=localhost \
2902 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2903 0 \
2904 -S "skip write certificate request" \
2905 -C "skip parse certificate request" \
2906 -c "got a certificate request" \
2907 -C "skip write certificate" \
2908 -C "skip write certificate verify" \
2909 -S "skip parse certificate verify" \
2910 -S "x509_verify_cert() returned" \
2911 -S "! The certificate is not correctly signed by the trusted CA" \
2912 -S "The certificate has been revoked (is on a CRL)"
2913
2914run_test "SNI: CA override with CRL" \
2915 "$P_SRV debug_level=3 auth_mode=optional \
2916 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2917 ca_file=data_files/test-ca.crt \
2918 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2919 "$P_CLI debug_level=3 server_name=localhost \
2920 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2921 1 \
2922 -S "skip write certificate request" \
2923 -C "skip parse certificate request" \
2924 -c "got a certificate request" \
2925 -C "skip write certificate" \
2926 -C "skip write certificate verify" \
2927 -S "skip parse certificate verify" \
2928 -s "x509_verify_cert() returned" \
2929 -S "! The certificate is not correctly signed by the trusted CA" \
2930 -s "The certificate has been revoked (is on a CRL)"
2931
Andres AGe8b07742016-12-07 10:01:30 +00002932# Tests for SNI and DTLS
2933
Andres Amaya Garciaf9519bf2018-05-01 20:27:37 +01002934run_test "SNI: DTLS, no SNI callback" \
2935 "$P_SRV debug_level=3 dtls=1 \
2936 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
2937 "$P_CLI server_name=localhost dtls=1" \
2938 0 \
2939 -S "parse ServerName extension" \
2940 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2941 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2942
Andres Amaya Garcia914eea42018-05-01 20:26:47 +01002943run_test "SNI: DTLS, matching cert 1" \
Andres AGe8b07742016-12-07 10:01:30 +00002944 "$P_SRV debug_level=3 dtls=1 \
2945 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2946 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2947 "$P_CLI server_name=localhost dtls=1" \
2948 0 \
2949 -s "parse ServerName extension" \
2950 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2951 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2952
Andres Amaya Garciaf9519bf2018-05-01 20:27:37 +01002953run_test "SNI: DTLS, matching cert 2" \
2954 "$P_SRV debug_level=3 dtls=1 \
2955 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2956 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2957 "$P_CLI server_name=polarssl.example dtls=1" \
2958 0 \
2959 -s "parse ServerName extension" \
2960 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2961 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
2962
2963run_test "SNI: DTLS, no matching cert" \
2964 "$P_SRV debug_level=3 dtls=1 \
2965 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2966 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2967 "$P_CLI server_name=nonesuch.example dtls=1" \
2968 1 \
2969 -s "parse ServerName extension" \
2970 -s "ssl_sni_wrapper() returned" \
2971 -s "mbedtls_ssl_handshake returned" \
2972 -c "mbedtls_ssl_handshake returned" \
2973 -c "SSL - A fatal alert message was received from our peer"
2974
# SNI over DTLS: client-authentication mode and trusted CA chosen per server
# name. Judging by the values used below, an sni= entry reads
# name,crt,key,ca,crl,auth_mode, and "-" keeps the server-wide setting.
# Fourth run_test argument: expected client exit status. Lower-case -s/-c
# patterns must appear in the server/client log, upper-case -S/-C must not.

# Server-wide mode "optional", SNI entry leaves it alone: a certificate
# request is sent and the client answers it.
run_test    "SNI: DTLS, client auth no override: optional" \
            "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify"

# Server-wide mode "none" is raised to "optional" by the SNI entry, so the
# request must still be sent for this name.
run_test    "SNI: DTLS, client auth override: none -> optional" \
            "$P_SRV debug_level=3 auth_mode=none dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify"

# Server-wide mode "optional" is lowered to "none" by the SNI entry: no
# request goes out and the client sends no certificate.
run_test    "SNI: DTLS, client auth override: optional -> none" \
            "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1" \
            0 \
            -s "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got no certificate request" \
            -c "skip write certificate" \
            -c "skip write certificate verify" \
            -s "skip parse certificate verify"

# SNI entry requires client auth but keeps the server-wide CA (test-ca.crt):
# the server6 client certificate must be rejected as not signed by that CA.
run_test    "SNI: DTLS, CA no override" \
            "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             ca_file=data_files/test-ca.crt \
             sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1 \
             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -S "The certificate has been revoked (is on a CRL)"

# SNI entry swaps the CA to test-ca2.crt: the same client certificate now
# verifies and no verification error may be logged.
run_test    "SNI: DTLS, CA override" \
            "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             ca_file=data_files/test-ca.crt \
             sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1 \
             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -S "x509_verify_cert() returned" \
            -S "! The certificate is not correctly signed by the trusted CA" \
            -S "The certificate has been revoked (is on a CRL)"

# SNI entry swaps the CA and adds a CRL: the signature check passes but the
# certificate is reported revoked, so the handshake must fail.
run_test    "SNI: DTLS, CA override with CRL" \
            "$P_SRV debug_level=3 auth_mode=optional \
             crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
             ca_file=data_files/test-ca.crt \
             sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
            "$P_CLI debug_level=3 server_name=localhost dtls=1 \
             crt_file=data_files/server6.crt key_file=data_files/server6.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -S "! The certificate is not correctly signed by the trusted CA" \
            -s "The certificate has been revoked (is on a CRL)"
3067
# Non-blocking I/O (nbio=2 on both peers) across several handshake flows.
# Every case expects client exit status 0, no "mbedtls_ssl_handshake returned"
# error line on either side, and application data read back by the client.

# Plain handshake, no tickets, no client authentication.
run_test    "Non-blocking I/O: basic handshake" \
            "$P_SRV nbio=2 tickets=0 auth_mode=none" \
            "$P_CLI nbio=2 tickets=0" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -c "Read from server: .* bytes read"

# Server demands a client certificate.
run_test    "Non-blocking I/O: client auth" \
            "$P_SRV nbio=2 tickets=0 auth_mode=required" \
            "$P_CLI nbio=2 tickets=0" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -c "Read from server: .* bytes read"

# Session tickets enabled on both sides.
run_test    "Non-blocking I/O: ticket" \
            "$P_SRV nbio=2 tickets=1 auth_mode=none" \
            "$P_CLI nbio=2 tickets=1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -c "Read from server: .* bytes read"

# Session tickets together with mandatory client authentication.
run_test    "Non-blocking I/O: ticket + client auth" \
            "$P_SRV nbio=2 tickets=1 auth_mode=required" \
            "$P_CLI nbio=2 tickets=1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -c "Read from server: .* bytes read"

# As above, with the client reconnecting once (reconnect=1).
run_test    "Non-blocking I/O: ticket + client auth + resume" \
            "$P_SRV nbio=2 tickets=1 auth_mode=required" \
            "$P_CLI nbio=2 tickets=1 reconnect=1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -c "Read from server: .* bytes read"

# Tickets enabled, no client authentication, one reconnect.
run_test    "Non-blocking I/O: ticket + resume" \
            "$P_SRV nbio=2 tickets=1 auth_mode=none" \
            "$P_CLI nbio=2 tickets=1 reconnect=1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -c "Read from server: .* bytes read"

# Tickets disabled, one reconnect: resumption has to go through the session id.
run_test    "Non-blocking I/O: session-id resume" \
            "$P_SRV nbio=2 tickets=0 auth_mode=none" \
            "$P_CLI nbio=2 tickets=0 reconnect=1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -c "Read from server: .* bytes read"
3125
# Protocol version negotiation. min_version/max_version bound what each peer
# accepts; overlapping ranges must settle on the highest common version and
# disjoint ranges must abort the handshake instead of falling back.

# No limits on either side: both peers report TLS 1.2.
run_test    "Version check: all -> 1.2" \
            "$P_SRV" \
            "$P_CLI" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -s "Protocol is TLSv1.2" \
            -c "Protocol is TLSv1.2"

# Client caps at 1.1.
run_test    "Version check: cli max 1.1 -> 1.1" \
            "$P_SRV" \
            "$P_CLI max_version=tls1_1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

# Server caps at 1.1.
run_test    "Version check: srv max 1.1 -> 1.1" \
            "$P_SRV max_version=tls1_1" \
            "$P_CLI" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

# Both peers cap at 1.1.
run_test    "Version check: cli+srv max 1.1 -> 1.1" \
            "$P_SRV max_version=tls1_1" \
            "$P_CLI max_version=tls1_1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

# Client ceiling meets server floor at exactly 1.1.
run_test    "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
            "$P_SRV min_version=tls1_1" \
            "$P_CLI max_version=tls1_1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

# Client floor meets server ceiling at exactly 1.1.
run_test    "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
            "$P_SRV max_version=tls1_1" \
            "$P_CLI min_version=tls1_1" \
            0 \
            -S "mbedtls_ssl_handshake returned" \
            -C "mbedtls_ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

# Disjoint ranges, client floor above server ceiling: the client is the side
# that must log the min/max boundary error.
run_test    "Version check: cli min 1.2, srv max 1.1 -> fail" \
            "$P_SRV max_version=tls1_1" \
            "$P_CLI min_version=tls1_2" \
            1 \
            -s "mbedtls_ssl_handshake returned" \
            -c "mbedtls_ssl_handshake returned" \
            -c "SSL - Handshake protocol not within min/max boundaries"

# Disjoint ranges, server floor above client ceiling: here the server is the
# side that must log the boundary error.
run_test    "Version check: srv min 1.2, cli max 1.1 -> fail" \
            "$P_SRV min_version=tls1_2" \
            "$P_CLI max_version=tls1_1" \
            1 \
            -s "mbedtls_ssl_handshake returned" \
            -c "mbedtls_ssl_handshake returned" \
            -s "SSL - Handshake protocol not within min/max boundaries"
3197
# ALPN extension. alpn= gives each peer's protocol list. The alert pattern
# [2:120] is a fatal (level 2) no_application_protocol (120) alert, which
# may only show up when the two lists share no entry.

# Neither side offers ALPN: the extension is never written or parsed.
run_test    "ALPN: none" \
            "$P_SRV debug_level=3" \
            "$P_CLI debug_level=3" \
            0 \
            -C "client hello, adding alpn extension" \
            -S "found alpn extension" \
            -C "got an alert message, type: \\[2:120]" \
            -S "server hello, adding alpn extension" \
            -C "found alpn extension " \
            -C "Application Layer Protocol is" \
            -S "Application Layer Protocol is"

# Only the client offers: the server sees the extension but does not answer,
# and the client ends up with no protocol selected.
run_test    "ALPN: client only" \
            "$P_SRV debug_level=3" \
            "$P_CLI debug_level=3 alpn=abc,1234" \
            0 \
            -c "client hello, adding alpn extension" \
            -s "found alpn extension" \
            -C "got an alert message, type: \\[2:120]" \
            -S "server hello, adding alpn extension" \
            -C "found alpn extension " \
            -c "Application Layer Protocol is (none)" \
            -S "Application Layer Protocol is"

# Only the server is configured: nothing goes on the wire and the server
# reports no protocol.
run_test    "ALPN: server only" \
            "$P_SRV debug_level=3 alpn=abc,1234" \
            "$P_CLI debug_level=3" \
            0 \
            -C "client hello, adding alpn extension" \
            -S "found alpn extension" \
            -C "got an alert message, type: \\[2:120]" \
            -S "server hello, adding alpn extension" \
            -C "found alpn extension " \
            -C "Application Layer Protocol is" \
            -s "Application Layer Protocol is (none)"

# Identical lists: the first entry is selected on both sides.
run_test    "ALPN: both, common cli1-srv1" \
            "$P_SRV debug_level=3 alpn=abc,1234" \
            "$P_CLI debug_level=3 alpn=abc,1234" \
            0 \
            -c "client hello, adding alpn extension" \
            -s "found alpn extension" \
            -C "got an alert message, type: \\[2:120]" \
            -s "server hello, adding alpn extension" \
            -c "found alpn extension" \
            -c "Application Layer Protocol is abc" \
            -s "Application Layer Protocol is abc"

# Client lists the protocols in reverse order: the result is still "abc",
# i.e. the server's ordering decides.
run_test    "ALPN: both, common cli2-srv1" \
            "$P_SRV debug_level=3 alpn=abc,1234" \
            "$P_CLI debug_level=3 alpn=1234,abc" \
            0 \
            -c "client hello, adding alpn extension" \
            -s "found alpn extension" \
            -C "got an alert message, type: \\[2:120]" \
            -s "server hello, adding alpn extension" \
            -c "found alpn extension" \
            -c "Application Layer Protocol is abc" \
            -s "Application Layer Protocol is abc"

# Only the server's second entry is shared: "1234" is selected.
run_test    "ALPN: both, common cli1-srv2" \
            "$P_SRV debug_level=3 alpn=abc,1234" \
            "$P_CLI debug_level=3 alpn=1234,abcde" \
            0 \
            -c "client hello, adding alpn extension" \
            -s "found alpn extension" \
            -C "got an alert message, type: \\[2:120]" \
            -s "server hello, adding alpn extension" \
            -c "found alpn extension" \
            -c "Application Layer Protocol is 1234" \
            -s "Application Layer Protocol is 1234"

# No shared entry: the client must receive the fatal alert and the handshake
# must fail rather than continue without a protocol.
run_test    "ALPN: both, no common" \
            "$P_SRV debug_level=3 alpn=abc,123" \
            "$P_CLI debug_level=3 alpn=1234,abcde" \
            1 \
            -c "client hello, adding alpn extension" \
            -s "found alpn extension" \
            -c "got an alert message, type: \\[2:120]" \
            -S "server hello, adding alpn extension" \
            -C "found alpn extension" \
            -C "Application Layer Protocol is 1234" \
            -S "Application Layer Protocol is 1234"
3283
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +02003284
# keyUsage in leaf certificates, part 1: the server picks a ciphersuite that
# its own certificate's keyUsage permits, or fails if none is usable.
# The .ku-ds/.ku-ke/.ku-ka file suffixes are assumed to mean digitalSignature,
# keyEncipherment and keyAgreement, following the test names.

# RSA key limited to signing: only (EC)DHE-RSA suites may be negotiated.
run_test    "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
            "$P_SRV key_file=data_files/server2.key \
             crt_file=data_files/server2.ku-ds.crt" \
            "$P_CLI" \
            0 \
            -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"

# RSA key limited to encryption: only static-RSA key exchange fits.
run_test    "keyUsage srv: RSA, keyEncipherment -> RSA" \
            "$P_SRV key_file=data_files/server2.key \
             crt_file=data_files/server2.ku-ke.crt" \
            "$P_CLI" \
            0 \
            -c "Ciphersuite is TLS-RSA-WITH-"

# keyAgreement is of no use with an RSA key: no suite may be selected.
run_test    "keyUsage srv: RSA, keyAgreement -> fail" \
            "$P_SRV key_file=data_files/server2.key \
             crt_file=data_files/server2.ku-ka.crt" \
            "$P_CLI" \
            1 \
            -C "Ciphersuite is "

# EC key limited to signing: ECDHE-ECDSA.
run_test    "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
            "$P_SRV key_file=data_files/server5.key \
             crt_file=data_files/server5.ku-ds.crt" \
            "$P_CLI" \
            0 \
            -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"

# EC key limited to key agreement: a static ECDH suite.
run_test    "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
            "$P_SRV key_file=data_files/server5.key \
             crt_file=data_files/server5.ku-ka.crt" \
            "$P_CLI" \
            0 \
            -c "Ciphersuite is TLS-ECDH-"

# keyEncipherment is of no use with an EC key: no suite may be selected.
run_test    "keyUsage srv: ECDSA, keyEncipherment -> fail" \
            "$P_SRV key_file=data_files/server5.key \
             crt_file=data_files/server5.ku-ke.crt" \
            "$P_CLI" \
            1 \
            -C "Ciphersuite is "
3331
# keyUsage in leaf certificates, part 2: the client checks that the server
# certificate's keyUsage fits the forced ciphersuite. The peer is $O_SRV
# (presumably the OpenSSL server command; it is defined outside this excerpt).
# The "soft" cases run the client with auth_mode=optional: the handshake then
# completes despite the mismatch, and only the logged verify flag records it.

# Signing and encryption both allowed, static RSA: accepted.
run_test    "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
            "$O_SRV -key data_files/server2.key \
             -cert data_files/server2.ku-ds_ke.crt" \
            "$P_CLI debug_level=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-"

# Same certificate with DHE-RSA: accepted.
run_test    "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
            "$O_SRV -key data_files/server2.key \
             -cert data_files/server2.ku-ds_ke.crt" \
            "$P_CLI debug_level=1 \
             force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-"

# Encryption-only certificate with static RSA: accepted.
run_test    "keyUsage cli: KeyEncipherment, RSA: OK" \
            "$O_SRV -key data_files/server2.key \
             -cert data_files/server2.ku-ke.crt" \
            "$P_CLI debug_level=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-"

# Encryption-only certificate with DHE-RSA, which needs a signature: rejected.
run_test    "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
            "$O_SRV -key data_files/server2.key \
             -cert data_files/server2.ku-ke.crt" \
            "$P_CLI debug_level=1 \
             force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
            1 \
            -c "bad certificate (usage extensions)" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is TLS-"

# Same mismatch under auth_mode=optional: logged, but the handshake goes on.
run_test    "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
            "$O_SRV -key data_files/server2.key \
             -cert data_files/server2.ku-ke.crt" \
            "$P_CLI debug_level=1 auth_mode=optional \
             force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
            0 \
            -c "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-" \
            -c "! Usage does not match the keyUsage extension"

# Signing-only certificate with DHE-RSA: accepted.
run_test    "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
            "$O_SRV -key data_files/server2.key \
             -cert data_files/server2.ku-ds.crt" \
            "$P_CLI debug_level=1 \
             force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-"

# Signing-only certificate with static RSA, which needs encryption: rejected.
run_test    "keyUsage cli: DigitalSignature, RSA: fail" \
            "$O_SRV -key data_files/server2.key \
             -cert data_files/server2.ku-ds.crt" \
            "$P_CLI debug_level=1 \
             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
            1 \
            -c "bad certificate (usage extensions)" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is TLS-"

# Same mismatch under auth_mode=optional: logged, but the handshake goes on.
run_test    "keyUsage cli: DigitalSignature, RSA: fail, soft" \
            "$O_SRV -key data_files/server2.key \
             -cert data_files/server2.ku-ds.crt" \
            "$P_CLI debug_level=1 auth_mode=optional \
             force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
            0 \
            -c "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-" \
            -c "! Usage does not match the keyUsage extension"
3416
# keyUsage in leaf certificates, part 3: the server checks the client
# certificate. A client certificate has to be usable for signing. The peer is
# $O_CLI (presumably the OpenSSL client command; defined outside this excerpt).
# "soft" = server auth_mode=optional (mismatch logged, handshake continues);
# "hard" = auth_mode=required (mismatch aborts the handshake).

# RSA certificate allowed to sign: accepted.
run_test    "keyUsage cli-auth: RSA, DigitalSignature: OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_CLI -key data_files/server2.key \
             -cert data_files/server2.ku-ds.crt" \
            0 \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"

# RSA encryption-only certificate, optional auth: flagged, not fatal.
run_test    "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_CLI -key data_files/server2.key \
             -cert data_files/server2.ku-ke.crt" \
            0 \
            -s "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"

# Same certificate, required auth: the handshake must fail.
run_test    "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
            "$P_SRV debug_level=1 auth_mode=required" \
            "$O_CLI -key data_files/server2.key \
             -cert data_files/server2.ku-ke.crt" \
            1 \
            -s "bad certificate (usage extensions)" \
            -s "Processing of the Certificate handshake message failed"

# EC certificate allowed to sign: accepted.
run_test    "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_CLI -key data_files/server5.key \
             -cert data_files/server5.ku-ds.crt" \
            0 \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"

# EC key-agreement-only certificate, optional auth: flagged, not fatal.
# NOTE(review): no "hard" (auth_mode=required) counterpart exists for ECDSA
# in this group, unlike the RSA case above.
run_test    "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_CLI -key data_files/server5.key \
             -cert data_files/server5.ku-ka.crt" \
            0 \
            -s "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"
3459
# extendedKeyUsage, part 1: server-side certificate/suite selection.
# Only the client exit status is checked in this group; no log pattern is set.

# Server certificate carrying the serverAuth purpose: handshake succeeds.
run_test    "extKeyUsage srv: serverAuth -> OK" \
            "$P_SRV key_file=data_files/server5.key \
             crt_file=data_files/server5.eku-srv.crt" \
            "$P_CLI" \
            0
3467
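# Server certificate carrying both serverAuth and clientAuth: still usable
# as a server certificate.
# Fixture corrected: this case used server5.eku-srv.crt, the same file as
# "extKeyUsage srv: serverAuth -> OK", so the combined-purpose certificate
# was never exercised on the server side. server5.eku-srv_cli.crt is the
# file the matching client-side and client-auth cases use.
run_test    "extKeyUsage srv: serverAuth,clientAuth -> OK" \
            "$P_SRV key_file=data_files/server5.key \
             crt_file=data_files/server5.eku-srv_cli.crt" \
            "$P_CLI" \
            0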
3473
# Server certificate listing codeSign plus anyExtendedKeyUsage: the "any"
# purpose makes it acceptable for a server, so the handshake succeeds.
run_test    "extKeyUsage srv: codeSign,anyEKU -> OK" \
            "$P_SRV key_file=data_files/server5.key \
             crt_file=data_files/server5.eku-cs_any.crt" \
            "$P_CLI" \
            0
3479
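# Server certificate limited to codeSign: it must not be selected, so the
# client exits with status 1.
# Fixture corrected: the case is named codeSign but loaded
# server5.eku-cli.crt (the clientAuth certificate). server5.eku-cs.crt is the
# codeSign-only file used by "extKeyUsage cli: codeSign -> fail" and
# "extKeyUsage cli-auth: codeSign -> fail", so all three parts now reject the
# same certificate.
# NOTE(review): no log pattern pins the failure to the usage check; confirm
# the exit status alone is a sufficient signal here.
run_test    "extKeyUsage srv: codeSign -> fail" \
            "$P_SRV key_file=data_files/server5.key \
             crt_file=data_files/server5.eku-cs.crt" \
            "$P_CLI" \
            1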
3485
# extendedKeyUsage, part 2: the client checks the server certificate's
# purposes. The peer is $O_SRV (presumably the OpenSSL server command;
# defined outside this excerpt).

# serverAuth only: accepted.
run_test    "extKeyUsage cli: serverAuth -> OK" \
            "$O_SRV -key data_files/server5.key \
             -cert data_files/server5.eku-srv.crt" \
            "$P_CLI debug_level=1" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-"

# serverAuth and clientAuth together: accepted.
run_test    "extKeyUsage cli: serverAuth,clientAuth -> OK" \
            "$O_SRV -key data_files/server5.key \
             -cert data_files/server5.eku-srv_cli.crt" \
            "$P_CLI debug_level=1" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-"

# codeSign plus anyExtendedKeyUsage: accepted because of the "any" purpose.
run_test    "extKeyUsage cli: codeSign,anyEKU -> OK" \
            "$O_SRV -key data_files/server5.key \
             -cert data_files/server5.eku-cs_any.crt" \
            "$P_CLI debug_level=1" \
            0 \
            -C "bad certificate (usage extensions)" \
            -C "Processing of the Certificate handshake message failed" \
            -c "Ciphersuite is TLS-"

# codeSign only: the client must refuse the certificate before any
# ciphersuite is reported.
run_test    "extKeyUsage cli: codeSign -> fail" \
            "$O_SRV -key data_files/server5.key \
             -cert data_files/server5.eku-cs.crt" \
            "$P_CLI debug_level=1" \
            1 \
            -c "bad certificate (usage extensions)" \
            -c "Processing of the Certificate handshake message failed" \
            -C "Ciphersuite is TLS-"
3523
# extendedKeyUsage, part 3: the server checks the client certificate's
# purposes. The peer is $O_CLI (presumably the OpenSSL client command;
# defined outside this excerpt). "soft" = auth_mode=optional, where the
# mismatch is logged and the handshake continues; "hard" = auth_mode=required,
# where it aborts.

# clientAuth only: accepted.
run_test    "extKeyUsage cli-auth: clientAuth -> OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_CLI -key data_files/server5.key \
             -cert data_files/server5.eku-cli.crt" \
            0 \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"

# serverAuth and clientAuth together: accepted.
run_test    "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_CLI -key data_files/server5.key \
             -cert data_files/server5.eku-srv_cli.crt" \
            0 \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"

# codeSign plus anyExtendedKeyUsage: accepted because of the "any" purpose.
run_test    "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_CLI -key data_files/server5.key \
             -cert data_files/server5.eku-cs_any.crt" \
            0 \
            -S "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"

# codeSign only, optional auth: flagged in the server log, not fatal.
run_test    "extKeyUsage cli-auth: codeSign -> fail (soft)" \
            "$P_SRV debug_level=1 auth_mode=optional" \
            "$O_CLI -key data_files/server5.key \
             -cert data_files/server5.eku-cs.crt" \
            0 \
            -s "bad certificate (usage extensions)" \
            -S "Processing of the Certificate handshake message failed"

# codeSign only, required auth: the handshake must fail.
run_test    "extKeyUsage cli-auth: codeSign -> fail (hard)" \
            "$P_SRV debug_level=1 auth_mode=required" \
            "$O_CLI -key data_files/server5.key \
             -cert data_files/server5.eku-cs.crt" \
            1 \
            -s "bad certificate (usage extensions)" \
            -s "Processing of the Certificate handshake message failed"
3565
# Loading of Diffie-Hellman parameters on the server. The client's debug
# output is used to read back the size of the prime P and generator G that
# the server actually sent.

# Server defaults: a 2048-bit prime with a 2-bit generator.
run_test    "DHM parameters: reference" \
            "$P_SRV" \
            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
             debug_level=3" \
            0 \
            -c "value of 'DHM: P ' (2048 bits)" \
            -c "value of 'DHM: G ' (2 bits)"

# Parameters taken from dhm_file: the client must see the 1024-bit prime
# from data_files/dhparams.pem instead of the default.
run_test    "DHM parameters: other parameters" \
            "$P_SRV dhm_file=data_files/dhparams.pem" \
            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
             debug_level=3" \
            0 \
            -c "value of 'DHM: P ' (1024 bits)" \
            -c "value of 'DHM: G ' (2 bits)"
3583
# Tests for DHM client-side size checking
#
# dhmlen looks like the client's minimum accepted DH prime size in bits.
# NOTE(review): inferred from the cases below; the option is parsed by the
# client program, outside this excerpt. This check is what keeps a client
# from completing a handshake over an undersized group chosen by the server.
# Taken together the cases pin the server default at 2048 bits (2048 is
# accepted, 2049 is not) and the client default minimum somewhere above 1000
# and at most 1024 bits.

run_test "DHM size: server default, client default, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server default, client 2048, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1 dhmlen=2048" \
    0 \
    -C "DHM prime too short:"

# A 1024-bit server prime still passes the client's default minimum.
run_test "DHM size: server 1024, client default, OK" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    0 \
    -C "DHM prime too short:"

# A 1000-bit prime falls below the default minimum: the client must abort
# and log the reason.
run_test "DHM size: server 1000, client default, rejected" \
    "$P_SRV dhm_file=data_files/dh.1000.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    1 \
    -c "DHM prime too short:"

# Boundary case: a minimum one bit above the server's prime size is enough
# to reject it.
run_test "DHM size: server default, client 2049, rejected" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1 dhmlen=2049" \
    1 \
    -c "DHM prime too short:"

# Tests for PSK callback
#
# psk_list appears to hold identity,key pairs (abc -> dead, def -> beef)
# served through the PSK callback, while psk/psk_identity configure a single
# static key. NOTE(review): inferred from the matching cases below; the
# options are parsed by the server program, outside this excerpt.
# Every case checks the same three server-side messages, which separate the
# failure modes: no usable PSK suite, unknown identity, and wrong key
# (reported as a MAC verification failure).
# The keys used here are short test values, not a sizing example.

# Static key on both sides, no callback: handshake succeeds.
run_test "PSK callback: psk, no callback" \
    "$P_SRV psk=abc123 psk_identity=foo" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Server has no PSK at all: the PSK suite is not usable and negotiation
# fails before any identity is looked up.
run_test "PSK callback: no psk, no callback" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    1 \
    -s "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Both a static key and a list are configured: identity "foo" matches the
# static settings but is still rejected as unknown, so the list (callback)
# takes precedence over the static key.
run_test "PSK callback: callback overrides other settings" \
    "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: first id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=abc psk=dead" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: second id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=def psk=beef" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Identity not in the list, even though the key value exists for another
# identity: rejected as unknown identity.
run_test "PSK callback: no match" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=ghi psk=beef" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Known identity paired with another identity's key: the identity lookup
# succeeds and the mismatch only surfaces as a MAC failure.
run_test "PSK callback: wrong key" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=abc psk=beef" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -s "SSL - Verification of the message MAC failed"

# Tests for EC J-PAKE
#
# c0ff in the "add ciphersuite" trace is presumably the identifier of
# TLS-ECJPAKE-WITH-AES-128-CCM-8, the only suite forced in these cases
# (confirm against the ciphersuite table). requires_config_enabled is defined
# outside this excerpt; it presumably skips the next test when the named
# option is not enabled in the build.
# ecjpake_pw=bla is a test password. The mismatch cases show that a wrong
# password is not reported as such: it surfaces as a MAC verification
# failure on the server.

# Neither side configured: no trace of the suite or of the kkpp extension,
# and the handshake completes with another suite.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: client not configured" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -C "add ciphersuite: c0ff" \
    -C "adding ecjpake_kkpp extension" \
    -S "found ecjpake kkpp extension" \
    -S "skip ecjpake kkpp extension" \
    -S "ciphersuite mismatch: ecjpake not configured" \
    -S "server hello, ecjpake kkpp extension" \
    -C "found ecjpake_kkpp extension" \
    -S "None of the common ciphersuites is usable"

# Client offers EC J-PAKE, server has no password: the server sees and skips
# the extension, refuses the suite and the handshake fails.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: server not configured" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 ecjpake_pw=bla \
     force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -c "add ciphersuite: c0ff" \
    -c "adding ecjpake_kkpp extension" \
    -s "found ecjpake kkpp extension" \
    -s "skip ecjpake kkpp extension" \
    -s "ciphersuite mismatch: ecjpake not configured" \
    -S "server hello, ecjpake kkpp extension" \
    -C "found ecjpake_kkpp extension" \
    -s "None of the common ciphersuites is usable"

# Matching passwords over TLS: full extension exchange in both directions.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, TLS" \
    "$P_SRV debug_level=3 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 ecjpake_pw=bla \
     force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -c "add ciphersuite: c0ff" \
    -c "adding ecjpake_kkpp extension" \
    -C "re-using cached ecjpake parameters" \
    -s "found ecjpake kkpp extension" \
    -S "skip ecjpake kkpp extension" \
    -S "ciphersuite mismatch: ecjpake not configured" \
    -s "server hello, ecjpake kkpp extension" \
    -c "found ecjpake_kkpp extension" \
    -S "None of the common ciphersuites is usable" \
    -S "SSL - Verification of the message MAC failed"

# server_needs_more_time is defined outside this excerpt; presumably it
# extends how long the harness waits for the server in the next test.
server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: password mismatch, TLS" \
    "$P_SRV debug_level=3 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 ecjpake_pw=bad \
     force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -C "re-using cached ecjpake parameters" \
    -s "SSL - Verification of the message MAC failed"

# DTLS with the default cookie setting: the client is expected to log that
# it re-uses its cached parameters (presumably for the second ClientHello
# that follows the cookie exchange).
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
     force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -c "re-using cached ecjpake parameters" \
    -S "SSL - Verification of the message MAC failed"

# cookies=0 on the server: no parameter re-use may be logged.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS, no cookie" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
     force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -C "re-using cached ecjpake parameters" \
    -S "SSL - Verification of the message MAC failed"

server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: password mismatch, DTLS" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
     force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -c "re-using cached ecjpake parameters" \
    -s "SSL - Verification of the message MAC failed"

# for tests with configs/config-thread.h
# This variant sets no debug_level and checks only the exit status, so it
# does not depend on any debug output being available.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS, nolog" \
    "$P_SRV dtls=1 ecjpake_pw=bla" \
    "$P_CLI dtls=1 ecjpake_pw=bla \
     force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0

# Tests for ciphersuites per version
#
# version_suites takes four suites; the expected results below show them
# being applied in the order SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2. Each case
# forces one protocol version on the client and checks that the suite for
# that version is the one selected.

# SSL 3.0 is reachable only because the server lowers min_version and the
# build enables MBEDTLS_SSL_PROTO_SSL3; the protocol is deprecated by
# RFC 7568 and is exercised here for coverage only.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: SSL3" \
    "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=ssl3" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"

# NOTE(review): arc4=1 on the client looks unnecessary, since no RC4 suite
# is in the server's list; confirm before removing.
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.0" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1 arc4=1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.1" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.2" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_2" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"

# Test for ClientHello without extensions
#
# A GnuTLS client is told to send no extensions. %DISABLE_SAFE_RENEGOTIATION
# is presumably needed so that no renegotiation_info extension is sent
# either. The server must parse the extension-less hello (it logs a 0-byte
# extensions block) and still complete the handshake.
requires_gnutls
run_test "ClientHello without extensions" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
    0 \
    -s "dumping 'client hello extensions' (0 bytes)"

# Tests for mbedtls_ssl_get_bytes_avail()

# 100-byte request: the server line has to end right after "bytes read"
# (the pattern is anchored with $), i.e. no "(...)" suffix is printed.
run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
    "$P_SRV" \
    "$P_CLI request_size=100" \
    0 \
    -s "Read from client: 100 bytes read$"

# 500-byte request: the server line must carry a parenthesised "x+y" suffix.
# NOTE(review): presumably the split between the bytes returned by the read
# and the bytes still pending; confirm in the server program.
run_test "mbedtls_ssl_get_bytes_avail: extra data" \
    "$P_SRV" \
    "$P_CLI request_size=500" \
    0 \
    -s "Read from client: 500 bytes read (.*+.*)"

# Tests for small client packets
#
# The client sends a 1-byte application request (request_size=1) and the
# server must report having read exactly that. A minimal payload exercises
# the padding, MAC and tag handling of the record layer at its lower bound.

# SSLv3 cases: the protocol has to be enabled in the build and allowed on the
# server with min_version=ssl3. SSLv3 (RFC 7568) and RC4 (RFC 7465) are
# deprecated and are enabled here, via min_version and arc4=1, for coverage
# only.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small client packet SSLv3 BlockCipher" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI request_size=1 force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small client packet SSLv3 StreamCipher" \
    "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

# Small client packets, TLS 1.0: a 1-byte request over a CBC block cipher and
# over RC4, each with and without encrypt-then-MAC (etm=0 on the client) and
# with and without truncated HMAC (trunc_hmac=1 on both sides, gated on
# MBEDTLS_SSL_TRUNCATED_HMAC).
# RC4 has to be switched on explicitly with arc4=1 on the server; it is a
# legacy cipher (RFC 7465) kept here for coverage only.
# NOTE(review): encrypt-then-MAC (RFC 7366) applies to CBC suites, so etm=0
# presumably changes nothing on the wire in the StreamCipher cases; they
# still cover the option combination.

run_test "Small client packet TLS 1.0 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 etm=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
     trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

# Small client packets, TLS 1.1: a 1-byte request over a CBC block cipher and
# over RC4, each with and without encrypt-then-MAC (etm=0 on the client) and
# with and without truncated HMAC (trunc_hmac=1 on both sides, gated on
# MBEDTLS_SSL_TRUNCATED_HMAC).
# RC4 has to be switched on explicitly with arc4=1 on the server; it is a
# legacy cipher (RFC 7465) kept here for coverage only.

run_test "Small client packet TLS 1.1 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

# Small client packets, TLS 1.2: a 1-byte request over a CBC block cipher
# (SHA-1 and SHA-384 MAC), over RC4 and over AEAD (CCM with the full tag and
# with the shorter CCM-8 tag). The CBC and RC4 cases are repeated without
# encrypt-then-MAC (etm=0 on the client) and with truncated HMAC
# (trunc_hmac=1 on both sides, gated on MBEDTLS_SSL_TRUNCATED_HMAC).
# RC4 has to be switched on explicitly with arc4=1 on the server; it is a
# legacy cipher (RFC 7465) kept here for coverage only.

run_test "Small client packet TLS 1.2 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 AEAD" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 AEAD shorter tag" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
    0 \
    -s "Read from client: 1 bytes read"

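# Tests for small client packets in DTLS
#
# A 1-byte request over DTLS 1.0 (forced on the server with
# force_version=dtls1) using a CBC suite, with and without encrypt-then-MAC
# and truncated HMAC. In these cases etm=0 is set on the server side.
# Every case is gated on MBEDTLS_SSL_PROTO_DTLS; the truncated-HMAC cases
# additionally on MBEDTLS_SSL_TRUNCATED_HMAC.

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.0" \
    "$P_SRV dtls=1 force_version=dtls1" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.0, without EtM" \
    "$P_SRV dtls=1 force_version=dtls1 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.0, truncated hmac" \
    "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
    "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

# The client command's closing quote is kept apart from the line
# continuation by a space, so the next argument can never be glued onto it
# regardless of how the following line is indented.
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
    "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"
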
4096requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekd731a632018-06-19 09:37:30 -04004097run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +00004098 "$P_SRV dtls=1 force_version=dtls1_2" \
4099 "$P_CLI dtls=1 request_size=1 \
4100 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4101 0 \
4102 -s "Read from client: 1 bytes read"
4103
4104requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekd731a632018-06-19 09:37:30 -04004105run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004106 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +00004107 "$P_CLI dtls=1 request_size=1 \
4108 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4109 0 \
4110 -s "Read from client: 1 bytes read"
4111
4112requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4113requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004114run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004115 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +00004116 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004117 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +00004118 0 \
4119 -s "Read from client: 1 bytes read"
4120
4121requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4122requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004123run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004124 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +00004125 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004126 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +00004127 0 \
4128 -s "Read from client: 1 bytes read"
4129
# Tests for small server packets
#
# Mirror of the small-client-packet tests: here the server is asked for a
# one-byte response (response_size=1) and the check moves to the client log
# (-c "Read from server: 1 bytes read").
#
# SSLv3 variants: both are skipped unless MBEDTLS_SSL_PROTO_SSL3 is enabled,
# and the server has to lower its floor explicitly with min_version=ssl3.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small server packet SSLv3 BlockCipher" \
    "$P_SRV response_size=1 min_version=ssl3" \
    "$P_CLI force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

# RC4 needs arc4=1 on the server in addition to the forced ciphersuite.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small server packet SSLv3 StreamCipher" \
    "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "Read from server: 1 bytes read"
# Small server packets, TLS 1.0: one-byte server response, checked in the
# client log. The matrix is {AES-256-CBC, RC4} x {default, etm=0} x
# {full MAC, trunc_hmac=1}; the truncated-MAC rows are skipped unless
# MBEDTLS_SSL_TRUNCATED_HMAC is enabled.
# NOTE(review): EtM (RFC 7366) is specified for CBC suites only, so the
# etm=0 rows on RC4 presumably exercise the same record protection as the
# default rows. Confirm whether they are kept for symmetry.

run_test "Small server packet TLS 1.0 BlockCipher" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1 etm=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
    "$P_SRV response_size=1 trunc_hmac=1" \
    "$P_CLI force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV response_size=1 trunc_hmac=1" \
    "$P_CLI force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.0 StreamCipher" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
     trunc_hmac=1 etm=0" \
    0 \
    -c "Read from server: 1 bytes read"
# Small server packets, TLS 1.1: same matrix as for TLS 1.0, with the client
# forcing tls1_1. Pass condition is the one-byte read in the client log.
# Truncated-MAC rows require MBEDTLS_SSL_TRUNCATED_HMAC.

run_test "Small server packet TLS 1.1 BlockCipher" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
    "$P_SRV response_size=1 trunc_hmac=1" \
    "$P_CLI force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV response_size=1 trunc_hmac=1" \
    "$P_CLI force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.1 StreamCipher" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "Read from server: 1 bytes read"
# Small server packets, TLS 1.2: one-byte server response, client forces
# tls1_2. Beyond the CBC/RC4 x EtM x truncated-MAC matrix this version also
# covers a CBC suite with a SHA-384 MAC ("larger MAC") and two AEAD suites
# (AES-256-CCM and the 8-byte-tag CCM-8).

run_test "Small server packet TLS 1.2 BlockCipher" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
    "$P_SRV response_size=1 trunc_hmac=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV response_size=1 trunc_hmac=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.2 StreamCipher" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.2 AEAD" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
    0 \
    -c "Read from server: 1 bytes read"

run_test "Small server packet TLS 1.2 AEAD shorter tag" \
    "$P_SRV response_size=1" \
    "$P_CLI force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
    0 \
    -c "Read from server: 1 bytes read"
# Tests for small server packets in DTLS
#
# One-byte server response (response_size=1) over DTLS 1.0 and 1.2 with
# AES-256-CBC-SHA; the client log must show the one-byte read. As written,
# version pinning and etm=0 are applied on the server side in this group.
# All tests need MBEDTLS_SSL_PROTO_DTLS; truncated-MAC variants also need
# MBEDTLS_SSL_TRUNCATED_HMAC.

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small server packet DTLS 1.0" \
    "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
    "$P_CLI dtls=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small server packet DTLS 1.0, without EtM" \
    "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
    "$P_CLI dtls=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet DTLS 1.0, truncated hmac" \
    "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
    "$P_CLI dtls=1 trunc_hmac=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
    "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
    "$P_CLI dtls=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small server packet DTLS 1.2" \
    "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
    "$P_CLI dtls=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small server packet DTLS 1.2, without EtM" \
    "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
    "$P_CLI dtls=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet DTLS 1.2, truncated hmac" \
    "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
    "$P_CLI dtls=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
    "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
    "$P_CLI dtls=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -c "Read from server: 1 bytes read"
# A test for extensions in SSLv3
#
# The client forces SSLv3 while asking for features that are carried in
# hello extensions (tickets=1, max_frag_len=4096, alpn=abc,1234). The
# handshake must still succeed (exit code 0), and the two -S patterns must
# NOT appear in the server log: the server neither dumps client hello
# extensions nor reports a server hello extension length.
# debug_level=3 on the server is presumably what would make those messages
# show up if the extension paths were taken. Confirm against the debug
# levels used in the library.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "SSLv3 with extensions, server side" \
    "$P_SRV min_version=ssl3 debug_level=3" \
    "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
    0 \
    -S "dumping 'client hello extensions'" \
    -S "server hello, total extension length:"
# Test for large client packets
#
# The client writes 16384 bytes (2^14, the maximum TLS plaintext fragment
# length) in one call. Two things are checked: the client reports
# "16384 bytes written in 1 fragments" (-c) and the server reports reading
# all 16384 bytes (-s).
#
# SSLv3 variants, gated on MBEDTLS_SSL_PROTO_SSL3.
# NOTE(review): recsplit=0 on the CBC test presumably switches off 1/n-1
# record splitting so that the single-fragment assertion can hold. Record
# splitting is a countermeasure for CBC in SSLv3/TLS 1.0, so this reads as a
# test-only setting. Confirm against the client's option list.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large client packet SSLv3 BlockCipher" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large client packet SSLv3 StreamCipher" \
    "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"
# Large client packets, TLS 1.0: 16384-byte client write, server must read
# all of it. The CBC rows pass recsplit=0 to the client (presumably to turn
# off 1/n-1 record splitting, which would otherwise split the write on
# TLS 1.0 CBC. Confirm).
# NOTE(review): only some rows also assert the client-side
# "16384 bytes written in 1 fragments"; the rows without that -c check only
# prove the server eventually read 16384 bytes, not that it arrived as one
# record. Consider making the assertion uniform.

run_test "Large client packet TLS 1.0 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.0 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"
# Large client packets, TLS 1.1: 16384-byte client write with the client
# forcing tls1_1. No recsplit option is passed in this group.
# NOTE(review): the client-side "16384 bytes written in 1 fragments" check
# is present on some rows and absent on others; rows without it only verify
# the total the server read. Consider making the assertion uniform.

run_test "Large client packet TLS 1.1 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.1 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"
# Large client packets, TLS 1.2: 16384-byte client write with the client
# forcing tls1_2, over CBC (SHA-1 and SHA-384 MAC), RC4 and AEAD
# (AES-256-CCM, CCM-8) suites.
# NOTE(review): as elsewhere in the large-packet tests, the client-side
# "16384 bytes written in 1 fragments" check is not applied to every row;
# rows without it only verify the byte total seen by the server. Consider
# making the assertion uniform.

run_test "Large client packet TLS 1.2 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.2 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.2 AEAD" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.2 AEAD shorter tag" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"
# Tests for ECC extensions (RFC 4492)
#
# These cases pin when the supported_elliptic_curves and
# supported_point_formats extensions appear in the hello messages: they must
# be absent (-C/-S patterns) when the forced ciphersuite uses RSA key exchange
# and present (-c/-s patterns) when it uses ECDHE-ECDSA.

# Client restricted to a non-ECC suite: the client must not add either ECC
# extension and the server must not find them.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test    "Force a non ECC ciphersuite in the client side" \
            "$P_SRV debug_level=3" \
            "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
            0 \
            -C "client hello, adding supported_elliptic_curves extension" \
            -C "client hello, adding supported_point_formats extension" \
            -S "found supported elliptic curves extension" \
            -S "found supported point formats extension"

# Server restricted to a non-ECC suite: the server hello must not carry
# supported_point_formats and the client must not find it.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test    "Force a non ECC ciphersuite in the server side" \
            "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
            "$P_CLI debug_level=3" \
            0 \
            -C "found supported_point_formats extension" \
            -S "server hello, supported_point_formats extension"

# Client restricted to an ECC suite: both extensions must be sent by the
# client and found by the server.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test    "Force an ECC ciphersuite in the client side" \
            "$P_SRV debug_level=3" \
            "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
            0 \
            -c "client hello, adding supported_elliptic_curves extension" \
            -c "client hello, adding supported_point_formats extension" \
            -s "found supported elliptic curves extension" \
            -s "found supported point formats extension"

# Server restricted to an ECC suite: the server hello must carry
# supported_point_formats and the client must find it.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test    "Force an ECC ciphersuite in the server side" \
            "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
            "$P_CLI debug_level=3" \
            0 \
            -c "found supported_point_formats extension" \
            -s "server hello, supported_point_formats extension"
4713
Andrzej Kurek557335e2018-06-28 04:03:10 -04004714# Test for large server packets
Andrzej Kurek557335e2018-06-28 04:03:10 -04004715requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4716run_test "Large server packet SSLv3 StreamCipher" \
4717 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4718 "$P_CLI force_version=ssl3 \
4719 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4720 0 \
4721 -c "Read from server: 16384 bytes read"
4722
Andrzej Kurekc8958212018-08-27 08:00:13 -04004723# Checking next 4 tests logs for 1n-1 split against BEAST too
4724requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4725run_test "Large server packet SSLv3 BlockCipher" \
4726 "$P_SRV response_size=16384 min_version=ssl3" \
4727 "$P_CLI force_version=ssl3 recsplit=0 \
4728 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4729 0 \
4730 -c "Read from server: 1 bytes read"\
4731 -c "16383 bytes read"\
4732 -C "Read from server: 16384 bytes read"
4733
Andrzej Kurek557335e2018-06-28 04:03:10 -04004734run_test "Large server packet TLS 1.0 BlockCipher" \
4735 "$P_SRV response_size=16384" \
4736 "$P_CLI force_version=tls1 recsplit=0 \
4737 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4738 0 \
4739 -c "Read from server: 1 bytes read"\
4740 -c "16383 bytes read"\
4741 -C "Read from server: 16384 bytes read"
4742
Andrzej Kurekd731a632018-06-19 09:37:30 -04004743run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
4744 "$P_SRV response_size=16384" \
4745 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
4746 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4747 0 \
4748 -c "Read from server: 1 bytes read"\
4749 -c "16383 bytes read"\
4750 -C "Read from server: 16384 bytes read"
4751
Andrzej Kurek557335e2018-06-28 04:03:10 -04004752requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4753run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
4754 "$P_SRV response_size=16384" \
4755 "$P_CLI force_version=tls1 recsplit=0 \
4756 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4757 trunc_hmac=1" \
4758 0 \
4759 -c "Read from server: 1 bytes read"\
4760 -c "16383 bytes read"\
4761 -C "Read from server: 16384 bytes read"
4762
4763requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4764run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
4765 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4766 "$P_CLI force_version=tls1 \
4767 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4768 trunc_hmac=1" \
4769 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004770 -s "16384 bytes written in 1 fragments" \
4771 -c "Read from server: 16384 bytes read"
4772
4773run_test "Large server packet TLS 1.0 StreamCipher" \
4774 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4775 "$P_CLI force_version=tls1 \
4776 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4777 0 \
4778 -s "16384 bytes written in 1 fragments" \
4779 -c "Read from server: 16384 bytes read"
4780
4781run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
4782 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4783 "$P_CLI force_version=tls1 \
4784 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4785 0 \
4786 -s "16384 bytes written in 1 fragments" \
4787 -c "Read from server: 16384 bytes read"
4788
4789requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4790run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
4791 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4792 "$P_CLI force_version=tls1 \
4793 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4794 0 \
4795 -s "16384 bytes written in 1 fragments" \
4796 -c "Read from server: 16384 bytes read"
4797
4798requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4799run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4800 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4801 "$P_CLI force_version=tls1 \
4802 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4803 0 \
4804 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004805 -c "Read from server: 16384 bytes read"
4806
4807run_test "Large server packet TLS 1.1 BlockCipher" \
4808 "$P_SRV response_size=16384" \
4809 "$P_CLI force_version=tls1_1 \
4810 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4811 0 \
4812 -c "Read from server: 16384 bytes read"
4813
Andrzej Kurekd731a632018-06-19 09:37:30 -04004814run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
4815 "$P_SRV response_size=16384" \
4816 "$P_CLI force_version=tls1_1 etm=0 \
4817 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004818 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004819 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004820 -c "Read from server: 16384 bytes read"
4821
4822requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4823run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
4824 "$P_SRV response_size=16384" \
4825 "$P_CLI force_version=tls1_1 \
4826 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4827 trunc_hmac=1" \
4828 0 \
4829 -c "Read from server: 16384 bytes read"
4830
4831requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004832run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4833 "$P_SRV response_size=16384 trunc_hmac=1" \
4834 "$P_CLI force_version=tls1_1 \
4835 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4836 0 \
4837 -s "16384 bytes written in 1 fragments" \
4838 -c "Read from server: 16384 bytes read"
4839
4840run_test "Large server packet TLS 1.1 StreamCipher" \
4841 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4842 "$P_CLI force_version=tls1_1 \
4843 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4844 0 \
4845 -c "Read from server: 16384 bytes read"
4846
4847run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
4848 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4849 "$P_CLI force_version=tls1_1 \
4850 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4851 0 \
4852 -s "16384 bytes written in 1 fragments" \
4853 -c "Read from server: 16384 bytes read"
4854
4855requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004856run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
4857 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4858 "$P_CLI force_version=tls1_1 \
4859 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4860 trunc_hmac=1" \
4861 0 \
4862 -c "Read from server: 16384 bytes read"
4863
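# Large server packet, TLS 1.1, RC4, truncated HMAC on both peers, EtM off on
# the client. Guarded like the other "truncated MAC" cases in this file: both
# peers are started with trunc_hmac=1, so the case only exercises what its
# name says when MBEDTLS_SSL_TRUNCATED_HMAC is compiled in.
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
            "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
            "$P_CLI force_version=tls1_1 \
             force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
            0 \
            -s "16384 bytes written in 1 fragments" \
            -c "Read from server: 16384 bytes read"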
4871
Andrzej Kurek557335e2018-06-28 04:03:10 -04004872run_test "Large server packet TLS 1.2 BlockCipher" \
4873 "$P_SRV response_size=16384" \
4874 "$P_CLI force_version=tls1_2 \
4875 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4876 0 \
4877 -c "Read from server: 16384 bytes read"
4878
Andrzej Kurekd731a632018-06-19 09:37:30 -04004879run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
4880 "$P_SRV response_size=16384" \
4881 "$P_CLI force_version=tls1_2 etm=0 \
4882 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4883 0 \
4884 -s "16384 bytes written in 1 fragments" \
4885 -c "Read from server: 16384 bytes read"
4886
Andrzej Kurek557335e2018-06-28 04:03:10 -04004887run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
4888 "$P_SRV response_size=16384" \
4889 "$P_CLI force_version=tls1_2 \
4890 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4891 0 \
4892 -c "Read from server: 16384 bytes read"
4893
4894requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4895run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
4896 "$P_SRV response_size=16384" \
4897 "$P_CLI force_version=tls1_2 \
4898 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4899 trunc_hmac=1" \
4900 0 \
4901 -c "Read from server: 16384 bytes read"
4902
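# Large server packet, TLS 1.2, CBC, truncated HMAC on both peers, EtM off on
# the client. Guarded like the other "truncated MAC" cases in this file: both
# peers are started with trunc_hmac=1, so the case only exercises what its
# name says when MBEDTLS_SSL_TRUNCATED_HMAC is compiled in.
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test    "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
            "$P_SRV response_size=16384 trunc_hmac=1" \
            "$P_CLI force_version=tls1_2 \
             force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
            0 \
            -s "16384 bytes written in 1 fragments" \
            -c "Read from server: 16384 bytes read"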
4910
Andrzej Kurek557335e2018-06-28 04:03:10 -04004911run_test "Large server packet TLS 1.2 StreamCipher" \
4912 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4913 "$P_CLI force_version=tls1_2 \
4914 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4915 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004916 -s "16384 bytes written in 1 fragments" \
4917 -c "Read from server: 16384 bytes read"
4918
4919run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
4920 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4921 "$P_CLI force_version=tls1_2 \
4922 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4923 0 \
4924 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004925 -c "Read from server: 16384 bytes read"
4926
4927requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4928run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
4929 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4930 "$P_CLI force_version=tls1_2 \
4931 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4932 trunc_hmac=1" \
4933 0 \
4934 -c "Read from server: 16384 bytes read"
4935
Andrzej Kurekd731a632018-06-19 09:37:30 -04004936requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4937run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4938 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4939 "$P_CLI force_version=tls1_2 \
4940 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4941 0 \
4942 -s "16384 bytes written in 1 fragments" \
4943 -c "Read from server: 16384 bytes read"
4944
Andrzej Kurek557335e2018-06-28 04:03:10 -04004945run_test "Large server packet TLS 1.2 AEAD" \
4946 "$P_SRV response_size=16384" \
4947 "$P_CLI force_version=tls1_2 \
4948 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4949 0 \
4950 -c "Read from server: 16384 bytes read"
4951
4952run_test "Large server packet TLS 1.2 AEAD shorter tag" \
4953 "$P_SRV response_size=16384" \
4954 "$P_CLI force_version=tls1_2 \
4955 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4956 0 \
4957 -c "Read from server: 16384 bytes read"
4958
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004959# Tests for DTLS HelloVerifyRequest
4960
4961run_test "DTLS cookie: enabled" \
4962 "$P_SRV dtls=1 debug_level=2" \
4963 "$P_CLI dtls=1 debug_level=2" \
4964 0 \
4965 -s "cookie verification failed" \
4966 -s "cookie verification passed" \
4967 -S "cookie verification skipped" \
4968 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004969 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004970 -S "SSL - The requested feature is not available"
4971
4972run_test "DTLS cookie: disabled" \
4973 "$P_SRV dtls=1 debug_level=2 cookies=0" \
4974 "$P_CLI dtls=1 debug_level=2" \
4975 0 \
4976 -S "cookie verification failed" \
4977 -S "cookie verification passed" \
4978 -s "cookie verification skipped" \
4979 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004980 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004981 -S "SSL - The requested feature is not available"
4982
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004983run_test "DTLS cookie: default (failing)" \
4984 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4985 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4986 1 \
4987 -s "cookie verification failed" \
4988 -S "cookie verification passed" \
4989 -S "cookie verification skipped" \
4990 -C "received hello verify request" \
4991 -S "hello verification requested" \
4992 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004993
4994requires_ipv6
4995run_test "DTLS cookie: enabled, IPv6" \
4996 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4997 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
4998 0 \
4999 -s "cookie verification failed" \
5000 -s "cookie verification passed" \
5001 -S "cookie verification skipped" \
5002 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02005003 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02005004 -S "SSL - The requested feature is not available"
5005
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02005006run_test "DTLS cookie: enabled, nbio" \
5007 "$P_SRV dtls=1 nbio=2 debug_level=2" \
5008 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5009 0 \
5010 -s "cookie verification failed" \
5011 -s "cookie verification passed" \
5012 -S "cookie verification skipped" \
5013 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02005014 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02005015 -S "SSL - The requested feature is not available"
5016
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005017# Tests for client reconnecting from the same port with DTLS
5018
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005019not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005020run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005021 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
5022 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005023 0 \
5024 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005025 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005026 -S "Client initiated reconnection from same port"
5027
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005028not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005029run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005030 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
5031 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005032 0 \
5033 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005034 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005035 -s "Client initiated reconnection from same port"
5036
Paul Bakker362689d2016-05-13 10:33:25 +01005037not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
5038run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005039 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
5040 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005041 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005042 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005043 -s "Client initiated reconnection from same port"
5044
Paul Bakker362689d2016-05-13 10:33:25 +01005045only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
5046run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
5047 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
5048 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
5049 0 \
5050 -S "The operation timed out" \
5051 -s "Client initiated reconnection from same port"
5052
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005053run_test "DTLS client reconnect from same port: no cookies" \
5054 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +02005055 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
5056 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005057 -s "The operation timed out" \
5058 -S "Client initiated reconnection from same port"
5059
Manuel Pégourié-Gonnarda58b0462020-03-13 11:11:02 +01005060run_test "DTLS client reconnect from same port: attacker-injected" \
5061 -p "$P_PXY inject_clihlo=1" \
5062 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
5063 "$P_CLI dtls=1 exchanges=2" \
5064 0 \
5065 -s "possible client reconnect from the same port" \
5066 -S "Client initiated reconnection from same port"
5067
# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)

# auth_mode=required: the server must verify the client certificate.
run_test    "DTLS client auth: required" \
            "$P_SRV dtls=1 auth_mode=required" \
            "$P_CLI dtls=1" \
            0 \
            -s "Verifying peer X.509 certificate... ok"

# auth_mode=optional with no client certificate: the handshake succeeds and
# the server must report that the certificate was missing.
run_test    "DTLS client auth: optional, client has no cert" \
            "$P_SRV dtls=1 auth_mode=optional" \
            "$P_CLI dtls=1 crt_file=none key_file=none" \
            0 \
            -s "! Certificate was missing"

# auth_mode=none: the client skips writing a certificate and the server must
# report that verification was skipped.
run_test    "DTLS client auth: none, client has no cert" \
            "$P_SRV dtls=1 auth_mode=none" \
            "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
            0 \
            -c "skip write certificate$" \
            -s "! Certificate verification was skipped"

# Mismatched pre-shared keys (test values abc123 vs abc124): the handshake
# must fail (status 1) with a MAC verification failure on the server and a
# fatal alert received by the client.
run_test    "DTLS wrong PSK: badmac alert" \
            "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
            "$P_CLI dtls=1 psk=abc124" \
            1 \
            -s "SSL - Verification of the message MAC failed" \
            -c "SSL - A fatal alert message was received from our peer"
5096
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02005097# Tests for receiving fragmented handshake messages with DTLS
5098
5099requires_gnutls
5100run_test "DTLS reassembly: no fragmentation (gnutls server)" \
5101 "$G_SRV -u --mtu 2048 -a" \
5102 "$P_CLI dtls=1 debug_level=2" \
5103 0 \
5104 -C "found fragmented DTLS handshake message" \
5105 -C "error"
5106
5107requires_gnutls
5108run_test "DTLS reassembly: some fragmentation (gnutls server)" \
5109 "$G_SRV -u --mtu 512" \
5110 "$P_CLI dtls=1 debug_level=2" \
5111 0 \
5112 -c "found fragmented DTLS handshake message" \
5113 -C "error"
5114
5115requires_gnutls
5116run_test "DTLS reassembly: more fragmentation (gnutls server)" \
5117 "$G_SRV -u --mtu 128" \
5118 "$P_CLI dtls=1 debug_level=2" \
5119 0 \
5120 -c "found fragmented DTLS handshake message" \
5121 -C "error"
5122
5123requires_gnutls
5124run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
5125 "$G_SRV -u --mtu 128" \
5126 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5127 0 \
5128 -c "found fragmented DTLS handshake message" \
5129 -C "error"
5130
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005131requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01005132requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005133run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
5134 "$G_SRV -u --mtu 256" \
5135 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
5136 0 \
5137 -c "found fragmented DTLS handshake message" \
5138 -c "client hello, adding renegotiation extension" \
5139 -c "found renegotiation extension" \
5140 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005141 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005142 -C "error" \
5143 -s "Extra-header:"
5144
5145requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01005146requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005147run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
5148 "$G_SRV -u --mtu 256" \
5149 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
5150 0 \
5151 -c "found fragmented DTLS handshake message" \
5152 -c "client hello, adding renegotiation extension" \
5153 -c "found renegotiation extension" \
5154 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005155 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005156 -C "error" \
5157 -s "Extra-header:"
5158
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02005159run_test "DTLS reassembly: no fragmentation (openssl server)" \
5160 "$O_SRV -dtls1 -mtu 2048" \
5161 "$P_CLI dtls=1 debug_level=2" \
5162 0 \
5163 -C "found fragmented DTLS handshake message" \
5164 -C "error"
5165
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005166run_test "DTLS reassembly: some fragmentation (openssl server)" \
5167 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02005168 "$P_CLI dtls=1 debug_level=2" \
5169 0 \
5170 -c "found fragmented DTLS handshake message" \
5171 -C "error"
5172
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005173run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02005174 "$O_SRV -dtls1 -mtu 256" \
5175 "$P_CLI dtls=1 debug_level=2" \
5176 0 \
5177 -c "found fragmented DTLS handshake message" \
5178 -C "error"
5179
5180run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
5181 "$O_SRV -dtls1 -mtu 256" \
5182 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5183 0 \
5184 -c "found fragmented DTLS handshake message" \
5185 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02005186
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02005187# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02005188
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005189not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005190run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02005191 -p "$P_PXY" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005192 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5193 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005194 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005195 -C "replayed record" \
5196 -S "replayed record" \
5197 -C "record from another epoch" \
5198 -S "record from another epoch" \
5199 -C "discarding invalid record" \
5200 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005201 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005202 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005203 -c "HTTP/1.0 200 OK"
5204
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005205not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02005206run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005207 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005208 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5209 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005210 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02005211 -c "replayed record" \
5212 -s "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +01005213 -c "record from another epoch" \
5214 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005215 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005216 -s "Extra-header:" \
5217 -c "HTTP/1.0 200 OK"
5218
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005219run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
5220 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005221 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
5222 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005223 0 \
5224 -c "replayed record" \
5225 -S "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +01005226 -c "record from another epoch" \
5227 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005228 -c "resend" \
5229 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005230 -s "Extra-header:" \
5231 -c "HTTP/1.0 200 OK"
5232
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005233run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005234 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005235 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005236 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005237 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005238 -c "discarding invalid record (mac)" \
5239 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005240 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005241 -c "HTTP/1.0 200 OK" \
5242 -S "too many records with bad MAC" \
5243 -S "Verification of the message MAC failed"
5244
5245run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
5246 -p "$P_PXY bad_ad=1" \
5247 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
5248 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5249 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005250 -C "discarding invalid record (mac)" \
5251 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005252 -S "Extra-header:" \
5253 -C "HTTP/1.0 200 OK" \
5254 -s "too many records with bad MAC" \
5255 -s "Verification of the message MAC failed"
5256
5257run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
5258 -p "$P_PXY bad_ad=1" \
5259 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
5260 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5261 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005262 -c "discarding invalid record (mac)" \
5263 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005264 -s "Extra-header:" \
5265 -c "HTTP/1.0 200 OK" \
5266 -S "too many records with bad MAC" \
5267 -S "Verification of the message MAC failed"
5268
5269run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
5270 -p "$P_PXY bad_ad=1" \
5271 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
5272 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
5273 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005274 -c "discarding invalid record (mac)" \
5275 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005276 -s "Extra-header:" \
5277 -c "HTTP/1.0 200 OK" \
5278 -s "too many records with bad MAC" \
5279 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005280
5281run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005282 -p "$P_PXY delay_ccs=1" \
5283 "$P_SRV dtls=1 debug_level=1" \
5284 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005285 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005286 -c "record from another epoch" \
5287 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005288 -s "Extra-header:" \
5289 -c "HTTP/1.0 200 OK"
5290
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02005291# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005292
Janos Follath74537a62016-09-02 13:45:28 +01005293client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005294run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005295 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005296 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005297 psk=abc123" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005298 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005299 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5300 0 \
5301 -s "Extra-header:" \
5302 -c "HTTP/1.0 200 OK"
5303
Janos Follath74537a62016-09-02 13:45:28 +01005304client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005305run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
5306 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005307 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5308 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005309 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5310 0 \
5311 -s "Extra-header:" \
5312 -c "HTTP/1.0 200 OK"
5313
Janos Follath74537a62016-09-02 13:45:28 +01005314client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005315run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
5316 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005317 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5318 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005319 0 \
5320 -s "Extra-header:" \
5321 -c "HTTP/1.0 200 OK"
5322
Janos Follath74537a62016-09-02 13:45:28 +01005323client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005324run_test "DTLS proxy: 3d, FS, client auth" \
5325 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005326 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=required" \
5327 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005328 0 \
5329 -s "Extra-header:" \
5330 -c "HTTP/1.0 200 OK"
5331
Janos Follath74537a62016-09-02 13:45:28 +01005332client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005333run_test "DTLS proxy: 3d, FS, ticket" \
5334 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005335 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=none" \
5336 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005337 0 \
5338 -s "Extra-header:" \
5339 -c "HTTP/1.0 200 OK"
5340
Janos Follath74537a62016-09-02 13:45:28 +01005341client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005342run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
5343 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005344 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=required" \
5345 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005346 0 \
5347 -s "Extra-header:" \
5348 -c "HTTP/1.0 200 OK"
5349
Janos Follath74537a62016-09-02 13:45:28 +01005350client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005351run_test "DTLS proxy: 3d, max handshake, nbio" \
5352 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005353 "$P_SRV dtls=1 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005354 auth_mode=required" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005355 "$P_CLI dtls=1 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005356 0 \
5357 -s "Extra-header:" \
5358 -c "HTTP/1.0 200 OK"
5359
Janos Follath74537a62016-09-02 13:45:28 +01005360client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005361run_test "DTLS proxy: 3d, min handshake, resumption" \
5362 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005363 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005364 psk=abc123 debug_level=3" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005365 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01005366 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005367 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5368 0 \
5369 -s "a session has been resumed" \
5370 -c "a session has been resumed" \
5371 -s "Extra-header:" \
5372 -c "HTTP/1.0 200 OK"
5373
Janos Follath74537a62016-09-02 13:45:28 +01005374client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005375run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
5376 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005377 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005378 psk=abc123 debug_level=3 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005379 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01005380 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005381 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
5382 0 \
5383 -s "a session has been resumed" \
5384 -c "a session has been resumed" \
5385 -s "Extra-header:" \
5386 -c "HTTP/1.0 200 OK"
5387
Janos Follath74537a62016-09-02 13:45:28 +01005388client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005389requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005390run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02005391 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005392 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005393 psk=abc123 renegotiation=1 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005394 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005395 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02005396 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5397 0 \
5398 -c "=> renegotiate" \
5399 -s "=> renegotiate" \
5400 -s "Extra-header:" \
5401 -c "HTTP/1.0 200 OK"
5402
Janos Follath74537a62016-09-02 13:45:28 +01005403client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005404requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005405run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
5406 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005407 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005408 psk=abc123 renegotiation=1 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005409 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005410 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005411 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5412 0 \
5413 -c "=> renegotiate" \
5414 -s "=> renegotiate" \
5415 -s "Extra-header:" \
5416 -c "HTTP/1.0 200 OK"
5417
Janos Follath74537a62016-09-02 13:45:28 +01005418client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005419requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005420run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005421 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005422 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005423 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005424 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005425 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005426 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005427 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5428 0 \
5429 -c "=> renegotiate" \
5430 -s "=> renegotiate" \
5431 -s "Extra-header:" \
5432 -c "HTTP/1.0 200 OK"
5433
Janos Follath74537a62016-09-02 13:45:28 +01005434client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005435requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005436run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005437 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005438 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005439 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005440 debug_level=2 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005441 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005442 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005443 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5444 0 \
5445 -c "=> renegotiate" \
5446 -s "=> renegotiate" \
5447 -s "Extra-header:" \
5448 -c "HTTP/1.0 200 OK"
5449
Janos Follath74537a62016-09-02 13:45:28 +01005450client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005451not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005452run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005453 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5454 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005455 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005456 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005457 -c "HTTP/1.0 200 OK"
5458
Janos Follath74537a62016-09-02 13:45:28 +01005459client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005460not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005461run_test "DTLS proxy: 3d, openssl server, fragmentation" \
5462 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5463 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005464 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005465 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005466 -c "HTTP/1.0 200 OK"
5467
Janos Follath74537a62016-09-02 13:45:28 +01005468client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005469not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005470run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
5471 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5472 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005473 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005474 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005475 -c "HTTP/1.0 200 OK"
5476
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005477requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005478client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005479not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005480run_test "DTLS proxy: 3d, gnutls server" \
5481 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5482 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005483 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005484 0 \
5485 -s "Extra-header:" \
5486 -c "Extra-header:"
5487
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005488requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005489client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005490not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005491run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
5492 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5493 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005494 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005495 0 \
5496 -s "Extra-header:" \
5497 -c "Extra-header:"
5498
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005499requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005500client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005501not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005502run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
5503 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5504 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005505 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005506 0 \
5507 -s "Extra-header:" \
5508 -c "Extra-header:"
5509
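# Final report
#
# Prints a separator, then "PASSED" or "FAILED" followed by the pass, total
# and skipped counts, and exits with the number of failed tests.
# Reads FAILS, TESTS and SKIPS, which are maintained elsewhere in this
# script; writes PASSES.

echo "------------------------------------------------------------------------"

if [ "$FAILS" = 0 ]; then
    printf "PASSED"
else
    printf "FAILED"
fi
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"

# The caller only sees the low 8 bits of the exit status, so 256 failures
# (or any multiple of 256) would be reported as 0, i.e. as a passing run of
# a security test suite. Cap the value so that any failure stays non-zero.
if [ "$FAILS" -gt 255 ]; then
    FAILS=255
fi

exit "$FAILS"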